Security News > 2023 > November > New CacheWarp AMD CPU attack lets hackers gain root in Linux VMs
A new software-based fault injection attack, CacheWarp, can let threat actors hack into AMD SEV-protected virtual machines by targeting memory writes to escalate privileges and gain remote code execution.
This new attack exploits flaws in AMD's Secure Encrypted Virtualization-Encrypted State and Secure Encrypted Virtualization-Secure Nested Paging tech designed to protect against malicious hypervisors and reduce the attack surface of VMs by encrypting VM data and blocking attempts to alter it in any way.
"CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP, exploiting the possibility to architecturally revert modified cache lines of guest VMs to their previous state," the researchers said.
"In 3 case studies, we demonstrate an attack on RSA in the Intel IPP crypto library, recovering the entire private key, logging into an OpenSSH server without authentication, and escalating privileges to root via the sudo binary."
"Improper or unexpected behavior of the INVD instruction in some AMD CPUs may allow an attacker with a malicious hypervisor to affect cache line write-back behavior of the CPU leading to a potential loss of guest virtual machine memory integrity," AMD says.
For customers using AMD's 3rd generation EPYC processors with the AMD Secure Encrypted Virtualization-Secure Nested Paging feature enabled, AMD has released a hot-loadable microcode patch and updated firmware image.
News URL
Related news
- North Korean govt hackers linked to Play ransomware attack (source)
- Windows infected with backdoored Linux VMs in new phishing attacks (source)
- Cisco bug lets hackers run commands as root on UWRB access points (source)
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems (source)
- Ubuntu Linux impacted by decade-old 'needrestart' flaw that gives root (source)
- Chinese hackers target Linux with new WolfsBane malware (source)
- Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' (source)