Researchers from the Helmholtz Center for Information Security, the Technical University of Graz, and an independent security researcher have revealed a fault injection attack named Cachewarp.
This attack allows intruders to interfere with the control flow of Secure Encrypted Virtualization (SEV) protected AMD CPUs and penetrate virtual machines (VMs) to gain elevated privileges, as detailed by the researchers on an information page about Cachewarp.
AMD SEV is a protective function designed to ensure a secure separation between virtual machines and a hypervisor. To achieve this, the data in the VM’s memory is encrypted. “The encryption applies to both the VM’s memory and its register status during context switches,” explain the researchers.
Especially in the cloud, this is crucial for securely processing confidential data even when the cloud provider itself is not fully trusted.
Rewinding to the Past with Cachewarp
According to the researchers, Cachewarp makes it possible to revert certain data changes within a VM, thereby accessing an earlier memory state. Execution of malicious code and privilege escalation within a VM are potential scenarios enabled by this exploit.
For instance, an attacker could reset variables used for authentication to a previous state, potentially taking over a previously authenticated session. Moreover, a malicious actor could reverse stack-stored return addresses, altering the control flow of a target program.
The researchers have provided two videos on their website demonstrating potential attacks. Further details about Cachewarp can be found in a separate paper (PDF).
Patch Available Only for Milan
Cachewarp exploits a vulnerability identified as CVE-2023-20592, affecting both SEV-ES and SEV-SNP. According to a security bulletin from AMD, susceptible processors include Epyc processors from the first three generations, categorized under the code names Naples (Zen 1), Rome (Zen 2), and Milan (Zen 3). AMD rates the severity of this security flaw as moderate.
AMD has released a microcode patch for Milan. The manufacturer assures that no performance losses are expected as a result. However, there is no fix available for the first two Epyc generations since their SEV and SEV-ES functions were not intended to protect the memory integrity of guest VMs. SEV-SNP is not even available for Naples and Rome.
READ MORE: Nuki Unveils Smart Lock 4.0 with Matter Integration and Keypad 2 Pro!
