GhostWrite Vulnerability Facilitates Attacks on Devices With RISC-V CPU

LAS VEGAS — BLACK HAT USA 2024 — A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has disclosed the details of a new vulnerability affecting a popular CPU that is based on the RISC-V architecture. 

RISC-V is an open source instruction set architecture (ISA) designed for developing custom processors for various types of applications, including embedded systems, microcontrollers, data centers, and high-performance computers. 

The CISPA researchers have discovered a vulnerability in the XuanTie C910 CPU made by Chinese chip company T-Head. According to the experts, the XuanTie C910 is one of the fastest RISC-V CPUs.

The flaw, dubbed GhostWrite, allows attackers with limited privileges to read and write from and to physical memory, potentially enabling them to gain full and unrestricted access to the targeted device.

While the GhostWrite vulnerability is specific to the XuanTie C910 CPU, several types of systems have been confirmed to be impacted, including PCs, laptops, containers, and VMs in cloud servers.

The list of vulnerable devices named by the researchers includes Scaleway Elastic Metal RV bare-metal cloud instances; Sipeed Lichee Pi 4A, Milk-V Meles and BeagleV-Ahead single-board computers (SBCs); as well as some Lichee compute clusters, laptops, and gaming consoles. 

“To exploit the vulnerability an attacker needs to execute unprivileged code on the vulnerable CPU. This is a threat on multi-user and cloud systems or when untrusted code is executed, even in containers or virtual machines,” the researchers explained. 

To demonstrate their findings, the researchers showed how an attacker could exploit GhostWrite to gain root privileges or to obtain an administrator password from memory.

Unlike many previously disclosed CPU attacks, GhostWrite is neither a side-channel nor a transient-execution attack, but an architectural bug.

The researchers reported their findings to T-Head, but it’s unclear if any action is being taken by the vendor. SecurityWeek reached out to T-Head’s parent company Alibaba for comment days before this article was published, but it has not heard back. 

Cloud computing and web hosting company Scaleway has also been notified and the researchers say the company is providing mitigations to customers. 

It’s worth noting that the vulnerability is a hardware bug that cannot be fixed with software updates or patches. Disabling the vector extension in the CPU mitigates attacks, but also impacts performance.

The researchers told SecurityWeek that a CVE identifier has yet to be assigned to the GhostWrite vulnerability. 

While there is no indication that the vulnerability has been exploited in the wild, the CISPA researchers noted that currently there are no specific tools or methods for detecting attacks. 

Additional technical information is available in the paper published by the researchers. They are also releasing an open source framework named RISCVuzz that was used to discover GhostWrite and other RISC-V CPU vulnerabilities. 

Related: Intel Says No New Mitigations Required for Indirector CPU Attack

Related: New TikTag Attack Targets Arm CPU Security Feature 

Related: Researchers Resurrect Spectre v2 Attack Against Intel CPUs
