idw – Informationsdienst Wissenschaft
Nachrichten, Termine, Experten
Nachrichten, Termine, Experten
CISPA researcher Ruiyi Zhang and colleagues have discovered a new security flaw that can threaten the integrity of Confidential Virtual Machines (CVMs) running on AMD CPUs from the Zen-1 through Zen-5 generations. SEV (Secure Encrypted Virtualization)—the technology that encrypts the memory of protected VMs and is intended to protect them from the cloud operator—can be bypassed without reading the VM’s plaintext memory. The attack developed by the researchers, called StackWarp, instead targets a microarchitectural optimization responsible for accelerating stack operations.
Please respect the Embargo until January 15th AT 7 P.M. CET
“The vulnerability can be exploited via a previously undocumented control bit on the hypervisor side. An attacker running a hyperthread in parallel with the target VM can use this to manipulate the position of the stack pointer inside the protected VM,” explains Ruiyi Zhang. According to the researcher, this enables redirection of program flow or tampering with sensitive data. “We were able to show that attacks can be carried out this way that require no access to plaintext data.”
Demonstrated Impact in Practice
Proven attack scenarios include reconstructing an RSA-2048 private key from incorrectly generated signatures, bypassing OpenSSH password authentication, circumventing sudo’s password prompt, and attaining kernel-mode code execution inside the VM. These results show that the execution integrity of CVMs—exactly the protection SEV-SNP is intended to provide—can be practically undermined. Specifically, this means that manipulated signing operations could allow attackers to reconstruct a supposedly secret RSA private key and thereby forge identities or decrypt encrypted data. The OpenSSH flaw permits login without a correct password. Another exploit allows skipping sudo’s password prompt, enabling attackers to run privileged administrative commands. Finally, an attack can enable execution of attacker-controlled code in the VM’s kernel mode—the area with the highest system privileges. These findings demonstrate that CVM execution integrity—the very defense SEV-SNP aims to offer—can be effectively broken: Confidential keys and passwords can be stolen, attackers can impersonate legitimate users or gain persistent control of the system, and isolation between guest VMs and the host or other VMs can no longer be relied upon.
Operational Guidance for Operators
“For operators of SEV-SNP hosts there are concrete steps to take: First, check whether hyperthreading is enabled on the affected systems. If it is, plan a temporary disablement for CVMs that have particularly high integrity requirements,” Zhang says. At the same time, any available microcode and firmware updates from the hardware vendors should be installed. StackWarp is another example of how subtle microarchitectural effects can undermine system-level security guarantees.
Responsible Disclosure and Release
The researchers responsibly reported their findings to AMD; AMD has acknowledged receipt and will assign a CVE number. Proof-of-concept code and measurement scripts will be provided at the time of publication in accordance with the agreement. According to AMD, hot-loadable microcode patches have already been released to their customers.
CISPA researchers discovered a new vulnerability in Some AMD-Protected Cloud VMs: StackWarp targets ...
Quelle: Chiara Schwarz
Copyright: CISPA
Merkmale dieser Pressemitteilung:
Journalisten
Informationstechnik
überregional
Forschungsergebnisse
Englisch
CISPA researchers discovered a new vulnerability in Some AMD-Protected Cloud VMs: StackWarp targets ...
Quelle: Chiara Schwarz
Copyright: CISPA
Sie können Suchbegriffe mit und, oder und / oder nicht verknüpfen, z. B. Philo nicht logie.
Verknüpfungen können Sie mit Klammern voneinander trennen, z. B. (Philo nicht logie) oder (Psycho und logie).
Zusammenhängende Worte werden als Wortgruppe gesucht, wenn Sie sie in Anführungsstriche setzen, z. B. „Bundesrepublik Deutschland“.
Die Erweiterte Suche können Sie auch nutzen, ohne Suchbegriffe einzugeben. Sie orientiert sich dann an den Kriterien, die Sie ausgewählt haben (z. B. nach dem Land oder dem Sachgebiet).
Haben Sie in einer Kategorie kein Kriterium ausgewählt, wird die gesamte Kategorie durchsucht (z.B. alle Sachgebiete oder alle Länder).
