AMD Secure Encrypted Virtualization
Bulletin ID: AMD-SB-1004
Potential Impact: Arbitrary Code Execution
Severity: Medium
Summary
AMD is aware of 2 research papers related to AMD’s Secure Encrypted Virtualization (SEV) which will be presented at this year’s 15th IEEE Workshop on Offensive Technologies (WOOT’21).
In the paper titled “SEVerity: Code Injection Attacks against Encrypted Virtual Machines,” researchers from Fraunhofer AISEC, in partnership with Technical University of Munich, make use of previously discussed research around the lack of nested page table protection in the SEV/SEV-ES feature which could potentially lead to arbitrary code execution within the guest.
In the paper titled “undeSErVed trust: Exploiting Permutation-Agnostic Remote Attestation,” researchers from University of Lubeck demonstrate that in the SEV/SEV-ES feature, memory can be rearranged in the guest address space that is not detected by the attestation mechanism which could be used by a malicious hypervisor to potentially lead to arbitrary code execution within the guest.
The exploits mentioned in both papers require a malicious administrator to have access in order to compromise the server hypervisor.
CVE Details
See Above
Affected Products
1st/2nd/3rd Gen AMD EPYC™ Processors
AMD EPYC™ Embedded Processors
Mitigation
AMD has provided mitigation in the SEV-SNP feature which is available for enablement in 3rd Gen AMD EPYC™ processors.
The mitigation requires the use of SEV-SNP, which is only supported on 3rd Gen AMD EPYC™.
Prior generations of AMD EPYC™ do not support SEV-SNP. For earlier AMD EPYC™ products, AMD recommends following security best practices.
For additional information on SEV-SNP and SEV/SEV-ES please refer to our white paper in the References Section of this document.
Acknowledgement
AMD thanks the following for reporting these issues and engaging in coordinated vulnerability disclosure.
- CVE-2020-12967: Mathias Morbitzer, Martin Radev and Erick Quintanar Salas from Fraunhofer AISEC and Sergej Proskurin and Marko Dorfhuber from Technical University of Munich
- CVE-2021-26311: Luca Wilke, Jan Wichelmann, Florian Sieck and Thomas Eisenbarth from University of Lübeck
References
Revisions
Revision Date |
Description |
11 May 2021 |
Initial publication |
DISCLAIMER
The information contained herein is for informational purposes only and is subject to change without notice. While every precaution has been taken in the preparation of this document, it may contain technical inaccuracies, omissions and typographical errors, and AMD is under no obligation to update or otherwise correct this information. Advanced Micro Devices, Inc. makes no representations or warranties with respect to the accuracy or completeness of the contents of this document, and assumes no liability of any kind, including the implied warranties of noninfringement, merchantability or fitness for particular purposes, with respect to the operation or use of AMD hardware, software or other products described herein. Any computer system has risks of security vulnerabilities that cannot be completely prevented or mitigated. No license, including implied or arising by estoppel, to any intellectual property rights is granted by this document. Terms and limitations applicable to the purchase or use of AMD’s products are as set forth in a signed agreement between the parties or in AMD's Standard Terms and Conditions of Sale.
AMD, the AMD Arrow logo, and combinations thereof are trademarks of Advanced Micro Devices, Inc. Other product names used in this publication are for identification purposes only and may be trademarks of their respective companies.
© 2021 Advanced Micro Devices, Inc. All rights reserved.