Today, we will discuss a critical security vulnerability (CVE-2021-26393) found in the AMD Secure Processor (ASP) Trusted Execution Environment (TEE). We will walk through the exploit details, including code snippets and links to original references, and the implications of the vulnerability. Before we jump in, it's important to understand the context of this issue.

What is AMD Secure Processor (ASP)?

ASP is a hardware security measure designed to provide a trusted environment for secure computing. It is integrated into AMD processors and provides a secure environment to run trusted applications (TAs) with confidentiality and integrity.

What is the Trusted Execution Environment (TEE)?

TEE is a secure area within the ASP that executes trusted applications in a secure manner, keeping sensitive data isolated from the operating system and other applications.

Vulnerability Description

The vulnerability (CVE-2021-26393) stems from insufficient memory cleanup in the AMD Secure Processor (ASP) Trusted Execution Environment (TEE). An authenticated attacker with the necessary privileges could exploit this vulnerability to generate a valid signed TA (Trusted Application) and potentially poison the contents of the process memory with attacker-controlled data.

Exploitation could result in a loss of confidentiality, as the tainted process memory could lead to sensitive information leakage or malicious tampering.
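The bug class named above, insufficient memory cleanup, shown as an added C example that is not AMD firmware and not code from the advisory: a memory slot reused across sessions keeps the previous session's bytes unless it is scrubbed on release. The slot, the function names and the marker string are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE 64

/* Hypothetical model: one memory slot that a runtime hands to successive
 * sessions. Not AMD firmware; names and sizes are constructed. */
static uint8_t slot[SLOT_SIZE];
static int slot_in_use;

/* Hand the slot to a new session. Returns NULL if it is already taken. */
uint8_t *session_open(void) {
    if (slot_in_use) return NULL;
    slot_in_use = 1;
    return slot;
}

/* Weak release: marks the slot free but leaves the previous contents. */
void session_close_no_cleanup(void) {
    slot_in_use = 0;
}

/* Wipe through a volatile pointer so the compiler cannot drop the stores
 * as dead writes, which it may do with a plain memset before release. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Hardened release: scrub first, then mark the slot free. */
void session_close_scrubbed(void) {
    secure_wipe(slot, SLOT_SIZE);
    slot_in_use = 0;
}

/* Count bytes left over from the previous session that the next one sees. */
size_t residual_bytes(int scrub) {
    static const char marker[] = "constructed-marker-from-session-A";
    uint8_t *a = session_open();
    if (!a) return (size_t)-1;
    memcpy(a, marker, sizeof marker);          /* session A writes data */
    if (scrub) session_close_scrubbed(); else session_close_no_cleanup();

    uint8_t *b = session_open();               /* session B reuses slot */
    if (!b) return (size_t)-1;
    size_t n = 0;
    for (size_t i = 0; i < SLOT_SIZE; i++) if (b[i] != 0) n++;
    session_close_scrubbed();                  /* leave the model clean */
    return n;
}
```

Calling `residual_bytes(0)` reports the stale bytes the second session can read, while `residual_bytes(1)` reports none.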

Exploit Details

To exploit this vulnerability, an attacker would need to identify the vulnerable implementation in the targeted system and perform the following steps:

1. Identify and authenticate with the proper privileges to access the AMD Secure Processor (ASP) Trusted Execution Environment (TEE).

2. Create a valid signed TA (Trusted Application).

// Sample code to create a valid signed TA
trusty::TrustedApplication app("MyApp", "1.");
app.signWithPrivateKey(private_key);

3. Inject arbitrary data into process memory.

// Sample code to inject attacker-controlled data into process memory
void *poisonedData = ...; // Attacker-controlled data
unsigned long rawDataSize = ...; // Size of the data
void *targetMemory = ...; // Target memory location

memcpy(targetMemory, poisonedData, rawDataSize);

4. Exploit the insufficient memory cleanup vulnerability by poisoning the contents of the process memory, leading to a potential loss of confidentiality.

References

1. Original Vulnerability CVE-2021-26393
2. AMD Secure Processor Technology
3. AMD Trusted Execution Environment

Conclusion

As we have seen, the CVE-2021-26393 vulnerability affects the AMD Secure Processor (ASP) Trusted Execution Environment (TEE) due to insufficient memory cleanup. This vulnerability could have severe implications, as it may allow an authenticated attacker with the required privileges to inject arbitrary data into the ASP TEE process memory and gain access to sensitive information, compromising confidentiality.

To mitigate the vulnerability, it is highly recommended to update to the latest version of AMD firmware/drivers, which contain security patches to address this vulnerability. Additionally, always ensure that trusted applications are verified and signed with secure credentials.

Timeline

Published on: 11/09/2022 21:15:00 UTC
Last modified on: 11/23/2022 14:01:00 UTC