New PMFULT Attack Disables CPU on Certain Server Systems

University of Birmingham researchers, well-known for previous exploits such as plundervolt and voltpillager, have discovered a new vulnerability in certain server motherboards, identified as CVE-2022-43309. The flaw, dubbed pmfault, allows attackers to physically disable a CPU without the possibility of recovery. It can be used to destroy servers where an attacker has privileged access to the operating system, such as via the exploitation of other vulnerabilities or intercepting administrator account data.

The method works by increasing the voltage to the voltage processor within server motherboards that support the Pmbus interface, typically implemented within the Voltage Regulator Module (VRM) module. To perform an attack on such boards, an attacker requires programme access to the Baseboard Management Controller (BMC), which can be achieved through the IPMI KCS interface or Ethernet.

The vulnerability is confirmed in Supermicro (X11, X12, H11, and H12) and ASROCK motherboards, but other server boards that have access to Pmbus are also vulnerable. During testing, the researchers damaged two Intel Xeon processors. They have published a tool for attack instrumentation on these boards as well as a utility for verifying Pmbus access on github.

The researchers have also identified that the voltage change method through PMBUS can be used to launch attacks by exploiting Plundervolt. This exploit allows attackers to induce data damage in CPU data cells used for calculations in isolated Intel SGX enclaves and generate errors in algorithms. By changing the value of the key stored in an SGX enclave, attackers can accumulate statistics on the change in output by causing system failures and restore the value.

It is important to note that an attacker needs privileged access to the operating system to exploit these vulnerabilities and cause physical damage to servers. Thus, a comprehensive approach to security that includes vulnerability assessments and regular system updates is necessary to protect against attacks.

/Reports, release notes, official announcements.