First Last Prev Next    This bug is not in your last search results.
Bug 1186200 - (CVE-2020-12967) VUL-1: CVE-2020-12967: AMD SEV: The lack of nested page table protection in the AMD SEV/SEV-ES feature could potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor
(CVE-2020-12967)
VUL-1: CVE-2020-12967: AMD SEV: The lack of nested page table protection in t...
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Minor
: ---
Assigned To: Kernel Bugs
Security Team bot
https://smash.suse.de/issue/284242/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-05-18 12:15 UTC by Marcus Meissner
Modified: 2021-05-18 13:01 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2021-05-18 12:15:16 UTC 
CVE-2020-12967

The lack of nested page table protection in the AMD SEV/SEV-ES feature could
potentially lead to arbitrary code execution within the guest VM if a malicious
administrator has access to compromise the server hypervisor.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12967
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12967
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1004
Comment 1 Marcus Meissner 2021-05-18 12:16:00 UTC 
Summary

AMD is aware of 2 research papers related to AMD’s Secure Encrypted Virtualization (SEV) which will be presented at this year’s 15th IEEE Workshop on Offensive Technologies (WOOT’21).

In the paper titled “SEVerity:  Code Injection Attacks against Encrypted Virtual Machines,” researchers from Fraunhofer AISEC, in partnership with Technical University of Munich, make use of previously discussed research around the lack of nested page table protection in the SEV/SEV-ES feature which could potentially lead to arbitrary code execution within the guest. 

In the paper titled “undeSErVed trust: Exploiting Permutation-Agnostic Remote Attestation,” researchers from University of Lubeck demonstrate that in the SEV/SEV-ES feature, memory can be rearranged in the guest address space that is not detected by the attestation mechanism which could be used by a malicious hypervisor to potentially lead to arbitrary code execution within the guest. 

The exploits mentioned in both papers require a malicious administrator to have access in order to compromise the server hypervisor.
Affected Products

1st/2nd/3rd Gen AMD EPYC™ Processors

AMD EPYC™ Embedded Processors
Mitigation

 AMD has provided mitigation in the SEV-SNP feature which is available for enablement in 3rd Gen AMD EPYC™ processors.   

The mitigation requires the use of SEV-SNP, which is only supported on 3rd Gen AMD EPYC™.  

Prior generations of AMD EPYC™ do not support SEV-SNP.  For earlier AMD EPYC™ products, AMD recommends following security best practices. 

For additional information on SEV-SNP and SEV/SEV-ES please refer to our white paper in the References Section of this document. 
Acknowledgement

AMD thanks the following for reporting these issues and engaging in coordinated vulnerability disclosure.

    CVE-2020-12967:  Mathias Morbitzer, Martin Radev and Erick Quintanar Salas from Fraunhofer AISEC and Sergej Proskurin and Marko Dorfhuber from Technical University of Munich
Comment 3 Marcus Meissner 2021-05-18 13:01:35 UTC 
closing on our side, as we cannot do much.
First Last Prev Next    This bug is not in your last search results.