CVE-2021-26393 is a vulnerability in the Trusted Execution Environment (TEE) of the AMD Secure Processor (ASP), published in November 2022. It allows an attacker who already holds a specific privilege (the ability to produce a validly signed Trusted Application) to read memory left behind by a previous Trusted Application, or to poison that memory with attacker-controlled data, resulting in a loss of confidentiality. If you build secure systems on AMD hardware or process confidential data in the ASP TEE, it is worth understanding how this class of bug works. In this post we break it down step by step, show code snippets, provide easy-to-understand analogies, and link out to official sources.

What is the AMD Secure Processor (ASP) TEE?

AMD chips from several product families include a specialized Secure Processor (ASP), designed to handle security-critical tasks. The Trusted Execution Environment (TEE) inside the ASP runs what are called Trusted Applications (TAs). These ensure that encryption keys and sensitive data stay protected, even if the main operating system is compromised.

The Vulnerability Explained

CVE-2021-26393 is about *insufficient memory cleanup* in AMD’s TEE. When a TA (Trusted Application) finishes running, the memory it used may not be completely erased before it is handed to the next TA. That “dirty” memory can then be read by the next TA, leaking the previous one’s sensitive data (such as cryptographic keys), or the next TA can leave its own data there for a later TA to stumble over.

Here’s the critical part:  
> An authenticated attacker, with the ability to generate a valid signed TA, could carefully craft their TA to read or alter uncleaned memory, and potentially inject new data into it.

Let’s look at how the exploit works

1. Attacker gains the ability to run a validly signed TA. This is a highly privileged precondition: TAs must be signed with a key the ASP trusts, so the attacker needs a rogue insider with signing access or a compromised signing pipeline (a supply chain attack).
2. TA A runs: TA-A is a legitimate application that uses the TEE to process highly sensitive data (e.g., a private signing key) and exits without that memory being wiped.
3. TA B runs: Later, the attacker deploys a malicious TA-B. Because TEE memory isn't wiped between TAs, TA-B can inspect (or overwrite) memory areas previously used by TA-A.
4. Sensitive data leaks or poisoned memory is planted: The attacker now has access to data remnants (possibly a cryptographic key, a user password, or other plaintext secrets), or has left attacker-controlled bytes for the next TA to find.

Real-World Example (Simplified Code)

Below is a simplified, runnable C model of the flaw. Imagine TEE memory as a bucket that should be emptied after every use; here a single shared buffer stands in for the TEE working memory that is lent to each TA in turn:

// Runnable C model of what might happen in the TEE: one shared working
// region is handed to successive TAs without being zeroed in between.
#include <stdio.h>
#include <string.h>

static char tee_memory[128];   // simulated TEE working memory

// Example: Trusted Application A
void TA_A(void) {
    char *sensitive_data = tee_memory;
    strcpy(sensitive_data, "TopSecretKey123");
    // ... use sensitive_data for some operation
    // TA_A ends - memory should be cleansed, but isn't!
}

// Later: Trusted Application B (attacker's), given the same region
void TA_B(void) {
    char buffer[128];
    // Read raw memory where the previous TA's buffer was
    memcpy(buffer, tee_memory, sizeof buffer);
    printf("Leaked: %s\n", buffer);  // Oops! Prints "TopSecretKey123"
}

int main(void) {
    TA_A();
    TA_B();
    return 0;
}

In actual hardware the mechanism is more complex, but the idea is the same: memory that is not zeroed after use stays available to whatever runs in it next. With a validly signed TA, an attacker could:

- Leak sensitive data processed by other TAs.
- Poison memory that later TAs will be handed (laying attacker-controlled data as a foothold for more advanced attacks).

AMD classifies the impact as a loss of confidentiality. In practice, leaked key material can let an attacker bypass the encryption or signing that depends on it, which for many organizations means exposure of their crown-jewel secrets.
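The program below is an added example, not code from the original post or from AMD. It models both directions the advisory describes (a signed TA reading a predecessor's leftovers, and a signed TA poisoning memory for its successor) and, for contrast, the cleanup step that is missing: a loader that zeroizes the working region between TAs. Everything in it is constructed for the illustration: the single fixed `tee_mem` region stands in for the real ASP allocator (whose internals are not public), and `run_ta`, `secure_zero`, the TA names and the sample key string are assumptions of this example only. Call the two probe functions with `scrub_on_exit = 0` to reproduce the bug and with `1` to see the fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEE_MEM_SIZE 256

/* Constructed model: one fixed working region that the TEE lends to each
 * Trusted Application in turn. The real ASP allocator is not public; this
 * region only stands in for "memory the previous TA used". */
static uint8_t tee_mem[TEE_MEM_SIZE];

/* Zeroize through a volatile pointer so the compiler cannot drop the
 * stores as dead writes to memory that is "never read again". */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

typedef void (*ta_entry)(uint8_t *mem, size_t len);

/* The TEE scheduler/loader (assumed). scrub_on_exit == 0 models the bug:
 * the region is handed to the next TA exactly as the previous one left it. */
static void run_ta(ta_entry ta, int scrub_on_exit) {
    ta(tee_mem, sizeof tee_mem);
    if (scrub_on_exit) {
        secure_zero(tee_mem, sizeof tee_mem);   /* the missing cleanup */
    }
}

/* --- A legitimate TA that handles key material --------------------------- */
static const char k_secret[] = "TopSecretKey123";   /* constructed sample key */

static void signing_ta(uint8_t *mem, size_t len) {
    (void)len;
    memcpy(mem, k_secret, sizeof k_secret);   /* key lives in working memory */
    /* ... signing operation would happen here ... */
    /* returns without clearing mem: the "insufficient cleanup" */
}

/* --- The attacker's validly signed TAs ----------------------------------- */
static uint8_t captured[TEE_MEM_SIZE];

/* Read direction: copy out whatever the loader handed us. */
static void reading_ta(uint8_t *mem, size_t len) {
    memcpy(captured, mem, len);
}

/* Write direction ("poisoning"): leave attacker-controlled bytes behind. */
static void poisoning_ta(uint8_t *mem, size_t len) {
    mem[0] = 1;                          /* forge an "initialized" marker */
    memset(mem + 1, 0x41, len - 1);      /* fake cached state */
}

/* A later victim TA that wrongly assumes fresh memory is zero-filled and
 * treats mem[0] != 0 as "my cached state is valid". */
static int trusted_poisoned_state;

static void cache_using_ta(uint8_t *mem, size_t len) {
    (void)len;
    trusted_poisoned_state = (mem[0] != 0);
}

/* Returns 1 if the reading TA recovered the signing TA's key. */
int leak_observed(int scrub_on_exit) {
    memset(captured, 0, sizeof captured);
    run_ta(signing_ta, scrub_on_exit);
    run_ta(reading_ta, scrub_on_exit);
    return memcmp(captured, k_secret, sizeof k_secret) == 0;
}

/* Returns 1 if the poisoning TA's bytes were trusted by the next TA. */
int poison_observed(int scrub_on_exit) {
    trusted_poisoned_state = 0;
    run_ta(poisoning_ta, scrub_on_exit);
    run_ta(cache_using_ta, scrub_on_exit);
    return trusted_poisoned_state;
}

int main(void) {
    printf("no scrub:   leak=%d poison=%d\n", leak_observed(0), poison_observed(0));
    printf("with scrub: leak=%d poison=%d\n", leak_observed(1), poison_observed(1));
    return 0;
}
```

The zeroization goes through a `volatile` pointer on purpose: a plain `memset` to memory the compiler believes is dead can be optimized away, which is the same "we thought we cleaned it" failure mode at the language level. The poisoning half also shows why a TA should never infer state from the contents of memory it did not write itself; with the scrub in place the victim sees zeros either way.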

References and Further Reading

- AMD Security Bulletin: AMD-SB-1021
- CVE-2021-26393 MITRE Entry
- Trusted Execution Environments (Wikipedia)
- AMD TEE Overview

Mitigation

Update Firmware and TEE Software:

AMD released fixed firmware for this vulnerability in several product lines. Check your device vendor’s support pages and AMD’s security bulletin for the firmware version that covers your product, and confirm the installed version after updating.

Segregate Sensitive Data:

Architect systems so that any single TA holds only the secrets it needs, and have your own TAs explicitly wipe key material before they return rather than relying on the environment's cleanup. A compromised signing key is the precondition for this attack, so also treat TA signing keys as top-tier secrets with tightly audited access.

Summary

CVE-2021-26393 shows that even highly trusted, hardware-backed security features can be undone by small oversights, such as failing to wipe memory between applications. For IT staff, security engineers, and developers using AMD Secure Processor features, it is a wake-up call: keep firmware updated, wipe secrets explicitly in your own code, and treat the TEE as a valuable but not infallible stronghold.

Timeline

Published on: 11/09/2022 21:15:00 UTC
Last modified on: 11/23/2022 14:01:00 UTC