CVE CyberSecurity Database News

CVE-2021-26360 - Local Exploit Letting Attackers Tamper with AMD Secure Processor SOC Registers

Poster -

When you think about computer security, imagine your hardware as a fortress. Every door, window, and lock counts. But sometimes, a skilled local intruder can sneak inside and unlock what should stay sealed. That’s exactly what happened with the security hole tracked as CVE-2021-26360—a serious vulnerability affecting certain AMD platforms.

What is CVE-2021-26360?

Discovered in 2021, CVE-2021-26360 is a vulnerability in AMD's System-on-Chip (SOC) hardware registers. These controls are essentially hardware-level properties that manage how the computer's processor (especially the AMD Secure Processor, or ASP) handles encrypted memory and private operations.

A malicious user who already has access to your computer (local access) can change these SOC settings on their own. That could let them corrupt the memory meant to be protected by the AMD Secure Processor. In the worst-case scenario, they could run any code inside the ASP—totally bypassing your hardware security and opening up your system to much bigger threats.

How Bad is This Vulnerability?

This is a *local* vulnerability, which means attackers need to get onto your computer or server first (so it's less risk for average home PCs, more for multi-user servers or shared systems).

Memory that's supposed to be safe (encrypted by hardware) could become exposed or changed.

- If an attacker gets the right code running in ASP, they control a trusted part of your system, making it nearly impossible to tell that anything is wrong.

Exploit Details and Example

Let’s walk through how an attacker might exploit CVE-2021-26360.

What is Actually Happening?

1. Improper Access Controls:  The SOC register controls didn't check thoroughly who was allowed to write/change certain secure settings.
2. Malicious Modification:  An attacker with local access could write to these registers and, for example, flip a setting that disables memory encryption or changes ASP’s behavior.
3. Arbitrary Code Execution:  By corrupting ASP-managed memory, the attacker could plant code that gets run with ASP privileges.

Example: SOC Register Write in Action

Suppose an attacker can write to a specific memory-mapped IO region that manages SOC register security settings. Here’s a Python pseudocode snippet showing how this might occur using /dev/mem in Linux (real exploits need privileges, use C, and are system-specific):

# WARNING: simplified! Do NOT run, educational only.
import mmap, os

SOC_REG_BASE = xFEDC000   # Hypothetical address for demo only
SOC_REG_SIZE = x100       # 4KB region

with open("/dev/mem", "r+b") as f:
    # Map the SOC register region
    mm = mmap.mmap(f.fileno(), SOC_REG_SIZE, offset=SOC_REG_BASE)
    # Offset where the privilege control register sits
    reg_offset = xF4
    # Read existing value
    orig = mm[reg_offset]
    # Overwrite with a value that disables protection
    mm[reg_offset] = x00   # Disables security (hypothetical)
    mm.close()

Once this protection is dropped, attacker code could directly tamper with ASP’s secure memory areas—either reading secrets or planting code.

Disable encrypted memory, making sensitive data readable.

- Corrupt ASP control flow, leading to execution of code stubs in the processor’s "trusted" context.
- Bypass virtualization/secure boot, allowing rootkit installation or persistent malware.

What Systems are Affected?

AMD’s advisory (see below) says this affects *multiple* processors and platforms, especially those with ASP/PSP (Platform Security Processor) features—mostly aimed at enterprise and server hardware.

How Can I Protect Myself?

- Update Firmware:  AMD and most OEMs have released BIOS/UEFI updates to block unauthorized write access to these registers.  
- Least Privilege:  Never give untrusted users local access to high-privilege accounts or allow them to run software with admin/root rights.
- Monitor for Physical Access:  Since this attack is local, guarding physical access to servers and workstations is crucial.

References

- AMD Security Advisory Page on CVE-2021-26360
- National Vulnerability Database on CVE-2021-26360
- GitHub: Firmware Updates from Vendors

Final Thoughts

CVE-2021-26360 is a textbook example of why hardware security matters. When attackers can flip a switch inside your processor, even encrypted memory is up for grabs. This isn't a remote attack, but anyone sharing a machine, or handling critical infrastructure, should be on the lookout and patch as soon as possible.

Keeping everything—from OS to firmware—up to date is your best defense. And, as always, never let anyone you don’t trust touch your machines!


*If you found this guide helpful, share it with IT staff, sysadmins, or anyone who manages AMD-powered hardware. Understanding is the first step to security!*

Timeline

Published on: 11/09/2022 21:15:00 UTC
Last modified on: 11/23/2022 13:59:00 UTC