AMD's Secure Encrypted Virtualization (SEV) defeated

[keja]

More bad news in the CPU department, as a hardware-feature on AMDs Epyc CPUs that are responsible for encrypting the data in VMs have been defeated by a german team.

I dont know the extent of this, as im not sure how many actually use Epyc in production VS how many uses Xeon.

 

Source https://thehackernews.com/2018/05/amd-sev-encryption.html

Quote

German security researchers claim to have found a new practical attack against virtual machines (VMs) protected using AMD's Secure Encrypted Virtualization (SEV) technology that could allow attackers to recover plaintext memory data from guest VMs.

 

Quote

During their tests, the team was able to extract a test server's entire 2GB memory data, which also included data from another guest VM.

In their experimental setup, the researchers used a with the Linux-based system powered by an AMD Epyc 7251 processor with SEV enabled, running web services—the Apache and Nginx web servers—as well as an SSH server, OpenSSH web server in separate VMs.

 

Im a bit tired of all the bad CPU news.

[Ezzy-525]

I suppose it's good that they've found the vulnerability and now AMD can fix it hopefully.

[Morgan MLGman]

RIP.
This is seriously bad and I hope that it's possible to fix that through some kind of a firmware/software update (without a performance loss unlike the other company...).

I suppose that we need to wait for an official statement from AMD.

[Starelementpoke]

Tis is not what I needed to see when I woke up this morning.

[WereCatf]

As far as I understand, this is a pretty minor issue as it will only affect people and companies running VMs and even then it only degrades the security to the same level as any other setup without SEV. Considering that Epyc hasn't been out for that long yet and most companies therefore aren't making use of SEV yet and yet they are running VMs just fine... well, the practical impact just isn't really much worth mentioning. Financially this does hurt AMD to some extent, because it makes Epycs less attractive unless AMD can fix the vulnerability, but even then it's not like Epycs are useless or anything, it's just one feature of them that companies can't count on (for now).

[ScratchCat]

1970-2017 : Very few CPU vulnerabilities, it is an event if one if found.

2018: Researchers start releasing them in batches of 3-12. Reaction reduced to " Another one?"

 

[anotherriddle]

2 minutes ago, WereCatf said:

This is a pretty minor issue as it will only affect people and companies running VMs and even then it only degrades the security to the same level as any other setup without SEV. Considering that Epyc hasn't been out for that long yet and most companies therefore aren't making use of SEV yet and yet they are running VMs just fine... well, the practical impact just isn't really much worth mentioning. Financially this does hurt AMD to some extent, because it makes Epycs less attractive unless AMD can fix the vulnerability, but even then it's not like Epycs are useless or anything, it's just one feature of them that companies can't count on (for now).

I agree mostly with your statement, ... but

can we please stop all those comments (regarding Intel and AMD) that something is only a minor issue when a problem only affects virtualisation.

 

Almost everything to do with cloud, distributed compute services, webservers and services, some remote storage solutions, use virtualisation to some extend. This is a huge part of the industry. Some comments regarding Spectre and Meltdown read like "well, I am not running VMs, I am clear -> this is not a problem". Everybody that uses websites and online services is affected by these problems by extension.

 

Sorry, I am just a bit frustrated by this.

[WereCatf]

3 minutes ago, anotherriddle said:

I agree mostly with your statement, ... but

can we please stop all those comments (regarding Intel and AMD) that something is only a minor issue when a problem only affects virtualisation.

 

Almost everything to do with cloud, distributed compute services, webservers and services, some remote storage solutions, use virtualisation to some extend. This is a huge part of the industry. Some comments regarding Spectre and Meltdown read like "well, I am not running VMs, I am clear -> this is not a problem". Everybody that uses websites and online services is affected by these problems by extension.

 

Sorry, I am just a bit frustrated by this.

But I explained why I don't see this as a big issue. I never said anything about myself, I specifically said that disabling SEV would only drop VM-security to the level it already was without it and considering how many companies are even at this very moment running just such setups, I just cannot fathom how it could be a major issue.

 

PS. I actually run VMs myself all the time.

[Tech_Dreamer]

Hope they can patch it up soon .

[anotherriddle]

1 minute ago, WereCatf said:

But I explained why I don't see this as a big issue. I never said anything about myself, I specifically said that disabling SEV would only drop VM-security to the level it already was without it and considering how many companies are even at this very moment running just such setups, I just cannot fathom how it could be a major issue.

