Chipmaker AMD has released fixes to address a security flaw dubbed RMPocalypse that could be exploited to undermine confidential computing guarantees provided by Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP).
The attack, per ETH Zürich researchers Benedict Schlüter and Shweta Shinde, exploits AMD’s incomplete protections that make it possible to perform a single memory write to the Reverse Map Paging (RMP) table, a data structure that’s used to store security metadata for all DRAM pages in the system.
“The Reverse Map Table (RMP) is a structure that resides in DRAM and maps system physical addresses (sPAs) to guest physical addresses (gPAs),” according to AMD’s specification documentation. “There is only one RMP for the entire system, which is configured using x86 model-specific registers (MSRs).”
“The RMP also contains various security attributes of each that are managed by the hypervisor through hardware-mediated and firmware-mediated controls.”
AMD makes use of what’s called a Platform Security Processor (PSP) to initialize the RMP, which is crucial to enabling SEV-SNP on the platform. RMPocalypse exploits a memory management flaw in this initialization step, allowing attackers to access sensitive information in contravention of SEV-SNP’s confidentiality and integrity protections.
At the heart of the problem is a lack of adequate safeguards for the security mechanism itself — something of a catch-22 situation that arises as a result of RMP not being fully protected when a virtual machine is started, effectively opening the door to RMP corruption.
“This gap could allow attackers with remote access to bypass certain protective functions and manipulate the virtual machine environment, which is intended to be securely isolated,” ETH Zürich said. “This vulnerability can be exploited to activate hidden functions (such as a debug mode), simulate security checks (so-called attestation forgeries) and restore previous states (replay attacks) – and even to inject foreign code.”
Successful exploitation of RMPocalypse can allow a bad actor to arbitrarily tamper with the execution of the confidential virtual machines (CVMs) and exfiltrate all secrets with 100% success rate, the researchers found.
In response to the findings, AMD has assigned the CVE identifier CVE-2025-0033 (CVSS v4 score: 5.9) to the vulnerability, describing it as a race condition that can occur while the AMD Secure Processor (ASP or PSP) is initializing the RMP. As a result, it could allow a malicious hypervisor to manipulate the initial RMP content, potentially resulting in loss of SEV-SNP guest memory integrity.
“Improper access control within AMD SEV-SNP could allow an admin-privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory integrity,” the chipmaker noted in its advisory released Monday.
AMD has revealed that the following chipsets are impacted by the flaw –
- AMD EPYC™ 7003 Series Processors
- AMD EPYC™ 8004 Series Processors
- AMD EPYC™ 9004 Series Processors
- AMD EPYC™ 9005 Series Processors
- AMD EPYC™ Embedded 7003 Series Processors (Fix planned for release in November 2025)
- AMD EPYC™ Embedded 8004 Series Processors
- AMD EPYC™ Embedded 9004 Series Processors
- AMD EPYC™ Embedded 9004 Series Processors
- AMD EPYC™ Embedded 9005 Series Processors (Fix planned for release in November 2025)
Microsoft and Supermicro have also acknowledged CVE-2025-0033, with the Windows maker stating that it’s working to remediate it in Azure Confidential Computing’s (ACC) AMD-based clusters. Supermicro said impacted motherboard SKUs require a BIOS update to address the flaw.
“RMPocalypse shows that AMD’s platform protection mechanisms are not complete, thus leaving a small window of opportunity for the attacker to maliciously overwrite the RMP on initialization,” the researchers said. “Due to the design of the RMP, a single overwrite of 8 bytes within the RMP causes the entire RMP to become subsequently compromised.”
“With a compromised RMP, all integrity guarantees of SEV-SNP become void. RMPocalypse case studies show that an attacker-controlled RMP not only voids the integrity but also results in a full breach of confidentiality.”
The development comes weeks after a group of academics from KU Leuven and the University of Birmingham demonstrated a new vulnerability called Battering RAM to bypass the latest defenses on Intel and AMD cloud processors.
About The Author
Original post here
