A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has discovered an architectural bug in the XuanTie C910 and C920 RISC-V CPUs from the Chinese chip company T-Head that could allow attackers to gain unrestricted access to vulnerable devices.
The vulnerability has been codenamed GhostWrite. It is described as a direct CPU bug embedded in the hardware, as opposed to a side-channel or transient-execution attack.
“This vulnerability allows an unprivileged attacker, even with limited access, to read and write any part of a computer’s memory and control peripheral devices such as network cards,” the researchers said. “GhostWrite renders the CPU’s security features ineffective and cannot be fixed without disabling about half of the CPU’s features.”
CISPA found that the processor has faulty instructions in its vector extension, an add-on to the RISC-V instruction set architecture (ISA) designed to handle larger data values than the base ISA.
These faulty instructions, which the researchers say operate directly on physical memory rather than virtual memory, bypass the process isolation normally enforced by the operating system and the hardware.
As a result, an unprivileged attacker could exploit the vulnerability to write to any memory location and sidestep security and isolation features to gain full, unrestricted access to the device. The flaw can also be used to leak any memory contents from the machine, including passwords.
“The attack is 100% robust, deterministic and takes only microseconds to execute,” the researchers said. “Not even security measures like Docker containerization or sandboxing can stop this attack. Additionally, an attacker can hijack hardware devices that use memory-mapped input/output (MMIO), allowing them to send any commands to those devices.”
The most effective countermeasure for GhostWrite is to disable the entire vector functionality, which, however, severely impacts performance and CPU capabilities, as it turns off roughly 50% of the instruction set.
“Fortunately, the vulnerable instructions reside in the vector extension, which can be disabled by the operating system,” the researchers noted. “This completely mitigates GhostWrite, but also completely disables vector instructions on the CPU.”
“Disabling the vector extension significantly reduces CPU performance, especially for tasks that benefit from parallel processing and handling large data sets. Applications that rely heavily on these features may experience lower performance or reduced functionality.”
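Because the only mitigation is to have the operating system switch the vector extension off, the first thing an operator of a RISC-V fleet wants is a quick check of which harts still advertise it. The script below is an added example and not code from the CISPA researchers or from T-Head; it assumes a Linux kernel that reports each hart's ISA string in the `isa` field of `/proc/cpuinfo`, and the embedded `/proc/cpuinfo` text is constructed for illustration, not captured from a real board. It parses the ISA string in the general way (base, single-letter extensions, then underscore-separated multi-letter extensions, with version suffixes such as `2p0` stripped and `g` expanded), and treats both the full `v` extension and any `zve*` embedded-vector subset as vector support. Whether a given vendor kernel for the C910 reports its draft-version vector unit under the letter `v` is not something this page establishes, so treat the output as a first indicator and confirm against the vendor's guidance.

```python
"""Report which harts advertise the RISC-V vector extension in /proc/cpuinfo.

Added example, not from the GhostWrite paper or T-Head. Assumes the Linux
convention of an `isa` line per processor block; falls back to a constructed
sample when /proc/cpuinfo is absent or carries no RISC-V `isa` fields.
"""
from __future__ import annotations

import re
from pathlib import Path

# Constructed sample /proc/cpuinfo content (not captured from real hardware):
# hart 0 advertises the vector extension, hart 1 does not.
SAMPLE_CPUINFO = """\
processor\t: 0
hart\t\t: 0
isa\t\t: rv64imafdcv_zicsr_zifencei
mmu\t\t: sv39

processor\t: 1
hart\t\t: 1
isa\t\t: rv64imafdc_zicsr_zifencei
mmu\t\t: sv39
"""

# 'g' is shorthand for imafd plus Zicsr and Zifencei.
_G_EXPANSION = {"i", "m", "a", "f", "d", "zicsr", "zifencei"}
# Optional version suffix on an extension name, e.g. zicsr2p0 -> zicsr.
_VERSION_SUFFIX = re.compile(r"\d+p\d+$")


def parse_isa_string(isa: str) -> set[str]:
    """Split an ISA string such as rv64imafdcv_zicsr_zifencei into extension names."""
    s = isa.strip().lower()
    m = re.fullmatch(r"rv(32|64|128)([a-z0-9]*)(?:_([a-z0-9_]+))?", s)
    if not m:
        raise ValueError(f"not a RISC-V ISA string: {isa!r}")
    xlen, single, multi = m.groups()
    exts = {f"rv{xlen}"}
    # Single-letter extensions, each optionally followed by a version like 2p0.
    for letter in re.findall(r"([a-z])(?:\d+p\d+)?", single):
        if letter == "g":
            exts |= _G_EXPANSION
        else:
            exts.add(letter)
    # Multi-letter extensions (z*, s*, x*) are underscore-separated.
    for part in (multi or "").split("_"):
        if part:
            exts.add(_VERSION_SUFFIX.sub("", part))
    return exts


def has_vector(exts: set[str]) -> bool:
    """True if the full V extension or any Zve* embedded-vector subset is present."""
    return "v" in exts or any(e.startswith("zve") for e in exts)


def vector_enabled_harts(cpuinfo: str) -> dict[int, bool]:
    """Map each processor number to whether its ISA string advertises vector support."""
    result: dict[int, bool] = {}
    for block in re.split(r"\n\s*\n", cpuinfo.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        # Non-RISC-V kernels (x86, arm64) have processor blocks without an isa field.
        if "processor" in fields and "isa" in fields:
            result[int(fields["processor"])] = has_vector(parse_isa_string(fields["isa"]))
    return result


def main() -> None:
    path = Path("/proc/cpuinfo")
    text = path.read_text() if path.exists() else SAMPLE_CPUINFO
    harts = vector_enabled_harts(text)
    if not harts:
        print("no RISC-V isa fields found; using constructed sample instead")
        harts = vector_enabled_harts(SAMPLE_CPUINFO)
    for hart, v in sorted(harts.items()):
        print(f"processor {hart}: vector extension {'advertised' if v else 'absent'}")


if __name__ == "__main__":
    main()
```

Run it as `python3 check_rvv.py` on the target; a hart listed as "advertised" is one on which the kernel still exposes the vector unit and therefore the GhostWrite mitigation described above has not been applied. The parser is the reusable part: the same `parse_isa_string` can be pointed at a device-tree `riscv,isa` property or a boot log line, since those use the same string format.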
The disclosure comes as Google’s Android Red Team revealed over nine vulnerabilities in Qualcomm’s Adreno GPU that could allow an attacker with local access to a device to achieve privilege escalation and kernel-level code execution. The flaws have since been patched by the chipset maker.
Also of note is the discovery of a new security flaw in AMD processors that could potentially be exploited by an attacker with kernel access (aka Ring-0) to elevate privileges and modify the configuration of System Management Mode (SMM, aka Ring-2) even when SMM Lock is enabled.
Dubbed Sinkclose by IOActive (aka CVE-2023-31315, CVSS score: 7.5), the vulnerability remained unnoticed for nearly two decades. Access to the highest privilege levels on a computer means it could be used to disable security features and install persistent malware that can fly virtually under the radar.
Speaking to WIRED, the company said the only way to remedy an infection would be to physically connect to the CPUs using a hardware tool known as an SPI Flash programmer and scan the memory for malware installed using Sinkclose.
“A faulty check in the model-specific register (MSR) could allow a malicious program with ring0 access to modify the SMM configuration when SMI locking is enabled, potentially leading to arbitrary code execution,” AMD noted in an advisory, adding that it intends to release updates to original equipment manufacturers (OEMs) to mitigate the issue.