SecurityWeek

GhostWrite Vulnerability Facilitates Attacks on Devices With RISC-V CPU

Researchers disclose the details of GhostWrite, a RISC-V CPU vulnerability that can be exploited to gain full access to targeted devices.

LAS VEGAS — BLACK HAT USA 2024 — A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has disclosed the details of a new vulnerability affecting a popular CPU that is based on the RISC-V architecture. 

RISC-V is an open source instruction set architecture (ISA) designed for developing custom processors for various types of applications, including embedded systems, microcontrollers, data centers, and high-performance computers. 

The CISPA researchers have discovered a vulnerability in the XuanTie C910 CPU made by Chinese chip company T-Head. According to the experts, the XuanTie C910 is one of the fastest RISC-V CPUs.

The flaw, dubbed GhostWrite, allows attackers with limited privileges to read and write from and to physical memory, potentially enabling them to gain full and unrestricted access to the targeted device.

While the GhostWrite vulnerability is specific to the XuanTie C910 CPU, several types of systems have been confirmed to be impacted, including PCs, laptops, containers, and VMs in cloud servers.  

The list of vulnerable devices named by the researchers includes Scaleway Elastic Metal RV bare-metal cloud instances; Sipeed Lichee Pi 4A, Milk-V Meles and BeagleV-Ahead single-board computers (SBCs); as well as some Lichee compute clusters, laptops, and gaming consoles. 

“To exploit the vulnerability an attacker needs to execute unprivileged code on the vulnerable CPU. This is a threat on multi-user and cloud systems or when untrusted code is executed, even in containers or virtual machines,” the researchers explained. 

To demonstrate their findings, the researchers showed how an attacker could exploit GhostWrite to gain root privileges or to obtain an administrator password from memory.

Unlike many of the previously disclosed CPU attacks, GhostWrite is neither a side-channel nor a transient execution attack, but an architectural bug.

The researchers reported their findings to T-Head, but it’s unclear if any action is being taken by the vendor. SecurityWeek reached out to T-Head’s parent company Alibaba for comment days before this article was published, but it has not heard back. 

Cloud computing and web hosting company Scaleway has also been notified and the researchers say the company is providing mitigations to customers. 

It’s worth noting that the vulnerability is a hardware bug that cannot be fixed with software updates or patches. Disabling the vector extension in the CPU mitigates attacks, but also impacts performance.

The researchers told SecurityWeek that a CVE identifier has yet to be assigned to the GhostWrite vulnerability. 

While there is no indication that the vulnerability has been exploited in the wild, the CISPA researchers noted that currently there are no specific tools or methods for detecting attacks. 

Additional technical information is available in the paper published by the researchers. They are also releasing an open source framework named RISCVuzz that was used to discover GhostWrite and other RISC-V CPU vulnerabilities. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
