Software vulnerabilities come and go, but vulnerabilities found in hardware are significantly harder to deal with and cause more lasting problems, as with Hertzbleed and the family of security issues that sprang up from straightforward clock-management techniques. Now researchers have found a new problem with AMD EPYC processors that could allow an attacker to execute code, break into encrypted virtual machines, and escalate privileges inside a virtual machine.
On AMD EPYC server processors, AMD Secure Encrypted Virtualization (SEV) is a CPU extension that helps isolate virtual machines from the hypervisor and from one another. SEV also encrypts virtual machine state such as CPU registers, among other security enhancements, to “offer stronger protection around interrupt behavior, and offer increased protection against recently disclosed side-channel attacks.”
Researchers at the CISPA Helmholtz Center for Information Security discovered CacheWarp, a software-based fault injection attack that allows “the hypervisor to revert data modifications of the VM on a single-store granularity, leading to an old (stale) view of memory for the VM.” Because a single store can be rolled back, an attacker could revert a variable that records a permission level, or revert a memory address used for code execution. In the video above, the research team demonstrates what this vulnerability implies by bypassing a pseudo-authentication check to escalate privileges.
While this vulnerability sounds rather concerning, it is tracked as CVE-2023-20592, and AMD has published a microcode update to fix the problem. The update applies only to 1st-, 2nd-, and 3rd-generation AMD EPYC processors, though, and it has not been found to apply to Zen 4-based EPYC CPUs. In any event, anyone running an EPYC processor should apply this update to be on the safe side, and the full technical details are available on the website dedicated to CacheWarp.