Ahoi Attacks

Father

ETH Zurich researchers have revealed the technical details of a new type of attack called Ahoi Attacks, which can be used to compromise CVM VMs.

Ahoi includes two variants, the Heckler and WeSee attacks, which target AMD SEV-SNP and Intel TDX and use malicious interrupts to hack the CVM. They have been assigned CVE-2024-25744, CVE-2024-25743, and CVE-2024-25742.

One of them, Heckler, supports a malicious hypervisor that implements interrupts to change data and control flow, violating the integrity and confidentiality of the CVM.

The attack targets hardware trusted execution environments, in particular those that rely on AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) and Intel Trust Domain Extensions (TDX) technologies used in cloud platforms.

AMD SEV-SNP and Intel TDX enable users to deploy and run virtual machines in the cloud, while protecting them from other cloud users and the service provider, including hypervisor hardware and software.

However, hypervisors still control some resource management and configuration tasks, including interrupts, and ETH Zurich researchers managed to use some interrupts to perform potentially malicious actions.

In the case of the AMD and Intel technologies, the researchers used malicious hypervisors to bypass authentication and gain root access to the target CVM.

In the second type of Ahoi attack, called WeSee, which only works against AMD SEV-SNP, researchers were able to use a special interrupt to obtain confidential information (including the kernel's TLS session keys), corrupt kernel data to disable firewall rules and access the root shell.

Before publicly releasing their findings, the researchers notified Intel, AMD, AWS, Microsoft, and Google.

AMD rolled out a message about this, believing that, in its opinion, the vulnerability is related to the implementation of SEV-SNP in the Linux kernel.

In addition, AMD said it implements hardware security features to prevent such attacks, but these features are not currently supported on Linux.

Intel has not yet provided a recommendation, but researchers said the company came to the same conclusion as AMD.

Linux kernel fixes and troubleshooting tools are currently available.

As for cloud service providers, Microsoft Azure said the issue will not be affected in any way. AWS stated that EC2 does not rely on the affected technologies. At the same time, it confirmed that Amazon Linux is vulnerable, and plans to fix problems with the kernel in a future release.

Google also did not provide any information about whether its cloud services were affected.