CVE-2021-29657
📋 TL;DR
This vulnerability allows an attacker with guest VM access on AMD systems to bypass host OS security controls and potentially execute arbitrary code on the host. It affects Linux systems running KVM virtualization with nested guests enabled. Attackers need guest VM access to exploit this race condition.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Full host compromise allowing attacker to escape guest VM isolation, access host resources, and potentially compromise other VMs on the same host.
Likely Case
Privilege escalation from guest VM to host kernel, allowing unauthorized access to host system resources and MSRs.
If Mitigated
Limited impact if proper network segmentation and access controls prevent attackers from reaching vulnerable virtualization hosts.
🎯 Exploit Status
Exploit requires guest VM access and knowledge of the race condition timing. Project Zero has published technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel 5.11.12 and later
Vendor Advisory: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.11.12
Restart Required: Yes
Instructions:
1. Update the Linux kernel to version 5.11.12 or later.
2. For distributions: use the package manager (apt/yum/dnf) to update the kernel package.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable nested virtualization
Prevents exploitation by disabling the vulnerable nested SVM feature. The kvm_amd module can only be unloaded and reloaded while no guests are running; rmmod fails with "Module kvm_amd is in use" otherwise, so schedule the change for a maintenance window or reboot after writing the modprobe option.
echo 'options kvm_amd nested=0' > /etc/modprobe.d/kvm-amd-nested.conf
rmmod kvm_amd
modprobe kvm_amd
🧯 If You Can't Patch
- Disable nested virtualization on AMD hosts
- Restrict guest VM access to trusted users only
🔍 How to Verify
Check if Vulnerable:
Check the running kernel version with uname -r. If the version is earlier than 5.11.12 and nested virtualization is enabled on an AMD host (kvm_amd loaded with nested=1), the system is vulnerable.
Check Version:
uname -r
Verify Fix Applied:
Verify that the kernel version reported by uname -r is 5.11.12 or later. If the workaround is applied instead, /sys/module/kvm_amd/parameters/nested reads 0 (the file is absent when kvm_amd is not loaded).
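The check above, scripted as an added example (not part of the advisory): it reduces the running kernel version to its numeric base, compares it against 5.11.12, and combines that with the kvm_amd nested parameter and the CPU vendor to report one of fixed, mitigated, vulnerable, not-affected or kvm_amd-not-loaded. The function and status names are this example's own; the thresholds and file paths are the ones given on this page.

```shell
#!/bin/sh
# Added example for the CVE-2021-29657 verification steps on this page.
# Criteria used: kernel older than 5.11.12, AMD CPU, kvm_amd loaded with nested=1.

FIXED_VERSION="5.11.12"

# Reduce "5.11.12-arch1-1" or "5.4.0-73-generic" to "5.11.12" / "5.4.0".
kernel_base_version() {
  printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# Return 0 (true) when dotted version $1 is numerically older than $2.
version_lt() {
  a="$(kernel_base_version "$1").0.0"   # pad so fields 1..3 always exist
  b="$(kernel_base_version "$2").0.0"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# $1 = kernel version (uname -r), $2 = contents of
# /sys/module/kvm_amd/parameters/nested ("1", "0", or "" if not loaded),
# $3 = "1" on an AMD CPU, else "0". Prints one status word.
cve_2021_29657_status() {
  if ! version_lt "$1" "$FIXED_VERSION"; then echo "fixed"; return; fi
  [ "$3" = "1" ] || { echo "not-affected"; return; }
  case "$2" in
    "") echo "kvm_amd-not-loaded" ;;
    0)  echo "mitigated" ;;
    *)  echo "vulnerable" ;;
  esac
}

# Gather the live facts from this host and report (run with --report).
main() {
  kver=$(uname -r)
  nested=$(cat /sys/module/kvm_amd/parameters/nested 2>/dev/null || true)
  if grep -qi 'AuthenticAMD' /proc/cpuinfo 2>/dev/null; then amd=1; else amd=0; fi
  printf 'kernel=%s nested=%s amd=%s -> %s\n' "$kver" "${nested:-none}" "$amd" \
    "$(cve_2021_29657_status "$kver" "$nested" "$amd")"
}

if [ "${1:-}" = "--report" ]; then main; fi
```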
📡 Detection & Monitoring
Log Indicators:
- Kernel logs showing nested SVM operations
- Unexpected MSR access attempts from guest VMs
Network Indicators:
- Unusual network traffic patterns from virtualization hosts
SIEM Query:
source="kernel" AND ("nested_svm" OR "VMCB" OR "MSR access")
🔗 References
- http://packetstormsecurity.com/files/163324/KVM-nested_svm_vmrun-Double-Fetch.html
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2177
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.11.12
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a58d9166a756a0f4a6618e4f593232593d6df134
- https://security.netapp.com/advisory/ntap-20210902-0008/