Full Report
Academic researchers developed a side-channel attack called TEE.Fail, which allows extracting secrets from the trusted execution environment in the CPU, the highly secure area of a system, such as Intel's SGX and TDX, and AMD's SEV-SNP. [...]
Analysis Summary
# Vulnerability: TEE.Fail Side-Channel Attack Exfiltrates Secrets from TEEs (SGX, TDX, SEV-SNP)
## CVE Details
- **CVE ID:** Not explicitly provided in the article. Researchers reported findings to vendors (Intel in April, AMD in August, NVIDIA in June).
- **CVSS Score:** Not provided in the article. Based on the impact (key extraction, attestation forgery), this would likely rate as **High** or **Critical**.
- **CWE:** Not explicitly provided, but related to Side-Channel Attacks (e.g., CWE-203: Reliance on Cleared/Stale Data, or specific architectural weaknesses in memory encryption handling).
## Affected Systems
- **Products:** Intel SGX (Software Guard Extensions), Intel TDX (Trust Domain Extensions), AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging). Also mentioned in relation to attacks against Intel and NVIDIA attestations, and OpenSSL running inside AMD SEV-SNP VMs.
- **Versions:** Architectures implementing confidential computing features that utilize DDR5 memory with deterministic AES-XTS encryption and reliance on exposed memory decoding interfaces. (Specific version numbers are not listed, but the flaw impacts **recent generations** moving to DDR5).
- **Configurations:** Systems using DDR5 memory where memory integrity and replay protections may have been stripped for performance, and where the Memory Address Translation component exposes decoding interfaces via `sysfs` (for Intel).
## Vulnerability Description
TEE.Fail is a memory-bus interposition side-channel attack targeting CPUs implementing Trusted Execution Environments (TEEs) like Intel SGX/TDX and AMD SEV-SNP, specifically those using DDR5 memory.
The attack capitalizes on the deterministic nature of AES-XTS memory encryption used in modern TEE implementations on DDR5. By installing a custom probe network (interposer) between a DDR5 DIMM and the motherboard, researchers can reliably capture DDR5 command/address and data bursts (ciphertexts). By forcing data into observable memory channels, performing known operations within the TEE (via modified kernel drivers/enclaves), and observing the resulting ciphertexts, the attacker can build a ciphertext-to-value mapping. This mapping is used to recover the per-signature nonces used during cryptographic operations, allowing the attacker to reconstruct private signing keys (including Provisioning Certificate Keys - PCKs).
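The property the paragraph above turns on, deterministic AES-XTS tweaked only by physical address, is easiest to see in a toy model. The following Go program is an added example written for this page; it is not code from the TEE.Fail researchers or from any vendor, and its keys, addresses and the "nonce" line are constructed. It implements XTS over Go's standard `crypto/aes`, shows that the same value written to the same address produces the same ciphertext on the bus (the equality an interposer can observe and map), and contrasts it with a hypothetical variant that folds a per-write counter into the tweak, which is the kind of freshness a replay/integrity mechanism supplies and which the report notes was stripped for performance:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Toy model of the property the report describes: AES-XTS memory encryption
// keyed once per boot, tweaked only by physical address, so identical data at
// one address is identical on the bus. Keys and data are constructed here.

const lineSize = 64 // one cache line = four AES blocks

type MemEnc struct{ data, tweak cipher.Block } // K1 for data, K2 for tweak

func NewMemEnc(k1, k2 []byte) (*MemEnc, error) {
	c1, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	c2, err := aes.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	return &MemEnc{data: c1, tweak: c2}, nil
}

// gfMulAlpha multiplies a GF(2^128) element by alpha in place (IEEE 1619 convention).
func gfMulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xtsLine runs XTS over one cache line; decrypt flips only the data-cipher direction.
func (m *MemEnc) xtsLine(tweakIn [16]byte, in []byte, decrypt bool) []byte {
	var t [16]byte
	m.tweak.Encrypt(t[:], tweakIn[:])
	out := make([]byte, lineSize)
	for j := 0; j < lineSize/16; j++ {
		blk := out[j*16 : j*16+16]
		for i := range blk {
			blk[i] = in[j*16+i] ^ t[i]
		}
		if decrypt {
			m.data.Decrypt(blk, blk)
		} else {
			m.data.Encrypt(blk, blk)
		}
		for i := range blk {
			blk[i] ^= t[i]
		}
		gfMulAlpha(&t) // tweak for the next block
	}
	return out
}

// tweakFor packs the address and a per-write counter into the XTS tweak input.
// The deterministic scheme the report describes uses only the address (counter 0).
func tweakFor(addr, counter uint64) [16]byte {
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], addr)
	binary.LittleEndian.PutUint64(t[8:], counter)
	return t
}

func (m *MemEnc) EncryptDeterministic(addr uint64, line []byte) []byte {
	return m.xtsLine(tweakFor(addr, 0), line, false)
}

func (m *MemEnc) DecryptDeterministic(addr uint64, ct []byte) []byte {
	return m.xtsLine(tweakFor(addr, 0), ct, true)
}

// EncryptFresh is a hypothetical variant (not any vendor's design) that also
// binds a per-write counter, the freshness an anti-replay scheme provides.
func (m *MemEnc) EncryptFresh(addr, counter uint64, line []byte) []byte {
	return m.xtsLine(tweakFor(addr, counter), line, false)
}

// DemoLeak reports whether the bus ciphertext repeats for the same value at
// the same address, at another address, and under the fresh variant, plus
// whether deterministic decryption recovers the line.
func DemoLeak() (sameAddr, otherAddr, fresh, roundTrip bool) {
	m, err := NewMemEnc(bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16))
	if err != nil {
		panic(err)
	}
	line := make([]byte, lineSize) // constructed "nonce" filling one line
	copy(line, "constructed-secret-nonce-0123456")
	c1 := m.EncryptDeterministic(0x1000, line)
	c2 := m.EncryptDeterministic(0x1000, line) // same value rewritten later
	c3 := m.EncryptDeterministic(0x2000, line) // same value, other address
	f1, f2 := m.EncryptFresh(0x1000, 1, line), m.EncryptFresh(0x1000, 2, line)
	return bytes.Equal(c1, c2), bytes.Equal(c1, c3), bytes.Equal(f1, f2),
		bytes.Equal(m.DecryptDeterministic(0x1000, c1), line)
}

func main() {
	a, b, c, d := DemoLeak()
	fmt.Printf("same addr repeats=%v other addr repeats=%v fresh repeats=%v roundtrip=%v\n", a, b, c, d)
}
```

Running it prints `true false false true`: the deterministic scheme leaks whether a value recurs at an address (which is all the ciphertext-to-value mapping needs), while the address tweak alone still separates different locations. The fresh variant removes the repeat; it is not a drop-in fix, since real freshness needs the counter state and integrity metadata that the report says were dropped from DDR5 designs, which is why the remediation section points to vendor microcode/firmware changes rather than configuration.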
## Exploitation
- **Status:** PoC available (Developed and demonstrated by researchers).
- **Complexity:** **Medium**. Requires physical access, root-level privileges for kernel driver modification, and specialized hardware (DDR5 riser/custom probe isolation network costing less than $1,000) to monitor the physical memory bus. Not feasible for remote attacks.
- **Attack Vector:** Physical (Local access required).
## Impact
- **Confidentiality:** **High**. Full extraction of secrets (e.g., ECDH private keys, cryptographic keys used for authentication/authorization, Provisioning Certificate Keys - PCK).
- **Integrity:** **High**. Ability to forge valid SGX/TDX quotes and attestations, allowing attackers to impersonate legitimate TEEs and run malicious workloads appearing legitimate.
- **Availability:** Low/Negligible (The attack focuses on data extraction, not denial of service).
## Remediation
### Patches
- Vendors (Intel, AMD, NVIDIA) acknowledged the issues and are **working on mitigations and adaptations** for the confidential computing threat model. Specific patch versions were not available at the time of the article (October 2025).
### Workarounds
- **Physical Security:** Since the attack requires physical access and hardware attachment, maintaining strong physical security controls remains a necessary mitigating factor.
- **Configuration:** The article notes the attack still functions against AMD SEV-SNP even when the “Ciphertext Hiding” security option is enabled, suggesting configuration changes alone may be insufficient without microcode/firmware updates.
## Detection
- **Indicators of Compromise:** Observing unexpected access patterns or modifications to kernel drivers governing SGX memory allocation, or unauthorized reading of DDR5 memory bus traffic.
- **Detection Methods and Tools:** Monitoring for memory bus interposition attempts, although detection on the software level is difficult due to the hardware nature of the side-channel capture.
## References
- Vendor advisories: Intel (Reported April), AMD (Reported August), NVIDIA (Reported June). (Official vendor statements pending publication of the research paper).
- Relevant links (defanged), research findings on prior DDR4 interposer attacks:
  - `hxxps://wiretap.fail/`
  - `hxxps://batteringram.eu/`