Researchers at the Helmholtz Center for Information Security (CISPA) have published a new CacheWarp attack method to compromise the AMD SEV (Secure Encrypted Virtualization) security mechanism used in virtualization systems to protect virtual machines from interference by the hypervisor or host system administrator. The proposed method allows an attacker with access to the hypervisor to execute third-party code and escalate privileges in a virtual machine protected using AMD SEV.
The attack is based on the use of a vulnerability (CVE-2023-20592) caused by incorrect operation of the cache during the execution of the INVD processor instruction, with the help of which it is possible to achieve a data mismatch in memory and cache, and bypass mechanisms for maintaining the integrity of virtual machine memory, implemented based on extensions SEV-ES and SEV-SNP. The vulnerability affects AMD EPYC processors from the first to the third generation.
For third generation AMD EPYC processors (Zen 3), the issue is resolved in the November microcode update released yesterday by AMD (the fix does not result in any performance degradation). For the first and second generations of AMD EPYC (Zen 1 and Zen 2), protection is not provided, since these CPUs do not support the SEV-SNP extension, which provides integrity control for virtual machines. The fourth generation of AMD AMD EPYC βGenoaβ processors based on the βZen 4β microarchitecture is not vulnerable.
AMD SEV technology is used for virtual machine isolation by cloud providers such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure and Oracle Compute Infrastructure (OCI). AMD SEV protection is implemented through hardware-level encryption of virtual machine memory. Additionally, the SEV-ES (Encrypted State) extension protects CPU registers. Only the current guest system has access to the decrypted data, and when other virtual machines and the hypervisor try to access this memory, they receive an encrypted set of data.
The third generation of AMD EPYC processors introduced an additional extension, SEV-SNP (Secure Nested Paging), which ensures safe operation of nested memory page tables. In addition to general memory encryption and register isolation, SEV-SNP implements additional measures to protect memory integrity by preventing changes to the VM by the hypervisor. Encryption keys are managed on the side of a separate PSP (Platform Security Processor) processor built into the chip, implemented on the basis of ARM architecture.
The essence of the proposed attack method is to use the INVD instruction to invalidate blocks (lines) in the cache of dirty pages without dumping the data accumulated in the cache into memory (write-back). Thus, the method allows you to evict changed data from the cache without changing the memory state. To carry out an attack, it is proposed to use software exceptions (fault injection) to interrupt the operation of the virtual machine in two places: in the first place, the attacker calls the βwbnoinvdβ instruction to reset all memory write operations accumulated in the cache, and in the second place calls the βinvdβ instruction to returning write operations not reflected in memory to the old state.
To check your systems for vulnerabilities, an exploit prototype has been published that allows you to insert an exception into a virtual machine protected via AMD SEV and roll back changes in the VM that have not been reset to memory. Rollback of a change can be used to change the flow of a program by returning an old return address on the stack, or to use the login parameters of an old session that was previously authenticated by returning an authentication attribute value.
For example, researchers demonstrated the possibility of using the CacheWarp method to carry out a Bellcore attack on the implementation of the RSA-CRT algorithm in the ipp-crypto library, which made it possible to recover the private key through error substitution when calculating a digital signature. It also shows how you can change the session verification parameters to OpenSSH when connecting remotely to a guest system, and then change the verification state when running the sudo utility to gain root rights in Ubuntu 20.04. The exploit has been tested on systems with AMD EPYC 7252, 7313P and 7443 processors.
Source: opennet.ru