Vulnerabilities in AMD SEV Implementation Affecting AMD EPYC Processors

AMD has warned that two attack methods have been identified that can bypass the AMD SEV (Secure Encrypted Virtualization) security mechanism. The problem affects the first, second and third generations of AMD EPYC processors (based on the Zen 1 to Zen 3 microarchitectures), as well as embedded AMD EPYC processors.

AMD SEV provides hardware-level transparent encryption of virtual machine memory: only the guest system that owns the memory sees decrypted data, while other virtual machines and the hypervisor obtain only ciphertext when they access it. The identified issues allow an attacker with administrative rights on the server and control of the hypervisor to bypass the AMD SEV restrictions and execute their own code in the context of protected virtual machines.

Issues identified:

  • CVE-2021-26311 (undeSErVed attack) - by manipulating the order of memory blocks in the guest system's address space, an attacker who controls the hypervisor can execute their own code in the guest virtual machine despite the use of AMD SEV/SEV-ES protection. The researchers have prepared a prototype of a universal exploit that rearranges blocks of the loaded UEFI code and uses return-oriented programming (ROP) techniques to achieve arbitrary code execution.
  • CVE-2020-12967 (SEVerity attack) - the lack of proper protection of the nested memory page tables in AMD SEV/SEV-ES allows an attacker with access to the hypervisor to inject code into the guest system kernel and transfer control to it. The method gives full control over the protected guest system and allows confidential data to be extracted from it.

To counter the proposed attack methods, AMD has prepared the SEV-SNP (Secure Nested Paging) extension, available as a firmware update for third-generation AMD EPYC processors, which secures operation with nested memory page tables. In addition to general memory encryption and the SEV-ES (Encrypted State) extension that protects CPU registers, SEV-SNP adds memory integrity protection that withstands attacks from the hypervisor and offers additional protection against side-channel attacks.
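As an added illustration (not from the original article or from AMD), the following toy Python model shows the common weakness behind both attacks above, a hypervisor rewriting the nested page table that maps guest-physical to host-physical pages, and why the integrity check SEV-SNP adds through its Reverse Map Table (RMP) defeats it. The data structures, page addresses and validation rule are simplified assumptions; real SNP hardware performs the RMP check during the nested page walk.

```python
from dataclasses import dataclass

@dataclass
class RmpEntry:
    asid: int        # guest (ASID) that owns this host page
    gpa: int         # guest-physical address the page was validated for
    validated: bool  # guest has accepted the mapping (PVALIDATE)

class Platform:
    def __init__(self, snp: bool):
        self.snp = snp
        self.npt = {}  # nested page table: gPA -> hPA, written by the hypervisor
        self.rmp = {}  # RMP: hPA -> RmpEntry, not writable by the hypervisor
        self.mem = {}  # hPA -> page contents (ciphertext on real hardware)

    def assign_page(self, asid, gpa, hpa, content):
        """Hypervisor maps gpa -> hpa; under SNP the guest then validates it."""
        self.npt[gpa] = hpa
        self.mem[hpa] = content
        if self.snp:
            self.rmp[hpa] = RmpEntry(asid, gpa, validated=True)

    def hypervisor_swap(self, gpa_a, gpa_b):
        """A malicious hypervisor swaps two NPT entries; the RMP is untouched."""
        self.npt[gpa_a], self.npt[gpa_b] = self.npt[gpa_b], self.npt[gpa_a]

    def guest_read(self, asid, gpa):
        """Hardware page walk: under SNP the RMP entry must match the access."""
        hpa = self.npt[gpa]
        if self.snp:
            e = self.rmp.get(hpa)
            if e is None or not e.validated or e.asid != asid or e.gpa != gpa:
                # Real hardware raises a nested page fault the hypervisor cannot clear.
                raise PermissionError(f"RMP check failed: gPA {gpa:#x} -> hPA {hpa:#x}")
        return self.mem[hpa]

def guest_observes(snp: bool):
    """What the guest sees at gPA 0x1000 after two of its pages are swapped."""
    p = Platform(snp)
    p.assign_page(asid=1, gpa=0x1000, hpa=0xA000, content=b"GUEST_KERNEL_CODE")
    p.assign_page(asid=1, gpa=0x2000, hpa=0xB000, content=b"OTHER_GUEST_PAGE")
    p.hypervisor_swap(0x1000, 0x2000)  # the remapping step both attacks rely on
    try:
        return p.guest_read(asid=1, gpa=0x1000)
    except PermissionError:
        return "RMP_FAULT"

if __name__ == "__main__":
    print("SEV/SEV-ES:", guest_observes(snp=False))  # guest runs the wrong page
    print("SEV-SNP:   ", guest_observes(snp=True))   # remap detected
```

Without SNP the guest silently executes whatever the hypervisor mapped at its kernel address; with SNP the stale gPA recorded in the RMP turns the remap into a fault instead of code execution.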

Source: opennet.ru