April 8, 2024 at 09:54AM
Researchers from ETH Zurich have unveiled new attack techniques called Ahoi attacks, targeting hardware-based trusted execution environments in cloud platforms using AMD’s SEV-SNP and Intel’s TDX technologies. The attacks allow malicious hypervisors to compromise confidential virtual machines and gain root access. The researchers have notified relevant companies, and relevant patches and mitigations have been made available.
The meeting notes specify that a team of researchers from ETH Zurich has revealed details about a new type of attack that threatens the security of confidential virtual machines (CVMs). The attack involves a malicious hypervisor injecting interrupts to compromise the integrity and confidentiality of CVMs, specifically targeting hardware-based trusted execution environments.
The attack pertains to AMD’s Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) and Intel’s Trust Domain Extensions (TDX) technologies used in cloud platforms. Both technologies aim to protect VMs from other cloud tenants and service providers, but the researchers were able to bypass authentication and gain root access to targeted CVMs using malicious hypervisors.
Upon discovering the vulnerability, the researchers notified Intel, AMD, AWS, Microsoft, and Google before publicly disclosing their findings. AMD has identified the Linux kernel implementation of SEV-SNP as the source of the vulnerability, and patches and mitigations are available. Additionally, AMD stated that it provides hardware security features that would prevent such attacks, although Linux does not currently support them.
Regarding cloud vendors, Microsoft’s Azure claims not to be affected, while AWS announced that its EC2 services do not rely on the affected technologies. However, Amazon Linux is confirmed to be impacted, and AWS plans to address the kernel issues in a future release. Google has not provided information about the impact on its cloud services.
Furthermore, a second type of Ahoi attack, “WeSee,” only works against AMD SEV-SNP, enabling the extraction of sensitive VM information and the manipulation of kernel data.
Lastly, the CVE identifiers CVE-2024-25744, CVE-2024-25743, and CVE-2024-25742 have been assigned to the issues related to Ahoi attacks.