cyware: Novel Ahoi attacks could compromise confidential VMs

Summary: Confidential virtual machines are at risk of being breached through two types of Ahoi attacks, known as “Heckler” and “WeSee.”

Threat Actor: Unknown | Ahoi attacks
Victim: Confidential virtual machines

Key Points:

  • The first attack, “Heckler,” targets hardware-based trusted execution environments using malicious hypervisors to evade authentication and gain root access.
  • The second attack, “WeSee,” exploits a special interrupt to exfiltrate sensitive data, corrupt kernel data, and open a root shell.

Confidential virtual machines could be breached through two different types of novel Ahoi attacks, reports SecurityWeek.

The first technique, dubbed “Heckler,” targets hardware-based trusted execution environments running on Intel’s Trust Domain Extensions (TDX) and AMD’s Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). A malicious hypervisor is used to bypass authentication inside the confidential VM and obtain root access, according to the ETH Zurich researchers who discovered the attacks.

AMD believes the issue stems from the Linux implementation of SEV-SNP rather than from the hardware itself. Microsoft Azure and Amazon Web Services’ EC2 have been confirmed to be unaffected; however, AWS will issue kernel fixes for Amazon Linux, which is affected.

The second attack, dubbed “WeSee,” affects only AMD SEV-SNP-based confidential virtual machines. It exploits a special interrupt to exfiltrate sensitive data, corrupt kernel data, and open a root shell.

Source: https://www.scmagazine.com/brief/novel-ahoi-attacks-could-compromise-confidential-vms
