AMD EPYC processors are characterized by a high level of security, which is very important for any enterprise customer, since data center equipment is a very attractive option for hackers and is also used by dozens of people every day, both remotely and personally. Now things seem to be getting worse, as a new vulnerability has been discovered that affects AMD EPYC and its SEV (Secure Encrypted Virtualization). Let’s take a look at what it’s all about.
AMD EPYC suffers security setback after SEV vulnerability is discovered
This issue was discovered by researchers at Cornell University, who presented a proof of concept in which they describe the vulnerability as extremely serious.
SEV (Secure Encrypted Virtualization) is a technology that is part of the AMD Secure Processor. This is a co-processor that is integrated into processors like the AMD EPYC and basically provides security functions that are completely separate from the normal CPU. The SEV encrypts the memory of virtual machines, which are widely used in servers so that their memory environments are completely isolated and maximally secure.
We extract some statements from the proof of concept abstract:
We present a voltage manipulation attack that allows an attacker to run custom workloads on the AMD Secure Processor on all microarchitectures that support SEV (Zen 1, Zen 2, Zen 3). The methods presented allow us to deploy custom SEV firmware on the AMD Secure Processor that allows an attacker to decrypt virtual machine memory.
So, as we can see, the affected processors include AMD EPYC processors of all generations, and there SEV is a key feature.
A quick look at the presented proof-of-concept reveals that the key point of the attack is to change the voltage regulation of the board, so we assume that physical access to the machine is required to execute the attack. Moreover, while this manipulation is cheap, it is not easy.
So where does the problem lie? Very simple: with “rogue” system administrators who do not have access rights to the computer, but have the ability to physically access the computer. Moreover, once the attack was carried out, they could obtain enough keys to remotely attack these virtual machines.
AMD has not commented on the matter, only telling The Register that physical access to the machine is required. No official statement has been made.
It should be noted, however, that this proof of concept has not yet been officially turned into a vulnerability (CVE), so we do not yet know AMD’s position on this. This is usually the case when the discoverers of the attack do not give the company time to prepare its response, as expected.