New T-Head CPU Bugs Expose Devices to Unrestricted Attacks by GhostWrite
An architectural flaw affecting Chinese chip manufacturer T-Head’s XuanTie C910 and C920 RISC-V CPUs has been disclosed by a group of researchers from the CISPA Helmholtz Center for Information Security in Germany. The bug could give malicious actors unrestricted access to vulnerable devices.
GhostWrite, as it is known, is not a side-channel or transient execution attack but a direct CPU vulnerability embedded in the hardware.
“The impact of this vulnerability is significant as it allows unauthorized individuals, even those with limited privileges, to gain access to any section of the device’s memory and take charge of peripheral components such as network cards,” stated the researchers. “GhostWrite neutralizes the security measures of the CPU and the issue cannot be resolved without deactivating roughly 50% of the CPU’s functions.”
CISPA’s study found that the CPU contains faulty instructions in its vector extension, an extension to the base RISC-V ISA designed to handle larger data values.
According to the researchers, these faulty instructions operate directly on physical memory rather than virtual memory, bypassing the process isolation normally enforced by the operating system and hardware.
This loophole can be weaponized by an unauthorized attacker to write to any memory location, bypass security and isolation features, and gain full, unrestricted control over the device. It may also expose sensitive information stored in a machine, such as passwords.
“The exploit is completely reliable, deterministic, and executes within microseconds,” the researchers emphasized. “Even protective measures like Docker containerization or sandboxing are ineffective in thwarting this exploit. Furthermore, the attacker can seize control of hardware devices that rely on memory-mapped input/output (MMIO) to issue commands to these devices.”
The best defense against GhostWrite is to deactivate the vector functionality completely, although this comes at the cost of severely impairing the CPU’s performance and capabilities by disabling approximately 50% of the instruction set.
The researchers pointed out, “Fortunately, the vulnerable directives are in the vector extension, which can be disabled by the operating system. This eliminates GhostWrite but also disables vector instructions on the CPU.”
“Deactivating the vector extension notably diminishes the CPU’s performance, particularly in tasks that benefit from parallel processing and managing extensive datasets. Applications that heavily rely on these functionalities may encounter decelerated performance or reduced features.”
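Since the article’s recommended mitigation is for the operating system to stop exposing the vector extension, the first thing an administrator of a RISC-V board wants to know is whether a hart reports the affected core design and whether the vector extension is still advertised to software. The following script is an added example written for this page; it is not from the article or from CISPA’s own tooling. It parses a `/proc/cpuinfo` dump as Linux prints it on RISC-V, and it assumes (labelled in the code) that the core design appears in the `uarch` field as `thead,c910` / `thead,c920` and that an OS which has disabled the vector extension no longer lists `v` (or a `zve*` subset) in the `isa` field. The two cpuinfo dumps are constructed samples so the script runs offline.

```python
"""Check a RISC-V /proc/cpuinfo dump for T-Head C910/C920 harts and for the
vector extension (the part of the instruction set GhostWrite lives in).

Added example, not from the original article. Assumptions: Linux reports the
ISA string in an ``isa`` field and the core design in a ``uarch`` field whose
value for the affected cores is ``thead,c910`` or ``thead,c920`` (confirm on a
real board), and an OS that has disabled the vector extension no longer
advertises ``v`` or a ``zve*`` subset in the ISA string.
"""
import re

# Constructed sample: two harts that still expose the vector extension,
# laid out the way Linux prints /proc/cpuinfo on RISC-V.
SAMPLE_CPUINFO_VULNERABLE = """\
processor\t: 0
hart\t\t: 0
isa\t\t: rv64imafdcv_zicsr_zifencei
mmu\t\t: sv39
uarch\t\t: thead,c910

processor\t: 1
hart\t\t: 1
isa\t\t: rv64imafdcv_zicsr_zifencei
mmu\t\t: sv39
uarch\t\t: thead,c910
"""

# Constructed sample: the same core after the OS stopped exposing vector.
SAMPLE_CPUINFO_MITIGATED = """\
processor\t: 0
hart\t\t: 0
isa\t\t: rv64imafdc_zicsr_zifencei
mmu\t\t: sv39
uarch\t\t: thead,c910
"""

# Assumed device-tree compatible strings for the affected cores.
AFFECTED_UARCH = ("thead,c910", "thead,c920")


def parse_cpuinfo(text):
    """Split a /proc/cpuinfo dump into one {field: value} dict per hart."""
    harts, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line separates harts
            if current:
                harts.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        harts.append(current)
    return harts


def has_vector_extension(isa):
    """True if the ISA string advertises the vector extension.

    Single-letter extensions follow the rv32/rv64 prefix up to the first
    underscore; multi-letter ones (e.g. zve64d) are underscore-separated.
    The 'v' inside the 'rv64' prefix must not be mistaken for the extension.
    """
    m = re.match(r"rv(?:32|64|128)([a-z]*)(?:_(.*))?$", isa.lower())
    if not m:
        return False
    single, multi = m.group(1), m.group(2) or ""
    if "v" in single:
        return True
    return any(ext.startswith("zve") for ext in multi.split("_"))


def assess(text):
    """Return (affected_core_present, vector_exposed_on_affected_core)."""
    harts = parse_cpuinfo(text)
    affected = [h for h in harts if h.get("uarch", "").lower() in AFFECTED_UARCH]
    vector_on = any(has_vector_extension(h.get("isa", "")) for h in affected)
    return bool(affected), vector_on


if __name__ == "__main__":
    for name, dump in (("vulnerable", SAMPLE_CPUINFO_VULNERABLE),
                       ("mitigated", SAMPLE_CPUINFO_MITIGATED)):
        affected, vector_on = assess(dump)
        print(f"{name}: affected core={affected}, vector exposed={vector_on}")
```

On a live system, feed `assess()` the contents of `/proc/cpuinfo`; a result of `(True, True)` means an affected core is still exposing the vector extension, `(True, False)` that the extension has been withdrawn (with the performance cost the researchers describe), and `(False, ...)` that no C910/C920 hart was reported. The regular expression skips the `v` in the `rv64` prefix on purpose, since a naive `"v" in isa` check would report every 64-bit RISC-V core as vector-capable.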
Meanwhile, the Android Red Team at Google unveiled more than nine flaws in Qualcomm’s Adreno GPU that could enable an attacker with local access to escalate privileges and execute code at the kernel level. The vulnerabilities have been addressed by the chipset manufacturer.
Additionally, a new security vulnerability in AMD processors was found, which could be leveraged by an attacker with kernel access to escalate privileges and modify System Management Mode (SMM or Ring-2) configurations even when SMM Lock is active.

Identified as Sinkclose by IOActive (CVE-2023-31315, CVSS score: 7.5), the vulnerability lay dormant for almost twenty years and grants access to the highest privilege levels on a computer, allowing security features to be disabled and stealthy malware installations to go unnoticed.
The most effective way to address an infection caused by this vulnerability, according to the company, would be to physically connect to the CPUs using a hardware-based tool called an SPI flash programmer and scan the memory for malware implanted using Sinkclose.
“A flaw in a model-specific register (MSR) could be exploited by a malicious program with ring0 access to alter SMM configurations while SMI lock is active, enabling arbitrary code execution,” as noted by AMD in an advisory. The company aims to deliver updates to Original Equipment Manufacturers (OEMs) to address the issue.