This is why I said I agree mostly with your statement.

I have a problem with the first bit

21 minutes ago, WereCatf said:

As far as I understand, this is a pretty minor issue as it will only affect people and companies running VMs and even then ...

This makes it sound like VMs and virtualisation is not used a lot in the in the industry and (for me) by extension downplays any other potential vulnerabilities regarding VMs too.

[laminutederire]

10 minutes ago, anotherriddle said:

I agree mostly with your statement, ... but

can we please stop all those comments (regarding Intel and AMD) that something is only a minor issue when a problem only affects virtualisation.

 

Almost everything to do with cloud, distributed compute services, webservers and services, some remote storage solutions, use virtualisation to some extend. This is a huge part of the industry. Some comments regarding Spectre and Meltdown read like "well, I am not running VMs, I am clear -> this is not a problem". Everybody that uses websites and online services is affected by these problems by extension.

 

Sorry, I am just a bit frustrated by this.

The minor part has more to do withthe fact that it seems you need to have control over the hypervisor to get data, when most cloud based etc the most important is to prevent guests from looking at other guests since guests can be anyone, while this requires the company itself to be compromised which the leatmst important of the two.

[WereCatf]

1 minute ago, anotherriddle said:

This makes it sound like VMs and virtualisation is not used a lot in the in the industry and (for me) by extension downplays any other potential vulnerabilities regarding VMs too.

That's not what I meant, I wrote it that way mostly so that all the pundits over here won't panic and get their knickers in a twist over this. I know full well how important VMs are in the grand scheme of things, but I would hazard a guess that most people frequenting the LTT-forums aren't providing VM-services for other people, running honeypots or researching random malware-packages/viruses in VMs.

[anotherriddle]

1 minute ago, laminutederire said:

The minor part has more to do withthe fact that it seems you need to have control over the hypervisor to get data, when most cloud based etc the most important is to prevent guests from looking at other guests since guests can be anyone, while this requires the company itself to be compromised which the leatmst important of the two.

I agree. It was just the first sentence that got me a bit frustrated, but it probably didn't warrant my frustrated, rambling reply.

[anotherriddle]

5 minutes ago, WereCatf said:

That's not what I meant, I wrote it that way mostly so that all the pundits over here won't panic and get their knickers in a twist over this. I know full well how important VMs are in the grand scheme of things, but I would hazard a guess that most people frequenting the LTT-forums aren't providing VM-services for other people, running honeypots or researching random malware-packages/viruses in VMs.

Yeah, you are right and it makes sense to calm people down after all these security vulnerabilities when this one is not an immediate problem*. I just don't want people to disregard every problem with virtualisation outright because they got the impression it is not used in the industry.

[SpaceGhostC2C]

1 hour ago, Morgan MLGman said:

This is seriously bad and I hope that it's possible to fix that through some kind of a firmware/software update

Or alternatively that it is hard enough to exploit...

40 minutes ago, WereCatf said:

As far as I understand, this is a pretty minor issue as it will only affect people and companies running VMs

 

Well, it's not like people will buy Epyc CPUs to play Minecraft...  

 

40 minutes ago, WereCatf said:

and even then it only degrades the security to the same level as any other setup without SEV. Considering that Epyc hasn't been out for that long yet and most companies therefore aren't making use of SEV yet and yet they are running VMs just fine...

That is a much more sensible qualifier. 

 

40 minutes ago, WereCatf said:

, the practical impact just isn't really much worth mentioning. Financially this does hurt AMD to some extent, because it makes Epycs less attractive unless AMD can fix the vulnerability, but even then it's not like Epycs are useless or anything, it's just one feature of them that companies can't count on (for now).

Coupled with its low installed based, I think that's the largest impact of this news.

 

9 minutes ago, WereCatf said:

That's not what I meant, I wrote it that way mostly so that all the pundits over here won't panic and get their knickers in a twist over this. I know full well how important VMs are in the grand scheme of things, but I would hazard a guess that most people frequenting the LTT-forums aren't providing VM-services for other people, running honeypots or researching random malware-packages/viruses in VMs.

True, but they are also not using Epyc for the same reason  

[leadeater]

Quote

allowing a malicious hypervisor to extract the full content of the main memory in plaintext from SEV-encrypted VMs

Bad, but how many people are actually running "malicious hypervisors". Have to wonder first of all, other than a dodgy hosting company, how an attacker would get a hypervisor on a system without anyone noticing. If you're going with a back ally "I've got a deal for you" hosting company you probably have bigger problems.

