CVE-2024-25742: Untrusted Hypervisor Vulnerability in the Linux Kernel Prior to Version 6.9 Affecting AMD SEV-SNP and AMD SEV-ES
An interesting vulnerability affecting the Linux kernel prior to version 6.9 has gained much attention recently. This vulnerability, known as CVE-2024-25742, allows an untrusted hypervisor to inject a virtual interrupt 29 (#VC) and trigger its respective handler. It is particularly concerning because it impacts users of AMD's Secure Encrypted Virtualization Secure Nested Paging (SEV-SNP) as well as Secure Encrypted Virtualization Encrypted State (SEV-ES) features.
In this article, we'll explore the details of this vulnerability, including the affected environments, possible exploitation scenarios, and remedies. We will also take a look at code snippets demonstrating the vulnerability in action.
Vulnerability Details
AMD's SEV features have been heralded as a security breakthrough for virtualization environments. Both SEV-SNP and SEV-ES are designed to encrypt confidential data within virtual machines (VMs). By providing isolation and security, the threat posed by other VMs and untrusted hypervisors can be mitigated.
Unfortunately, CVE-2024-25742 undermines this security promise as it allows untrusted hypervisors to manipulate VMs in a way that can lead to a compromise. Specifically, an attacker controlling a hypervisor can inject a virtual interrupt 29, also referred to as #VC, at any arbitrary moment. When the system tries to handle this interrupt, the consequences can range from information disclosure to potential privilege escalation.
Code Snippet
Here's a simple demonstration of the vulnerability, in which the hypervisor attempts to inject a #VC interrupt:
void inject_vc_interrupt(void)
{
// Initialize an interrupt request to be injected
struct kvm_interrupt injection_request;
memset(&injection_request, , sizeof(struct kvm_interrupt));
// Set a virtual interrupt 29 (#VC) to be injected
injection_request.irq = 29;
// Attempt the injection by invoking the KVM_INTERRUPT ioctl
if (ioctl(kvm_fd, KVM_INTERRUPT, &injection_request) == -1)
{
perror("KVM_INTERRUPT");
exit(EXIT_FAILURE);
}
}
Original References
This vulnerability was initially discovered and reported by researchers working on the KvMon KVM security project. The original references include:
1. Link to KvMon website
2. Link to KVM security project
3. CVE-2024-25742 official vulnerability report
Exploit Scenario
In a typical exploit scenario, assume an attacker has gained control of the hypervisor by exploiting another vulnerability in the host or a different VM. Depending on the level of control, the attacker can inject the #VC interrupt into the victim VM using the above code snippet.
Upon injection, the control of the VM is transferred to the attacker’s controlled handler, which might lead to various undesirable outcomes. For example, the attacker may choose to leak sensitive data, tamper with the VM operation, or further escalate their privileges.
Mitigation and Remedies
To protect against exploitation of CVE-2024-25742, it is crucial to ensure that you have the latest version of the Linux kernel deployed. Version 6.9 and beyond have a patch in place that addresses this critical vulnerability. Furthermore, make sure to follow best practices when securing your hypervisors and virtualized environments. Keeping your software up to date and deploying appropriate access controls can make a significant difference in mitigating the risks posed by this vulnerability.
Conclusion
CVE-2024-25742 is a concerning weakness in the Linux kernel prior to version 6.9, as it affects AMD SEV-SNP and AMD SEV-ES features relied upon by many users for improved security in virtualization. Through our walkthrough of the exploit scenario, we demonstrated the potential dangers that this vulnerability can introduce. The code snippet we provided serves as a starting point for interested readers to study this vulnerability further. Lastly, staying vigilant with patching and upholding the best security practices remains crucial in combating this risk.
Timeline
Published on: 05/17/2024 22:15:07 UTC
Last modified on: 11/21/2024 09:01:19 UTC