SEVered: New Vulnerability For Extracting Passwords From Guest VM’s Memory

A group of researchers from the Fraunhofer Institute of Technology for Applied and Integrated Safety in Munich, Germany, has published a scientific paper explaining their method for recovering data from AMD’s Secure Encrypted Virtualization (SEV) mechanism, which was designed to encrypt the data of a virtual machine running on a server. The team named the attack SEVered and said it is capable of recovering plaintext passwords from the memory of a guest VM running on the host OS.

“By repeatedly sending requests for the same resource to the service while re-mapping the identified memory pages, we extract all the VM’s memory in plaintext,” researchers said in their paper, entitled “SEVered: Subverting AMD’s Virtual Machine Encryption.”

The attack succeeds because of the design of the AMD CPU, which uses main memory to store data: “The page-wise encryption of main memory lacks integrity protection.”

This allows the attacker to map the entire memory and then request parts of the data belonging to VMs near the attacked guest VM. During tests of their attack, the researchers said they were able to recover a test server’s entire 2GB memory, including data from a guest VM.
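A toy model of the weakness described above, added here as an illustration and not taken from the paper or this article. The XOR keystream, page size, page contents and the `owner` table standing in for integrity protection are all assumptions made for the example.

```python
import hashlib

PAGE = 16  # toy page size in bytes (constructed)

def pad(key: bytes, hpa: int) -> bytes:
    # Toy address-tweaked keystream; a stand-in, not AMD's actual cipher.
    return hashlib.sha256(key + hpa.to_bytes(8, "little")).digest()[:PAGE]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Machine:
    """Guest memory encrypted per page, mapped through hypervisor-owned tables."""

    def __init__(self, key: bytes, pages: list, integrity: bool = False):
        self.key, self.integrity = key, integrity
        # DRAM holds ciphertext only; this is all the hypervisor can read directly.
        self.dram = {hpa: xor(p.ljust(PAGE, b"."), pad(key, hpa))
                     for hpa, p in enumerate(pages)}
        # Guest-physical -> host-physical mapping, writable by the hypervisor.
        self.npt = {gpa: gpa for gpa in range(len(pages))}
        # Hypothetical integrity metadata: which GPA each host page was given to.
        self.owner = {hpa: hpa for hpa in range(len(pages))}

    def guest_read(self, gpa: int) -> bytes:
        hpa = self.npt[gpa]
        if self.integrity and self.owner[hpa] != gpa:
            raise PermissionError(f"GPA {gpa} remapped to foreign page {hpa}")
        # Hardware decrypts whatever page the mapping points at.
        return xor(self.dram[hpa], pad(self.key, hpa))

def serve(vm: Machine, resource_gpa: int = 0) -> bytes:
    """In-guest service answering a request with the page holding the resource."""
    return vm.guest_read(resource_gpa)

def demo(integrity: bool):
    pages = [b"<h1>index</h1>", b"pw=constructed!"]  # constructed sample pages
    vm = Machine(b"guest-key", pages, integrity)
    before = serve(vm)
    vm.npt[0] = 1  # the mapping for the resource page now points at the other page
    try:
        after = serve(vm)
    except PermissionError:
        after = None
    return before, after

if __name__ == "__main__":
    print("no integrity:  ", demo(False))
    print("with integrity:", demo(True))
```

Without the ownership check the service hands back the second page in plaintext even though DRAM only ever held ciphertext; with the check the remapped read is refused.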

The researchers bombarded Apache and Nginx with continuous repeated requests and retrieved memory at a speed of 79.4KB/sec. OpenSSH was slower, at 41.7KB/sec. The attacker needs to modify the server’s hypervisor to initiate the SEVered attack, which may be out of reach. The attack can, however, be mitigated by ensuring patching is kept up to date.

The researchers said that their attack isn’t hindered by maxed-out servers and will be able to retrieve memory even under high workloads. The team showcased their work at the European Workshop on Systems Security, held in Porto, Portugal. They used an AMD Epyc 7251 as the test device.

If you would like to read the research paper you can do so here
