CacheWarp AMD CPU Attack Grants Root Access in Linux VMs
Security researchers have disclosed a new attack named CacheWarp. It threatens virtual machines protected by AMD SEV: a malicious or compromised hypervisor can discard or revert memory writes made by the guest, and the researchers use that primitive to escalate privileges to root and run attacker-chosen code inside the VM.
CacheWarp exploits weaknesses in AMD's Secure Encrypted Virtualization-Encrypted State (SEV-ES) and Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). These extensions are meant to protect a guest from a malicious hypervisor: SEV-ES encrypts the VM's memory and register state, and SEV-SNP additionally enforces integrity so that the hypervisor cannot tamper with guest memory.
CacheWarp Attack Details
The underlying vulnerability, tracked as CVE-2023-20592, was discovered by researchers from the CISPA Helmholtz Center for Information Security and Graz University of Technology, together with independent researcher Youheng Lue.
The researchers explained, “CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP, exploits the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state.” In practical terms, the hypervisor executes the INVD instruction, which invalidates the CPU caches without writing dirty lines back to memory; modified guest data that has not yet reached DRAM is silently discarded, and the guest's next read returns whatever older value DRAM still holds.
The consequences are significant. An attacker can revert an authentication variable to an earlier value and thereby hijack a session that was previously authenticated, or revert a return address on the stack so that a function returns to a stale location, redirecting the control flow of the targeted program.
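To make the "stale state" mechanism concrete, the following is an added example (not code from the CacheWarp paper, from AMD, or from this article): a toy model of a write-back cache in front of DRAM, with `wbinvd()` and `invd()` modelling the two invalidation instructions. The `AUTH_FLAG_ADDR` location and the scenario (a session flag that was previously authenticated, then revoked by the guest) are constructed for illustration; the cache size and replacement policy are arbitrary and only exist to make the model run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy write-back cache in front of a small DRAM.  Constructed model, not a
 * description of any real AMD core; sizes are arbitrary. */
#define MEM_WORDS   16
#define CACHE_LINES 4

struct cache_line {
    int      valid;
    int      dirty;
    unsigned addr;   /* word address held in this line */
    uint32_t data;
};

struct machine {
    uint32_t          dram[MEM_WORDS];       /* backing memory */
    struct cache_line cache[CACHE_LINES];
};

static void machine_init(struct machine *m) { memset(m, 0, sizeof *m); }

static struct cache_line *lookup(struct machine *m, unsigned addr) {
    for (int i = 0; i < CACHE_LINES; i++)
        if (m->cache[i].valid && m->cache[i].addr == addr)
            return &m->cache[i];
    return NULL;
}

/* Fill a line for addr: take a free line, else evict line 0 (writing it back if dirty). */
static struct cache_line *allocate(struct machine *m, unsigned addr) {
    struct cache_line *victim = NULL;
    for (int i = 0; i < CACHE_LINES; i++)
        if (!m->cache[i].valid) { victim = &m->cache[i]; break; }
    if (!victim) {
        victim = &m->cache[0];
        if (victim->dirty) m->dram[victim->addr] = victim->data;
    }
    victim->valid = 1; victim->dirty = 0; victim->addr = addr;
    victim->data = m->dram[addr];
    return victim;
}

static uint32_t load(struct machine *m, unsigned addr) {
    struct cache_line *l = lookup(m, addr);
    if (!l) l = allocate(m, addr);
    return l->data;
}

/* A store only updates the cache line; DRAM is updated later, on writeback. */
static void store(struct machine *m, unsigned addr, uint32_t v) {
    struct cache_line *l = lookup(m, addr);
    if (!l) l = allocate(m, addr);
    l->data = v; l->dirty = 1;
}

/* WBINVD: write dirty lines back, then invalidate.  DRAM ends up consistent. */
static void wbinvd(struct machine *m) {
    for (int i = 0; i < CACHE_LINES; i++) {
        if (m->cache[i].valid && m->cache[i].dirty)
            m->dram[m->cache[i].addr] = m->cache[i].data;
        m->cache[i].valid = 0; m->cache[i].dirty = 0;
    }
}

/* INVD: invalidate WITHOUT writeback.  Dirty data is dropped, so the next
 * load observes the older value still in DRAM.  This is the reversion
 * CacheWarp relies on. */
static void invd(struct machine *m) {
    for (int i = 0; i < CACHE_LINES; i++) { m->cache[i].valid = 0; m->cache[i].dirty = 0; }
}

#define AUTH_FLAG_ADDR 3  /* hypothetical address of a session's "authenticated" flag */

/* Guest-side scenario: a session was authenticated earlier (that value
 * reached DRAM), then the guest revokes it by writing 0.  The hypervisor
 * then runs either WBINVD (benign) or INVD (the attack).  Returns what the
 * guest's next authorization check reads. */
static uint32_t run_scenario(int attacker_uses_invd) {
    struct machine m;
    machine_init(&m);
    store(&m, AUTH_FLAG_ADDR, 1);    /* earlier: session authenticated */
    wbinvd(&m);                      /* ...and that state was written to DRAM */
    store(&m, AUTH_FLAG_ADDR, 0);    /* now: guest revokes the session (dirty, cache only) */
    if (attacker_uses_invd) invd(&m); else wbinvd(&m);
    return load(&m, AUTH_FLAG_ADDR); /* guest asks: is this session still authenticated? */
}

int main(void) {
    printf("after WBINVD, guest sees authenticated=%u\n", run_scenario(0));
    printf("after INVD,   guest sees authenticated=%u\n", run_scenario(1));
    return 0;
}
```

With the benign `wbinvd()` the revocation survives and the check reads 0; with `invd()` the dirty write is discarded and the check reads the stale 1, which is exactly the "revert an authentication variable" outcome described above. The same dropped-write effect applied to a saved return address is what lets the attack redirect control flow; the guest itself never executes a faulty instruction, which is why software inside the VM cannot observe the reversion directly.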
To demonstrate the severity, the researchers built three case studies: recovering the private key from the RSA implementation in the Intel IPP crypto library, logging in to an OpenSSH server without authentication, and escalating privileges to root through the sudo binary.
In response, AMD has published a security advisory (AMD-SB-3005) acknowledging a vulnerability in the INVD instruction that can lead to a loss of memory integrity for SEV-ES and SEV-SNP guest VMs.
According to AMD, the affected processors include:
- 1st Gen AMD EPYC Processors (SEV and SEV-ES)
- 2nd Gen AMD EPYC Processors (SEV and SEV-ES)
- 3rd Gen AMD EPYC Processors (SEV, SEV-ES, SEV-SNP)
Fortunately, the issue does not impact AMD 4th generation ‘Genoa’ EPYC processors (Zen 4 microarchitecture).
For 3rd Gen EPYC processors with Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) enabled, AMD has released a hot-loadable microcode patch and an updated firmware image. For 1st and 2nd Gen EPYC processors AMD offers no mitigation, noting that SEV and SEV-ES were never designed to protect guest VM memory integrity.
AMD states that it is not aware of any performance impact from applying the patch. Affected users should apply the microcode and firmware updates promptly and then confirm that the loaded revision (on Linux, the microcode field in /proc/cpuinfo) matches the fixed version listed in AMD's advisory, since a patch that is shipped but not loaded leaves SEV-SNP guests exposed.
The sources for this article include a story from BleepingComputer.