CacheWarp: vulnerability in AMD CPUs allows gaining root privileges

AMD SEV (Secure Encrypted Virtualization) are CPU extensions designed to ensure a clear separation between virtual machines and thehypervisor below. The goal is to protect the contents of virtual machines from potential external threats, hypervisor included. All data stored in the memory of virtual machines is encrypted so as to prevent a hypervisor malicious or compromised person can directly access confidential data contained in the systems guest. Think for example of any attacks launched against thehypervisor used by provider cloud.

CacheWarp: what it is and how the attack on AMD processors works

The attack CacheWarpjust described by a team of researchers made up of members of the CISPA Helmholtz Center for Information Security and the University of Graz, has its roots in a hardware problem that AMD processors suffer from. As confirmed by the Sunnyvale company, CacheWarp will affect them CPU EPYC older, up to the third generation, therefore Naples, Rome and Milan. At the moment, however, only i AMD Milan processors are recipients of a corrective update at the microcode level.

Paradoxically, it is the SEV security feature that makes the CacheWarp attack possible. L’exploit it works by clearing the cache with the INVD instruction, which leaves the CPU with obsolete data stored in system memory or RAM. There CPU reads data stored under the assumption that they are brand new when in fact they are not.

Suppose we have one variable which determines whether a user is successfully authenticated. By exploiting CacheWarp, an attacker can revert the variable to a previous state and take control of a session already authenticated. Furthermore, the attacker can restore the return addresses stored in the stack and change the control flow of a program.

Lo stack is a region of memory used for handling function calls. Every time a function is called, the return address is pushed onto the stack. When the function finishes, the return address is fetched from the stack to resume execution from where the function was called. L’return address is the memory address at which program execution should return after the completion of a previously invoked function.

This is why CacheWarp is so dangerous: because it allows attackers to carry out real attacks time travelaccessing data that should not be exposed in any way.

Practical impact and safety implications

CacheWarp allows attackers to use AMD SEV extensions for acquire elevated privileges on the victim system as well as to execute arbitrary code. In this video it is used codice exploit which allows you to easily pass an SSH authentication procedure. Another video shows CacheWarp in action: this time the vulnerability is exploited for acquire root rights on the victim’s system.

Obviously, anyone who did not rely on the distribution of secure virtual machines using AMD SEV, it is actually not vulnerable. Likewise, according to AMD engineers, patches for the Naples and Rome processors are not necessary as the SEV extensions are not actually enabled and used.

Furthermore, the bug in question does not fall within the category of side-channel attacks that have affected processors for several years now. It is in fact an architectural problem.

The flaw that can lead to the CacheWarp attack is known by the identifier CVE-2023-20592 and is documented in the bulletin published by AMD.


Please enter your comment!
Please enter your name here