New T-Head CPU bugs expose devices to unlimited attacks

August 13, 2024 | Ravie Lakshmanan | Vulnerability / Hardware Security

A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has discovered an architecture bug affecting the XuanTie C910 and C920 RISC-V CPUs from Chinese chip company T-Head, which could allow attackers to gain unrestricted access to vulnerable devices.

The vulnerability has been codenamed GhostWrite. It has been described as a direct CPU bug embedded in the hardware, as opposed to a side-channel or transient execution attack.

“This vulnerability allows unauthorized attackers, even those with limited access, to read and write to any portion of the computer’s memory and control peripherals such as network cards,” the researchers said. “GhostWrite renders the CPU’s security features ineffective and cannot be fixed without disabling approximately half of the CPU’s functionality.”

CISPA discovered that the CPU contained erroneous instructions in the vector extension, an add-on to the RISC-V ISA designed to handle larger data values than the basic Instruction Set Architecture (ISA).

These erroneous instructions, which the researchers say are executed directly on physical memory rather than virtual memory, could bypass the process isolation normally enforced by the operating system and hardware.

As a result, an unprivileged attacker could use this loophole to write to any memory location and bypass security and isolation features to gain full, unrestricted access to the device. It could also leak all of a machine’s memory contents, including passwords.

“The attack is 100% reliable, deterministic, and takes only microseconds to execute,” the researchers said. “Even security measures such as Docker containerization or sandboxing cannot stop this attack. Furthermore, the attacker can hijack hardware devices that use memory-mapped input/output (MMIO), allowing them to send any commands to these devices.”

The most effective countermeasure for GhostWrite is to disable all vector functionality. However, this has a major impact on CPU performance and capabilities, as approximately 50% of the instruction set is disabled.

“Fortunately, the vulnerable instructions lie in the vector extension, which can be disabled by the operating system,” the researchers noted. “This completely limits GhostWrite, but also completely disables vector instructions on the CPU.”

“Disabling the vector extension significantly reduces CPU performance, especially for tasks that benefit from parallel processing and processing large data sets. Applications that rely heavily on these features may experience slower performance or reduced functionality.”
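
A first-pass inventory check for the mitigation described above, as an added example that is not from the original article or from the researchers: it parses Linux `/proc/cpuinfo` text and lists the harts on which the kernel still advertises a vector extension. The T-Head vendor ID `0x5b7`, the extension name `xtheadvector` and the sample cpuinfo text are assumptions or constructed values that do not appear in the article.

```python
import re

THEAD_MVENDORID = 0x5B7               # assumption: T-Head vendor ID as used by the Linux kernel
VECTOR_NAMES = {"v", "xtheadvector"}  # assumption: names under which a kernel advertises vector

def isa_extensions(isa):
    """Return the extension names in an ISA string such as 'rv64imafdcv_zicsr'."""
    m = re.fullmatch(r"rv(?:32|64|128)([a-z0-9_]*)", isa.strip().lower())
    if not m:
        raise ValueError(f"not a RISC-V ISA string: {isa!r}")
    base, *multi = m.group(1).split("_")
    # Single-letter extensions end where a multi-letter name (z*, s*, x*) begins,
    # so the 'v' inside 'zve32x' or 'svpbmt' is not mistaken for the V extension.
    cut = re.search(r"[zsx]", base)
    singles = base[:cut.start()] if cut else base
    tail = [base[cut.start():]] if cut else []
    return set(singles) | {e for e in tail + multi if e}

def harts_with_vector(cpuinfo_text):
    """Return (hart, is_thead, vector_names) for each hart advertising vector."""
    findings = []
    for block in re.split(r"\n\s*\n", cpuinfo_text.strip()):
        fields = {k.strip(): v.strip() for k, _, v in
                  (line.partition(":") for line in block.splitlines())}
        if "isa" not in fields:
            continue
        found = isa_extensions(fields["isa"]) & VECTOR_NAMES
        if found:
            vendor = int(fields.get("mvendorid", "0"), 16)
            findings.append((fields.get("hart", "?"),
                             vendor == THEAD_MVENDORID, sorted(found)))
    return findings

# Constructed sample: hart 0 advertises vector, hart 1 does not.
SAMPLE = """\
processor : 0
hart      : 0
isa       : rv64imafdcvsu
mvendorid : 0x5b7

processor : 1
hart      : 1
isa       : rv64imafdc_zicsr_zifencei_svpbmt
mvendorid : 0x5b7
"""

if __name__ == "__main__":
    for hart, is_thead, names in harts_with_vector(SAMPLE):
        print(f"hart {hart}: vector advertised {names}, T-Head vendor ID: {is_thead}")
```

What `/proc/cpuinfo` advertises depends on the kernel, so an empty result is a prompt to confirm the kernel configuration rather than proof that vector instructions trap.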

The revelation comes after Google’s Android Red Team disclosed more than nine flaws in Qualcomm’s Adreno GPU that could allow an attacker with local access to a device to achieve privilege escalation and kernel-level code execution. The vulnerabilities have since been patched by the chipset maker.

It also follows the discovery of a new vulnerability in AMD processors that could potentially be exploited by an attacker with kernel access (aka Ring-0) to escalate privileges and modify the System Management Mode (SMM or Ring -2) configuration, even when SMM Lock is enabled.

The vulnerability, dubbed Sinkclose by IOActive (also known as CVE-2023-31315, CVSS score: 7.5), is said to have gone unnoticed for nearly two decades. Access to the highest privilege levels on a computer means that security features can be disabled and persistent malware can be installed that can go virtually undetected.

Speaking to WIRED, the company said the only way to fix an infection is to physically connect to the CPUs using a hardware tool called the SPI Flash programmer and scan the memory for malware installed using Sinkclose.

“Improper validation in a model-specific register (MSR) could allow a malicious program with ring0 access to modify the SMM configuration while SMI locking is enabled, potentially leading to arbitrary code execution,” AMD said in an alert, adding that it plans to release updates for Original Equipment Manufacturers (OEM) to address the issue.
