idw – Informationsdienst Wissenschaft
Nachrichten, Termine, Experten
Nachrichten, Termine, Experten
CISPA researcher Ruiyi Zhang and colleagues have discovered a new security flaw that can threaten the integrity of Confidential Virtual Machines (CVMs) running on AMD CPUs from the Zen-1 through Zen-5 generations. SEV (Secure Encrypted Virtualization)—the technology that encrypts the memory of protected VMs and is intended to protect them from the cloud operator—can be bypassed without reading the VM’s plaintext memory. The attack developed by the researchers, called StackWarp, instead targets a microarchitectural optimization responsible for accelerating stack operations.
Please respect the Embargo until January 15th AT 7 P.M. CET
“The vulnerability can be exploited via a previously undocumented control bit on the hypervisor side. An attacker running a hyperthread in parallel with the target VM can use this to manipulate the position of the stack pointer inside the protected VM,” explains Ruiyi Zhang. According to the researcher, this enables redirection of program flow or tampering with sensitive data. “We were able to show that attacks can be carried out this way that require no access to plaintext data.”
Demonstrated Impact in Practice
Proven attack scenarios include reconstructing an RSA-2048 private key from incorrectly generated signatures, bypassing OpenSSH password authentication, circumventing sudo’s password prompt, and attaining kernel-mode code execution inside the VM. These results show that the execution integrity of CVMs—exactly the protection SEV-SNP is intended to provide—can be practically undermined. Specifically, this means that manipulated signing operations could allow attackers to reconstruct a supposedly secret RSA private key and thereby forge identities or decrypt encrypted data. The OpenSSH flaw permits login without a correct password. Another exploit allows skipping sudo’s password prompt, enabling attackers to run privileged administrative commands. Finally, an attack can enable execution of attacker-controlled code in the VM’s kernel mode—the area with the highest system privileges. These findings demonstrate that CVM execution integrity—the very defense SEV-SNP aims to offer—can be effectively broken: Confidential keys and passwords can be stolen, attackers can impersonate legitimate users or gain persistent control of the system, and isolation between guest VMs and the host or other VMs can no longer be relied upon.
Operational Guidance for Operators
“For operators of SEV-SNP hosts there are concrete steps to take: First, check whether hyperthreading is enabled on the affected systems. If it is, plan a temporary disablement for CVMs that have particularly high integrity requirements,” Zhang says. At the same time, any available microcode and firmware updates from the hardware vendors should be installed. StackWarp is another example of how subtle microarchitectural effects can undermine system-level security guarantees.
Responsible Disclosure and Release
The researchers responsibly reported their findings to AMD; AMD has acknowledged receipt and will assign a CVE number. Proof-of-concept code and measurement scripts will be provided at the time of publication in accordance with the agreement. According to AMD, hot-loadable microcode patches have already been released to their customers.
CISPA researchers discovered a new vulnerability in Some AMD-Protected Cloud VMs: StackWarp targets ...
Source: Chiara Schwarz
Copyright: CISPA
Criteria of this press release:
Journalists
Information technology
transregional, national
Research results
English
CISPA researchers discovered a new vulnerability in Some AMD-Protected Cloud VMs: StackWarp targets ...
Source: Chiara Schwarz
Copyright: CISPA
You can combine search terms with and, or and/or not, e.g. Philo not logy.
You can use brackets to separate combinations from each other, e.g. (Philo not logy) or (Psycho and logy).
Coherent groups of words will be located as complete phrases if you put them into quotation marks, e.g. “Federal Republic of Germany”.
You can also use the advanced search without entering search terms. It will then follow the criteria you have selected (e.g. country or subject area).
If you have not selected any criteria in a given category, the entire category will be searched (e.g. all subject areas or all countries).
