Attack 'CacheWarp' that exploits the vulnerability of AMD CPU and seizes root privileges is discovered

It has been revealed that it is possible to gain root privileges by exploiting a vulnerability in the virtual machine protection technology installed in AMD CPUs. The attack method in question was discovered by a research team belonging to the German security research institute `` CISPA '', and the research team named the attack method `` CacheWarp '' and reported the details.

Cache Warp
https://cachewarpattack.com/

AMD INVD Instruction Security Notice
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3005.html

AMD's server CPU 'EPYC' is equipped with virtual machine protection functions such as 'SEV-ES' and 'SEV-SNP'. According to the research team, these virtual machine protection functions have a ``vulnerability that can return the virtual machine cache to an old state.'' If an attacker exploits this vulnerability, it will be possible to ``restore an old session that has already been authenticated and seize privileges''.

Below is a movie demonstrating the attack by CacheWarp. If you play the movie, you can see how the attacker gains root privileges.

CacheWarp Demo - Bypassing Sudo Authentication - YouTube


AMD has confirmed that ``1st generation AMD EPYC processors,'' ``2nd generation AMD EPYC processors,'' and ``3rd generation AMD EPYC processors'' are affected by the attack, and has updated the firmware for 3rd generation AMD EPYC processors. We offer On the other hand, 1st and 2nd generation AMD EPYC processors are relaxed because ``SEV and SEV-ES are not designed to protect the memory integrity of guest virtual machines, and SEV-SNP is not available.'' does not provide any solutions.

The research team has published the CacheWarp proof-of-concept code in the GitHub repository below.

GitHub - cispa/CacheWarp: Proof-of-concept implementation for the paper 'CacheWarp: Software-based Fault Injection using Selective State Reset' (USENIX Security 2024)
https://github.com/cispa/CacheWarp