Tom’s Hardware
Matthew Connatser

AMD CacheWarp Vulnerability Afflicts Previous Gen EPYC Server CPUs, Patch Issued


AMD and Graz University of Technology researchers have disclosed a new vulnerability in AMD CPUs called CacheWarp, or CVE-2023-20592 (via ComputerBase). This attack exploits a security feature in EPYC server CPUs that's supposed to make them resistant to hacks. The vulnerability affects first- through third-generation EPYC CPUs (Naples, Rome, and Milan), but AMD has only made a microcode patch for third-generation Milan chips.

Secure Encrypted Virtualization (or SEV) is an exclusive security feature for EPYC CPUs that's intended to make virtual machines more secure by encrypting each VM's memory with a key. Ironically, it's SEV itself that makes CacheWarp possible and EPYC CPUs thus exploitable. This isn't the first time SEV has been exploited, but CacheWarp is more critical as it doesn't require physical access to a PC.

The CacheWarp exploit is triggered by wiping the CPU's cache using the INVD instruction, which leaves the CPU with outdated data stored in system memory (RAM). The CPU will then read the data from RAM and treat it as current when it is actually stale.

The crucial thing that the CPU reads is the value for authentication, which needs to be 0 in order to successfully authenticate. Entering the correct passkey is supposed to be the only way to get the value to be 0, but it turns out the initial value is also 0, which is why effectively sending the CPU back in time is a big security hole.
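The rollback described above can be seen in a toy model, added here as an illustration and not taken from the researchers or AMD: one memory word behind a single write-back cache line, with hypothetical helpers `store`, `load`, `invd` and `wbinvd` standing in for the hardware behaviour. It simulates the cache in ordinary C and does not execute the real instructions; the status codes are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed status codes: 0 means "authenticated", as in the article. */
enum { AUTH_OK = 0, AUTH_FAIL = 1 };

/* Toy model: one word of RAM behind one write-back cache line. */
struct model {
    int  ram;    /* value currently held in system memory */
    int  line;   /* value currently held in the cache line */
    bool valid;  /* cache line holds a copy */
    bool dirty;  /* cache copy is newer than RAM */
};

/* A store lands in the cache only; RAM is updated later, on write-back. */
static void store(struct model *m, int v) {
    m->line = v; m->valid = true; m->dirty = true;
}

/* A load hits the cache if valid, otherwise refills the line from RAM. */
static int load(struct model *m) {
    if (!m->valid) { m->line = m->ram; m->valid = true; m->dirty = false; }
    return m->line;
}

/* WBINVD semantics: write dirty data back to RAM, then invalidate. */
static void wbinvd(struct model *m) {
    if (m->valid && m->dirty) m->ram = m->line;
    m->valid = false; m->dirty = false;
}

/* INVD semantics: invalidate without write-back, so dirty data is lost. */
static void invd(struct model *m) { m->valid = false; m->dirty = false; }

/* Record a failed login, flush the cache one way or the other, re-read. */
int auth_after_flush(int initial, bool use_invd) {
    struct model m = { .ram = initial, .line = 0, .valid = false, .dirty = false };
    store(&m, AUTH_FAIL);            /* wrong passkey: failure sits only in cache */
    if (use_invd) invd(&m); else wbinvd(&m);
    return load(&m);                 /* what the CPU now believes */
}

int main(void) {
    printf("initial 0, WBINVD: %d\n", auth_after_flush(AUTH_OK, false));
    printf("initial 0, INVD:   %d\n", auth_after_flush(AUTH_OK, true));
    printf("initial 1, INVD:   %d\n", auth_after_flush(AUTH_FAIL, true));
    return 0;
}
```

In this model the re-read value after INVD is whatever RAM held before the dropped write, which is why the initial value of 0 matters.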

Although this exploit impacts first-, second-, and third-generation EPYC processors, only third-generation EPYC Milan chips are getting new microcode with the CacheWarp vulnerability patched out. In a statement to ComputerBase, AMD claims that a patch isn't necessary for first- and second-generation CPUs as "SEV and SEV-ES features are not intended for protection."

Unlike many other patches, AMD says there should be no performance impact with the patch enabled. This is expected since CacheWarp doesn't hinge on speculative execution like Spectre, which has been patched at the expense of performance.
