GhostWrite Vulnerability Let Hackers Read And Write Any Part Of The Computer’s Memory

Such is the industry, that RISC-V, an open and extensible instruction set architecture (ISA) has now invaded the CPU market, opening up many opportunities for new entrants.

It has gained a lot of traction through Linux kernel support as well as being adopted by consumer devices and cloud platforms.

However, RISC-V’s flexible nature has led to various kinds of hardware implementations with different features and security practices.

However, this can be achieved without any knowledge of source codes or using emulators. Models are chosen from various vendors using differential CPU fuzzing in order to compare their architectural behaviors.

A group of cybersecurity researchers at CISPA Helmholtz Center for Information Security recently identified that there were three major security vulnerabilities in five commercial RISC-V CPUs including GhostWrite where an attacker can write arbitrary data from unprivileged states into any physical memory locations.

Technical Analysis

This makes it possible to read physical memory and execute arbitrary machine-mode code even when operating within cloud environments.

Two privileged instruction sequences that could cause unrecoverable CPU halts were also found by RISCVuzz consequently exposing major security concerns in the implementation of RISC-V systems.

The GhostWrite bug, found in the RISC-V CPU, T-Head XuanTie C910, is a hardware design flaw that poses a major security risk.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

Even attackers with minimal system privilege can read and write any memory and tamper with peripherals like network cards.

Ghostwrite eliminates all of the inbuilt security controls of the CPU consequently allowing attackers to have absolute control over the entire system.

However, this vulnerability is made worse by the fact that fixing it would involve disabling about 50% of its functions consequently making it an inappropriate measure.

As an addition to RISC-V ISA, which helps in dealing with huge information values, these broken instructions deal with the physical memory by ignoring the virtual memory protections and process isolation imposed by the OS and hardware.

In contrast to side-channel or transient-execution attacks, however, GhostWrite is a direct CPU bug caused by faulty vector extension instructions.

GhostWrite is a flaw embedded in hardware that cannot be fixed using software updates.

This allows unprivileged attackers to write to any memory location, bypassing security features completely and gaining uncontrolled access to devices.

Furthermore, it enables hackers to hijack hardware devices through memory-mapped I/O (MMIO), enabling them to execute arbitrary commands on those devices.

Here below we have mentioned all the vulnerable devices:-

  • Scaleway Elastic Metal RV1, bare-metal C910 cloud instances
  • Lichee Cluster 4A, compute cluster
  • Lichee Book 4A, laptop
  • Lichee Console 4A, tiny laptop
  • Lichee Pocket 4A, gaming console
  • Sipeed Lichee Pi 4A, single-board computer (SBC)
  • Milk-V Meles, SBC
  • BeagleV-Ahead, SBC

Differential fuzz testing of RISC-V CPUs revealed GhostWrite by comparing the results of small programs on different processors.

Differential CPU Fuzz Testing (Source – GhostWriteAttack)

However, the T-Head XuanTie C910 acted differently, as its execution did not raise an exception as expected but rather it just executed the vector store instruction illegitimately encoded into it.

This implies that there is a serious direct physical memory write error that can bypass the virtual memory protection systems.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

15 hours ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

15 hours ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

15 hours ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

15 hours ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

2 days ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

2 days ago