This security flaw could affect nearly all CPUs - but it might not be all bad

Craig Hale
·2 min read
CPU concept art of a chip with blue electricity coursing through it
CPU concept art of a chip with blue electricity coursing through it

A new vulnerability has been identified affecting a wide number of CPUs, but users have been told not to be overly concerned, given the sheer complexity of carrying out an attack.

That’s according to chipmaker AMD, who “believes that it is difficult to execute the attack/exploit of this vulnerability in the real world or outside of a controlled/lab-type environment.”

The warning came from a group of researchers from the Graz University of Technology and CISPA Helmholtz Center for Information Security.

Software-based Power Side Channel widely affecting CPUs

The issue, known as ‘Collide+Power,’ presents a potential power side-channel vulnerability affecting processors that could allow authenticated attacks to monitor CPU power consumption, which in turn may lead to the leak of sensitive information.

Read more

> These are the best malware removal tools

> Microsoft is fixing a load of serious Intel CPU security flaws

> Your old discarded printer could be hiding security secrets - here's what to do

The vulnerability has been tracked as CVE-2023-20583 and was awarded a severity level of ‘low’.

Ahead of a full investigation, AMD has confirmed that “EPYC server processors contain a performance determinism mode which can be used to reduce this type of leakage” and that “Ryzen client processors support a core boost disable bit that can help reduce the changes in frequency.”

ARM also shared some information about the issue at hand, and an Intel spokesperson told TechRadar Pro:

"Intel has evaluated this research and determined new mitigations are not required. Existing features in Intel products and guidance for mitigating power side-channel attacks are applicable in this and other known cases."

The chipmakers appear to have been cooperative in reaching an agreement to rectify the vulnerability. The team behind the discovery said: “We thank the vendors AMD, ARM, and Intel for professionally handling the responsible disclosure.”

In its own statement, Amazon said that AWS customers’ data and instances are not impacted by Collide+Power.

A full breakdown of how an attacker may be able to get access to sensitive information via a machine’s CPU can be found on the Collide+Power website. Moving forward, the Graz and CISPA researchers see a solution in preventing attackers from observing power-related signals rather than redesigning general-purpose CPUs which is a sizeable task by any measure.