Two flaws could allow bypassing AMD SEV protection system

The chipmaker AMD published guidance for two new attacks against its SEV (Secure Encrypted Virtualization) protection technology.

Chipmaker AMD has issued guidance for two attacks (CVE-2020-12967, CVE-2021-26311) that allow bypassing the SEV (Secure Encrypted Virtualization) technology implemented to prevent rogue operating systems on virtual machines.

The chipmaker is aware of two research papers, respectively titled “SEVerity: Code Injection Attacks against Encrypted Virtual Machines” and “undeSErVed trust: Exploiting Permutation-Agnostic Remote Attestation,” related to the two attacks above. The findings about the two attacks will be presented by two research teams at this year’s 15th IEEE Workshop on Offensive Technologies (WOOT’21).

AMD Secure Encrypted Virtualization (SEV) isolates virtual machines and the hypervisor, but the two attacks can allow threat actors to inject arbitrary code into the virtual machine even if the protection mechanism is in place.

The first flaw, tracked as CVE-2020-12967, is caused by the lack of nested page table protection in the AMD SEV/SEV-ES feature which could potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor.

The second vulnerability, tracked as CVE-2021-26311, resides in the AMD SEV/SEV-ES feature. According to the security advisory, the memory can be rearranged in the guest address space that is not detected by the attestation mechanism which could be used by a malicious hypervisor to potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor.

The vulnerabilities impact all AMD EPYC processors, 1^st/2^nd/3^rd Gen AMD EPYC™ Processors and AMD EPYC™ Embedded Processors.

The vendor has provided mitigation in the SEV-SNP feature which is available for enablement in 3^rd Gen AMD EPYC™ processors. Customers could mitigate the attacks by enabling SEV-SNP, which is only supported on 3rd Gen AMD EPYC™.

Customers using prior generations of EPYC processors, which do not support SEV-SNP, should follow security best practices.

The vendor published the following acknowledgement:

CVE-2020-12967: Mathias Morbitzer, Martin Radev and Erick Quintanar Salas from Fraunhofer AISEC and Sergej Proskurin and Marko Dorfhuber from Technical University of Munich
CVE-2021-26311: Luca Wilke, Jan Wichelmann, Florian Sieck and Thomas Eisenbarth from University of Lübeck

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, AMD)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.