New CacheWarp AMD CPU attack lets hackers gain root in Linux VMs

Subject : New CacheWarp AMD CPU attack lets hackers gain root in Linux VMs

Severity : Medium (CVE-2023-20592)

CVSS v3.0 Score : 5.3

Date : 2023-11-14


Information

  A new software-based fault injection attack, CacheWarp, can let threat actors hack into AMD SEV-protected virtual machines by targeting memory writes to escalate privileges and gain remote code execution.

  This new attack exploits flaws in AMD's Secure Encrypted Virtualization-Encrypted State (SEV-ES) and Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) tech designed to protect against malicious hypervisors and reduce the attack surface of VMs by encrypting VM data and blocking attempts to alter it in any way.

Incident

  The underlying vulnerability (CVE-2023-20592) was discovered by security researchers with CISPA Helmholtz Center for Information Security and Graz University of Technology and independent researcher Youheng Lue.

  "CacheWarp is a new software-based fault attack on AMD SEV-ES and SEV-SNP exploiting the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state," the researchers said.

  "We demonstrate an attack on RSA in the Intel IPP crypto library, recovering the entire private key, logging into an OpenSSH server without authentication, and escalating privileges to root via the sudo binary."

  In successful attacks, malicious actors could, for instance, revert variables used for authentication to a previous version, enabling them to hijack a previously authenticated session. Moreover, exploiting CacheWarp enables attackers to manipulate return addresses on the stack, thereby altering the control flow of a targeted program.

  The security researchers have also published an academic paper and shared video demos on using CacheWarp to gain root privileges or bypass OpenSSH authentication.

Solution

  AMD also issued a security advisory today, saying that the CacheWarp issue was found in the INVD instruction and may lead to a loss of SEV-ES and SEV-SNP guest virtual machine (VM) memory integrity.

  "Improper or unexpected behavior of the INVD instruction in some AMD CPUs may allow an attacker with a malicious hypervisor to affect cache line write-back behavior of the CPU leading to a potential loss of guest virtual machine (VM) memory integrity," AMD says.

  CacheWarp affects only AMD systems with the following processors that come with SEV support:

1st Gen AMD EPYC Processors (SEV and SEV-ES)

2nd Gen AMD EPYC Processors (SEV and SEV-ES)

3rd Gen AMD EPYC Processors (SEV, SEV-ES, SEV-SNP)

According to AMD's advisory, the issue does not impact AMD 4th generation 'Genoa' EPYC processors (Zen 4 microarchitecture).

  The company says there is no mitigation for the first or second generation of EPYC processors, because their SEV and SEV-ES features lack protection functionality for guest VM memory and the SEV-SNP feature is unavailable on them.

  Nevertheless, for customers using AMD's 3rd generation EPYC processors with the AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) feature enabled, AMD has released a hot-loadable microcode patch and updated firmware image (the patch should not result in any performance hit).
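A host-side triage check for the affected list above, as an added example (not code from the article or from AMD's advisory): it parses a /proc/cpuinfo dump and maps the CPU family/model to the EPYC generations the advisory names. The family/model table, the sev/sev_es/sev_snp flag names and the sample dumps are my own assumptions and constructed input.

```python
"""Triage helper for CVE-2023-20592 (CacheWarp): classify an AMD host from a
/proc/cpuinfo dump against the EPYC generations in AMD's advisory. Added example,
not the article's or AMD's code; family/model table, flag names and samples are assumed/constructed."""

# Assumed (family, model) pairs in decimal, as /proc/cpuinfo prints them.
EPYC_GENERATIONS = {(23, 1): "1st Gen EPYC (Naples)", (23, 49): "2nd Gen EPYC (Rome)",
                    (25, 1): "3rd Gen EPYC (Milan)", (25, 17): "4th Gen EPYC (Genoa)"}

def parse_cpuinfo(text):
    """Keep the first CPU block's key/value pairs; later CPUs repeat them."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return {
        "vendor": fields.get("vendor_id", ""),
        "family": int(fields.get("cpu family", "0")),
        "model": int(fields.get("model", "0")),
        "microcode": fields.get("microcode", "unknown"),
        "sev_modes": [f for f in ("sev", "sev_es", "sev_snp")
                      if f in fields.get("flags", "").split()],
    }

def assess_cachewarp(text):
    """Return the CPU generation and the action the advisory implies for it."""
    cpu = parse_cpuinfo(text)
    if cpu["vendor"] != "AuthenticAMD":
        return {"generation": "non-AMD", "status": "not affected by CVE-2023-20592"}
    gen = EPYC_GENERATIONS.get((cpu["family"], cpu["model"]), "unknown AMD part")
    if gen.startswith("4th"):
        status = "not affected (Zen 4)"
    elif gen.startswith("3rd"):
        status = "affected: apply AMD's microcode patch / firmware update (SEV-SNP)"
    elif gen.startswith(("1st", "2nd")):
        status = "affected: no mitigation available (SEV/SEV-ES only)"
    else:
        status = "not in the published list: check AMD's advisory"
    if not cpu["sev_modes"]:
        status += " (no SEV flags advertised on this host)"
    return {"generation": gen, "microcode": cpu["microcode"],
            "sev_modes": cpu["sev_modes"], "status": status}

# Constructed samples, not captures from real machines.
SAMPLE_MILAN = ("vendor_id\t: AuthenticAMD\ncpu family\t: 25\nmodel\t\t: 1\n"
                "microcode\t: 0x0\nflags\t\t: fpu sev sev_es sev_snp\n")
SAMPLE_GENOA = ("vendor_id\t: AuthenticAMD\ncpu family\t: 25\nmodel\t\t: 17\n"
                "microcode\t: 0x0\nflags\t\t: fpu sev sev_es sev_snp\n")
```

On a real host, pass the contents of /proc/cpuinfo to assess_cachewarp and compare the reported microcode value against the level AMD's advisory lists for your part.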


The important thing is the security of your systems. We must stay concerned and keep monitoring as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
061 404 5895 (Ms.Thanyakan)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)


References

https://www.bleepingcomputer.com/news/security/new-cachewarp-amd-cpu-attack-lets-hackers-gain-root-in-linux-vms/

https://thehackernews.com/2023/11/cachewarp-attack-new-vulnerability-in.html

https://googleprojectzero.blogspot.com/2022/05/release-of-technical-report-into-amd.html

https://www.youtube.com/watch?v=Za6KVLVF1AA

Weekly Interesting CVE

| NO. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS Severity Rating | Detail | Solution | Ref |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2023-24576 | 3/2/2023 | 7/11/2023 | DELL | Remote Code Execution | 9.8 | EMC NetWorker may potentially be vulnerable to an unauthenticated remote code execution vulnerability in the NetWorker Client execution service (nsrexecd) irrespective of any auth used. | 19.7.0.3, 19.8.0.1 and later versions | https://www.opencve.io/cve/CVE-2023-24576 |
| 2 | CVE-2018-6703 | 11/12/2018 | 07/11/2023 | McAfee | Remote Code Execution | 9.8 | Use After Free in Remote logging (which is disabled by default) in McAfee Agent (MA) 5.x prior to 5.6.0 allows remote unauthenticated attackers to cause a Denial of Service and potentially a remote code execution via a specially crafted HTTP header sent to the logging service. | 5.6.0 and later versions | https://www.opencve.io/cve/CVE-2018-6703 |
| 3 | CVE-2023-34059 | 27/10/2023 | 08/11/2023 | VMware Open VM Tools packages, affected from 11.0.0 through 12.3.0 | File Descriptor Hijacking | 7 | open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to simulate user inputs. | Update to the latest version. | https://www.opencve.io/cve/CVE-2023-34059 |
| 4 | CVE-2023-41679 | 10/10/2023 | 07/11/2023 | Fortinet FortiManager | Access control | 9.6 | An improper access control vulnerability [CWE-284] in FortiManager management interface 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions may allow a remote and authenticated attacker with at least "device management" permission on his profile and belonging to a specific ADOM to add and delete CLI script on other ADOMs. | Update to version 7.2.3, 7.0.8, 6.4.12, 6.2.4, or 6.0.9 or later | https://www.opencve.io/cve/CVE-2023-41679 ; https://vuldb.com/?id.241754 |
| 5 | CVE-2022-44702 | 13/12/2022 | 09/11/2023 | Windows Terminal (windows_11 affected from 1.0.0 before 1.15.2875; windows_10 affected from 1.0.0 before 1.15.2874.0) | Remote Code Execution | 7.8 | An attacker can execute malicious code on the victim's system. This malicious code can be used to steal data, install malware, or damage the system. | Update to the latest version. | https://www.cve.org/CVERecord?id=CVE-2022-44702 ; https://www.opencve.io/cve/CVE-2022-44702 |

Malware News or Campaign IOC/IOA

| No | Campaign Name | Detection in Thailand (/1m Divs) | Detection Date | Attack Type | Severity | Description | Solution |
|---|---|---|---|---|---|---|---|
| 1 | Technical Analysis Of Ursnif Banking Trojan | 15 | 09/11/2023 | Banking Trojan, Information-stealer, Phishing | Low | Ursnif, also recognized as Gozi or Dreambot, is a sophisticated banking trojan. Its delivery method primarily relies on phishing emails containing malicious attachments or hyperlinks. Ursnif exhibits a range of evasion techniques designed to circumvent detection by security software. These encompass anti-debugging, anti-analysis, and anti-virtual machine (VM) tactics. The attack commences with the transmission of a phishing email with an attachment masquerading as a DHL invoice in PDF format. Within the PDF structure, a malicious URL is concealed, discreetly linked to a seemingly benign "download" button. Upon user interaction, this link triggers the download of JavaScript files essential for the subsequent malicious payload. These scripts steal sensitive credentials, modify configurations within web browsers and computing systems, and transmit harvested data to a Command and Control (C&C) server. | 1. Update your antivirus, Windows, and the device you are using to the latest version. 2. Always check the link before clicking. Ref. 1 https://medium.com/@yossipob/ursnif-the-banking-trojan-b08418b76986 |

27 November 2023