 

Bit of a credibility knock for AMD though, SEV was supposed to be an actual feature they could leverage to get cloud hosters to move over from Intel as there isn't really a fully equivalent solution from Intel for SEV.

[laminutederire]

8 minutes ago, anotherriddle said:

Yeah, you are right and it makes sense to calm people down after all these security vulnerabilities when this one is not an immediate problem*. I just don't want people to disregard every problem with virtualisation outright because they got the impression it is not used in the industry.

What really pisses me off is how the security researchers are disclosing security vulnerabilities nowadays. It just look like they want attention so they publish things without giving motive to companies beforehand. That leads to a media fuss around their research, but it also looks like they make a big deal over not that much. In the end it just seem like researchers are trying to bash on AMD as much as possible because God forbids they gain actual marketshares because their products deserve it...

[leadeater]

19 minutes ago, huilun02 said:

Does this one vulnerability magically make all of AMD's products worse than the 99+ Intel CPU vulnerabilities?

I need to know because almost everyone and their dog is running an Epyc powered VM server these days.

EPYC? I haven't actually seen that many at all, only recently did there get real offerings from the "big" server names for the main product lines.

 

As for this I think it's really important to point out this does not allow a VM on the host to read any other VM's ram, it can only read it's own. The attack concept they are showing is dumping the full memory content of a target VM remotely that is running on a modified KVM host. SEV VM encryption is still in effect and protects VMs from each other, to remotely dump the memory of a victim VM it must have a public service running like a web server.

 

So in short even with this security flaw the end result is a slight step higher than an Intel Xeon, unless you are doing VM encryption another way which there are solutions for.

 

Edit:

Also the research paper itself does not seem to be a hit job, the reporting on it, honestly not looked at many articles.

[Trixanity]

From my understanding, this is a non-issue in 99.999999% of cases.

It apparently requires physical access to begin with and then to either intentionally or inadvertently put a compromised hypervisor on the machine. How many organisations have a rogue IT department or pull their software from torrents or other unknown sources? There would have to be multiple failures involved to accomplish this.

 

As good as it is to get all these issues fixed, I once again have to question the motives? Why not just say that this is a hypothetical attack instead of hinting it's a real threat?

[Fetzie]

1 hour ago, ScratchCat said:

1970-2017 : Very few CPU vulnerabilities, it is an event if one if found.

2018: Researchers start releasing them in batches of 3-12. Reaction reduced to " Another one?"

 

Nah, they've been turning up regularly but nobody outside of a small group of people cared enough to publicly talk about them.

[captain_to_fire]

Is this related to the vulnerabilities published by the smear campaign CTS labs? 

[leadeater]

Just now, captain_to_fire said:

CTS labs? 

FFS I had just managed to forget their name completely now you reminded me. Now it'll take me another 1-2 months to do it again .

[ScratchCat]

10 minutes ago, captain_to_fire said:

Is this related to the vulnerabilities published by the smear campaign CTS labs? 

No, thankfully. If they had the article would be swarming with recommendations to throw all AMD products into the nearest incinerator.

10 minutes ago, Fetzie said:

Nah, they've been turning up regularly but nobody outside of a small group of people cared enough to publicly talk about them.

The names are rather entertaining (Not all CPU bugs)

[captain_to_fire]

 

54 minutes ago, leadeater said:

FFS I had just managed to forget their name completely now you reminded me. Now it'll take me another 1-2 months to do it again .

Gamers Nexus however doesn't find it funny.

 

The goal here is to research whether the hysterical whitepapers -- hysterical as in “crazy,” not “funny” -- have any weight to them, and where these previously unknown companies come from.

 

But as long as security researchers will continue to poke holes in AMD processors, "CTS labs" will never be forgotten. 

 

Edited May 29, 2018 by captain_to_fire

[TechyBen]

22 minutes ago, ScratchCat said:

No, thankfully. If they had the article would be swarming with recommendations to throw all AMD products into the nearest incinerator.

The names are rather entertaining (Not all CPU bugs)

The "Computer on fire" at least returns the right error code:

 

https://en.wikipedia.org/wiki/Lp0_on_fire

 

(Should have actually been made/used because the old printers could overheat/clog and catch fire!!! But AFAIK was never implemented)