CVE-2021-26408

7.1 HIGH

📋 TL;DR

AMD SEV-legacy firmware performs insufficient validation of elliptic curve points during guest migration. An attacker with access to the migration process could potentially compromise guest integrity or confidentiality during migration operations. This affects systems using AMD EPYC processors with SEV-legacy enabled.
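
The check that "insufficient validation of elliptic curve points" refers to, as an added example that is not part of this advisory or of AMD's firmware: a migration endpoint must confirm that a peer's public point is a well-formed, reduced, on-curve point before it is used in key agreement. NIST P-256 and the function names are assumptions made here so the example is self-contained; the check is the same for any short-Weierstrass curve.

```python
# Added example (not from the advisory): on-curve validation of a received public point.
# NIST P-256 constants are an assumed stand-in for the curve the firmware actually uses.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32  # bytes per coordinate for a 256-bit curve


def encode_point(x: int, y: int) -> bytes:
    """Uncompressed X||Y encoding, as a peer would transmit it (demo helper)."""
    return x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")


def is_on_curve(x: int, y: int) -> bool:
    """True iff y^2 == x^3 + A*x + B (mod P)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def implied_b(x: int, y: int) -> int:
    """The b for which (x, y) DOES satisfy y^2 = x^3 + A*x + b.  Point addition and
    doubling formulas never use b, so an implementation that skips the on-curve check
    silently does its arithmetic on this other curve instead of the intended one."""
    return (y * y - x * x * x - A * x) % P


def validate_peer_point(raw: bytes):
    """Return None if raw is a usable public point, else a string naming the defect.
    Every step here must run BEFORE the point reaches scalar multiplication."""
    if len(raw) != 2 * COORD_LEN:
        return "bad point length"
    x = int.from_bytes(raw[:COORD_LEN], "big")
    y = int.from_bytes(raw[COORD_LEN:], "big")
    if x >= P or y >= P:
        return "coordinate not reduced mod p"  # reject non-canonical encodings, do not reduce them
    if not is_on_curve(x, y):
        return "point not on curve"
    # P-256 has prime order and the identity has no affine encoding, so no further
    # subgroup (cofactor) check is needed; a curve with cofactor > 1 would need one here.
    return None


if __name__ == "__main__":
    good = encode_point(GX, GY)            # the generator: trivially valid
    bad = encode_point(GX, (GY + 1) % P)   # constructed: same x, y nudged off the curve
    print(validate_peer_point(good))       # None
    print(validate_peer_point(bad))        # point not on curve
    print(implied_b(GX, GY + 1) == B)      # False: unchecked, the math would run on another curve
```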

💻 Affected Systems

Products:
  • AMD EPYC processors with SEV-legacy firmware
Versions: SEV-legacy firmware versions prior to fixes
Operating Systems: All guest operating systems using SEV-legacy
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with SEV-legacy enabled and using guest migration features.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of guest VM confidentiality and integrity during migration, allowing attackers to access sensitive data or modify guest execution.

🟠 Likely Case: Potential data leakage or integrity compromise during migration between trusted hosts in controlled environments.

🟢 If Mitigated: Minimal impact if migration occurs only between fully trusted hosts with proper isolation controls.

🌐 Internet-Facing: LOW - SEV-legacy migration typically occurs within controlled data center environments, not directly internet-facing.
🏢 Internal Only: MEDIUM - Risk exists within data center environments where guest migration occurs between potentially untrusted hosts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires access to migration infrastructure and knowledge of SEV-legacy internals.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to AMD advisory for specific firmware versions

Vendor Advisory: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1021

Restart Required: Yes

Instructions:

1. Check the AMD advisory for affected processor models.
2. Obtain updated firmware from your hardware vendor.
3. Apply the firmware update following the vendor's instructions.
4. Reboot the system to activate the new firmware.

🔧 Temporary Workarounds

Disable guest migration (all)
Prevent migration of SEV-legacy guests between hosts
# Configure hypervisor to disable SEV-legacy guest migration

Restrict migration to trusted hosts (all)
Only allow migration between fully trusted and controlled hosts
# Configure migration policies to trusted host list only

🧯 If You Can't Patch

  • Isolate SEV-legacy guests to single hosts without migration
  • Implement strict access controls to migration infrastructure

🔍 How to Verify

Check if Vulnerable:

Check firmware version against AMD advisory and verify SEV-legacy is enabled

Check Version:

# Check firmware version via dmesg or vendor-specific tools

Verify Fix Applied:

Verify firmware version matches patched version from AMD advisory

📡 Detection & Monitoring

Log Indicators:

  • Unusual migration patterns
  • Failed migration attempts
  • Firmware error logs related to SEV

Network Indicators:

  • Unexpected migration traffic between hosts
  • Anomalous patterns in migration protocols

SIEM Query:

Search for SEV migration events with error codes or from untrusted sources
