PMFault: Voltage Fault Injection on Server Platforms Through the PMBus

Hardware-based attacks like voltage glitching have been a threat to embedded processors like smartcards for decades. More recently, attacks like Clkscrew, Plundervolt, VoltJockey, and V0ltPwn, have shown that desktop and server processors are equally vulnerable to voltage fault injection. Controlling the built-in power management features from software, those attacks break the security guarantees of trusted execution environments like Intel SGX or ARM TrustZone.In this talk, we look at a related, yet so-far overlooked attack surface - the PMBus - that is widely used on server motherboards for power monitoring and management. We first show that an attacker with PMBus access can take over control of the voltage regulator to under and overvolt the CPU. Using the case study of a Supermicro X11SSL-CF motherboard, we demonstrate practical end-to-end exploits. As the Baseboard Management Controller (BMC) has a direct connection to the PMBus, we show that both intended interfaces (the IPMI protocol) and (known) vulnerabilities in the BMC's firmware upgrade path allow for voltage fault injection from software.Undervolting the CPU through the BMC and PMBus, we revive prior attacks on Intel SGX like Plundervolt (CVE-2019-11157), bypassing Intel's microcode patches. Then, we show that - in contrast to prior methods - the PMBus also allows overvolting outside the specified operational range of the CPU. With this, we successfully bricked several Xeon CPUs and rendered the server permanently inoperable. Notably, both attacks can be performed by a remote adversary and without physical access to the server hardware. Finally, we discuss possible mitigations and look at how the security of different components on a single motherboard can affect each other, with the goal of promoting a broader view of server system security.We disclosed our findings to the affected vendors.