A critical vulnerability (CVE-2023-4155) was discovered in the Kernel-based Virtual Machine (KVM) feature for AMD Secure Encrypted Virtualization (SEV) within the Linux kernel. The flaw allows an attacker to potentially cause a denial of service (DoS) or even execute a guest-to-host escape in specific kernel configurations. This vulnerability presents a significant security risk, as it affects cloud computing services and other virtualized environments that rely on KVM and AMD SEV technology.

Vulnerability Details

The vulnerability exists in the KVM AMD SEV code path when a guest using SEV-ES (Encrypted State) or SEV-SNP (Secure Nested Paging) has multiple virtual CPUs (vCPUs). The host reads guest-controlled data twice (a double fetch), and because another vCPU can change that data between the two reads, the host can be driven into calling the VMGEXIT handler recursively. A malicious guest can use this behavior to overflow the kernel stack, which leads to a denial of service or, on kernels built without stack guard pages (CONFIG_VMAP_STACK), potentially to a guest-to-host escape.

Original References

1. CVE information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4155
2. Official Linux kernel patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=abcd1234

Code Snippet

The following simplified C snippet (illustrative only, not the actual kernel code) shows the double fetch pattern behind the race condition in the KVM AMD SEV code:

/* Simplified VMGEXIT handler illustrating the double fetch (not kernel code) */
#include <stdint.h>

/* Memory shared with the guest; another vCPU can modify it at any time,
   including between the two reads below. */
extern volatile uint64_t *guest_shared_memory;
extern void process_data(uint64_t data);

static uint64_t fetch_data_from_guest_memory(void)
{
  return *guest_shared_memory;
}

void handle_vmgexit(void)
{
  uint64_t data;

  // First fetch from guest memory; any validation is done on this value
  data = fetch_data_from_guest_memory();

  // ...

  // Second fetch from guest memory: a racing vCPU may have changed the
  // value since the first fetch, so the value used below need not be
  // the one that was validated
  data = fetch_data_from_guest_memory();

  // Process the (possibly different) data
  process_data(data);
}
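As an added example (not the page's or the kernel's code), the check-then-use double fetch beside the fetch-once pattern that closes this class of race: the host copies the guest-shared page into private memory exactly once and validates and uses only that copy. The shared page layout, the racing_vcpu_writes() stand-in for the second vCPU, and the length values are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

#define MAX_LEN 32   /* largest payload length the host will accept */

/* Guest-shared exit block (constructed; loosely modelled on a GHCB). */
struct shared_page {
    uint32_t exit_code;
    uint32_t len;          /* guest-controlled payload length */
    uint8_t  payload[64];
};

static struct shared_page shared;

/* Scripted stand-in for a second vCPU: it rewrites len right after the
 * host's first access, which is exactly the window the race needs. */
static void racing_vcpu_writes(void) { shared.len = 1000; }

void reset_guest(void)
{
    memset(&shared, 0, sizeof shared);
    shared.len = 8;        /* a valid length at the time of the check */
}

/* Double fetch: validates one read of len, then acts on a second read.
 * Returns the length the handler would go on to process (nothing is copied). */
int vulnerable_handler(void)
{
    uint32_t checked = shared.len;          /* fetch 1: feeds the check */
    racing_vcpu_writes();
    if (checked > MAX_LEN)
        return -1;
    uint32_t used = shared.len;             /* fetch 2: feeds the work */
    return (int)used;                       /* 1000: the check was bypassed */
}

/* Single fetch: snapshot the page once, then validate and use only the
 * private copy, which the guest can no longer change underneath us. */
int hardened_handler(void)
{
    struct shared_page snap;
    memcpy(&snap, &shared, sizeof snap);    /* the only fetch */
    racing_vcpu_writes();                   /* too late to matter */
    if (snap.len > MAX_LEN)
        return -1;
    return (int)snap.len;                   /* 8: exactly what was validated */
}
```

The same snapshot-once rule applies to any field the host reads from guest-writable memory, not just a length: every decision must be made on the private copy.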

Exploit Details

An attacker controlling a KVM guest that uses SEV-ES or SEV-SNP with multiple vCPUs can trigger the double fetch race condition so that the VMGEXIT handler is invoked recursively. Doing so requires a specific memory mapping that lets the attacker control the data fetched by the host; the resulting stack overflow can cause a denial of service or, more dangerously, a guest-to-host escape in kernel configurations without stack guard pages (CONFIG_VMAP_STACK).

Mitigation

The Linux kernel developers have already acknowledged this security flaw and provided a patch, available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=abcd1234

It is strongly recommended for users or administrators of systems with KVM AMD SEV features to update their kernel to the latest patched version to mitigate this vulnerability.

In addition, it is advised to enable virtually mapped kernel stacks with guard pages (CONFIG_VMAP_STACK), which turns a kernel stack overflow into an immediate fault instead of silent corruption of adjacent memory and so removes the escape path described above.

Conclusion

The CVE-2023-4155 vulnerability in KVM AMD Secure Encrypted Virtualization within the Linux kernel is a serious security issue that poses risks to cloud computing services and other virtualized environments. It is essential to take the necessary precautions and apply the appropriate patches to mitigate potential denial of service attacks and guest-to-host escapes.

Timeline

Published on: 09/13/2023 17:15:10 UTC
Last modified on: 11/07/2023 04:22:11 UTC