A recent oss-security list post from Tavis Ormandy has brought attention to a use-after-free vulnerability, CVE-2023-20593, in AMD Zen2 processors. This issue, which had the potential to affect a broad range of AMD products, has been addressed by AMD with a timely patch release.
https://www.openwall.com/lists/oss-security/2023/07/24/1
[Early Analysis]
Understanding the Issue
As detailed in Ormandy’s post, the vulnerability was associated with the vector register file (RF), a resource shared among all tasks on the same physical core. The register allocation table (RAT) manages the assignment and mapping of RF resources to named registers. An issue could arise when a flag, known as the z-bit, was speculatively set in the RAT. If the z-bit was unset due to a branch misprediction, the previously allocated RF space could have been reallocated, leading to a use-after-free scenario.
This situation could occur under specific conditions, such as when an instruction that uses merge optimization, a register rename, and a mispredicted VZEROUPPER instruction enter the FP backend simultaneously.
Implications of the Vulnerability
The vulnerability could potentially allow an individual to access the registers of other processes. It could operate across virtual machines and affect all operating systems. Ormandy has written a proof-of-concept for this issue that’s fast enough to reconstruct keys and passwords as users log in.
Addressing the Issue
AMD has released a patch for this issue, which can be found here. A software workaround is also available, which involves setting the chicken bit DE_CFG[9]. However, this may have some performance cost, and the microcode update is preferred. It is important to note that disabling SMT is not sufficient to mitigate this vulnerability.
Detection Engineering
Detecting use-after-free vulnerabilities such as CVE-2023-20593 can be challenging due to their complex nature. However, there are several strategies that can be employed:
- Behavioral Analysis: Monitor system behavior for anomalies. Unusual system behavior can often indicate the presence of a vulnerability being exploited.
- Memory Analysis: Use-after-free vulnerabilities involve improper memory management. Tools that can monitor and analyze memory usage can help detect these vulnerabilities.
- Log Analysis: Regularly review system and application logs for any suspicious activity. In the context of Microsoft systems, Event Tracing for Windows (ETW) can provide valuable information. Sysmon, a Windows system service and device driver, can also provide detailed information about process creations, network connections, and changes to file creation time.
MITRE TTPs
This vulnerability touches on several MITRE ATT&CK tactics and techniques, including:
- T1055: Process Injection
- T1056: Input Capture
- T1496: Resource Hijacking
Further Reading
For more information on this vulnerability and related topics, you may find the following resources useful:
- Understanding Use-After-Free Vulnerabilities
- Sysmon and ETW: A Love Story
- Detecting Use-After-Free with Static Analysis
- https://www.openwall.com/lists/oss-security/2023/07/24/1 : Original Advisory
- https://www.openwall.com/lists/oss-security/2023/07/24/2 : Xen Advisory
This article is based on the information shared by Tavis Ormandy in his oss-security list post.