Chipmaker AMD has released fixes to address a security flaw dubbed RMPocalypse that could be exploited to undermine confidential computing guarantees provided by Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP).
The attack, per ETH Zürich researchers Benedict Schlüter and Shweta Shinde, exploits AMD’s incomplete protections that make it possible to perform a single memory write to the Reverse Map Paging (RMP) table, a data structure that’s used to store security metadata for all DRAM pages in the system.
“The Reverse Map Table (RMP) is a structure that resides in DRAM and maps system physical addresses (sPAs) to guest physical addresses (gPAs),” according to AMD’s specification documentation. “There is only one RMP for the entire system, which is configured using x86 model-specific registers (MSRs).”
“The RMP also contains various security attributes of each that are managed by the hypervisor through hardware-mediated and firmware-mediated controls.”
AMD makes use of what’s called a Platform Security Processor (PSP) to initialize the RMP, which is crucial to enabling SEV-SNP on the platform. RMPocalypse exploits a memory management flaw in this initialization step, allowing attackers to access sensitive information in contravention of SEV-SNP’s confidentiality and integrity protections.
At the heart of the problem is a lack of adequate safeguards for the security mechanism itself — something of a catch-22 situation that arises as a result of RMP not being fully protected when a virtual machine is started, effectively opening the door to RMP corruption.
“This gap could allow attackers with remote access to bypass certain protective functions and manipulate the virtual machine environment, which is intended to be securely isolated,” ETH Zürich said. “This vulnerability can be exploited to activate hidden functions (such as a debug mode), simulate security checks (so-called attestation forgeries) and restore previous states (replay attacks) – and even to inject foreign code.”
Successful exploitation of RMPocalypse can allow a bad actor to arbitrarily tamper with the execution of the confidential virtual machines (CVMs) and exfiltrate all secrets with 100% success rate, the researchers found.
In response to the findings, AMD has assigned the CVE identifier CVE-2025-0033 (CVSS v4 score: 5.9) to the vulnerability, describing it as a race condition that can occur while the AMD Secure Processor (ASP or PSP) is initializing the RMP. As a result, it could allow a malicious hypervisor to manipulate the initial RMP content, potentially resulting in loss of SEV-SNP guest memory integrity.
“Improper access control within AMD SEV-SNP could allow an admin-privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory integrity,” the chipmaker noted in its advisory released Monday.
AMD has revealed that…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
