CacheWarp AMD VM Bug Opens the Door to Privilege Escalation

Published: 23/11/2024   Category: security




Academics in Germany figured out how to reverse time in AMD virtualization environments, then reap the spoils.



Researchers have developed an exploit for AMD CPUs that allows attackers to undermine memory protections, and thereby escalate privileges or perform remote code execution (RCE) in cloud environments.
The issue lies with Secure Encrypted Virtualization (SEV), a seven-year-old extension for AMD's EPYC server processors. The promise of SEV is that users can deploy virtual machines (VMs) even on untrusted hypervisors — the software that runs multiple VMs on one host — because each VM's memory is encrypted with its own key.
On Tuesday, though, a group of German scholars demonstrated in a paper how this security feature can, in fact, expose the very chips it's meant to protect, enabling attackers to "roll back time" and access exploitable data in memory.
This so-called CacheWarp vulnerability, assigned CVE-2023-20592, affects first- through third-generation EPYC processors (not fourth gen). AMD rated it 5.3 (Medium) severity.
At the heart of CacheWarp is a single, exploitable instruction: INVD. By abusing INVD, a malicious hypervisor can selectively discard the contents of the CPU's cache at any chosen moment, so that the guest's memory reverts to an older state (hence the name CacheWarp) holding stale data.
At this point, possibilities abound.
"As a consequence, a malicious hypervisor can break into a guest VM without knowing any password," explains Ruiyi Zhang, one of the report's authors.
On CacheWarp's website, his team provided a simple example of how it could go down:
"Assume you have a variable determining whether a user is successfully authenticated. By exploiting CacheWarp, an attacker can revert the variable to a previous state and thus take over an old (already authenticated) session. Furthermore, an attacker can revert the return addresses stored on the stack and, by that, change the control flow of a victim program," they explained.
In such a case, Zhang says, "they can achieve privilege escalation, get to the root of your VM, and, in the end, they can just do anything."
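To make the rollback effect concrete, here is a constructed software model of a write-back cache in front of the authentication flag described above; it is an added illustration, not code from the paper or the PoC. The model assumes a single cache line and treats INVD (discard without write-back) and WBINVD (write back, then discard) as functions; on real hardware these are CPU instructions, and the SEV-SNP memory integrity protection that fourth-generation EPYC provides is not modelled.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model: one write-back cache line holding a single word. */
struct cache_line {
    int valid;      /* line holds data */
    int dirty;      /* data newer than what main memory holds */
    uint32_t data;
};

/* "Main memory" backing the flag, and the cache in front of it. */
static uint32_t memory_authenticated;
static struct cache_line line;

static uint32_t cpu_read(void) {
    if (!line.valid) {                 /* cache miss: fill from memory */
        line.valid = 1; line.dirty = 0; line.data = memory_authenticated;
    }
    return line.data;
}

static void cpu_write(uint32_t v) {    /* write-back: memory is NOT updated yet */
    line.valid = 1; line.dirty = 1; line.data = v;
}

static void model_wbinvd(void) {       /* write dirty data back, then invalidate */
    if (line.valid && line.dirty) memory_authenticated = line.data;
    line.valid = 0; line.dirty = 0;
}

static void model_invd(void) {         /* invalidate WITHOUT write-back: dirty data is lost */
    line.valid = 0; line.dirty = 0;
}

/* Guest starts with an authenticated session (flag = 1), logs out (writes 0),
 * then the cache is flushed either safely (WBINVD) or destructively (INVD).
 * Returns the flag value the guest observes afterwards. */
uint32_t session_flag_after_flush(int use_invd) {
    memory_authenticated = 1;          /* old state: session authenticated */
    memset(&line, 0, sizeof line);
    (void)cpu_read();                  /* guest checks the flag */
    cpu_write(0);                      /* guest logs out; 0 sits dirty in cache */
    if (use_invd) model_invd(); else model_wbinvd();
    return cpu_read();                 /* re-read after the flush */
}
```

With WBINVD the guest sees the logout (0); with INVD the dirty write is dropped and the stale value 1 is re-read from memory, which is the "reverted to an old, already authenticated session" outcome the researchers describe.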
The researchers first reached out to AMD in late April. On November 14 — the day CacheWarp was revealed and a proof-of-concept (PoC) exploit was released to GitHub — AMD released a microcode patch for third-generation EPYC chips. Unlike with recent transient execution bugs affecting similar chips, the patch isn't expected to cause any performance issues.
No mitigation is available for the first or second generations of EPYC processors, AMD noted in a security bulletin, since "the SEV and SEV-ES [Encrypted State] features are not designed to protect guest VM memory integrity and the SEV-SNP [Secure Nested Paging] is not available."
When asked about the delay in releasing a patch, AMD told Dark Reading that "Coordinated Vulnerability Disclosure is standard practice in the industry to protect end users. Notification is made to the impacted parties, fixes are developed, then the bulletin and details are published."
