Threat Feed
high advisory

BadAML Injection Allows Arbitrary Code Execution in Confidential VMs

The BadAML injection attack allows arbitrary code execution in confidential VMs by exploiting the ACPI interface, enabling attackers with host control to execute malicious AML code within the guest.

The BadAML injection attack, first published in 2024, exploits the ACPI interface of confidential virtual machines to obtain arbitrary code execution. The weakness is that an attacker who controls the host can inject malicious AML (ACPI Machine Language) code. The code, embedded in ACPI tables, is passed from the host (QEMU) to the guest firmware (OVMF) and from there to the Linux kernel. The kernel’s AML interpreter then executes it, giving the attacker control inside the guest. Contrast platform versions prior to 1.18.0 are vulnerable on the Metal-QEMU-SNP and Metal-QEMU-SNP-GPU platforms. Successful exploitation lets an attacker bypass the security measures that are meant to protect confidential VMs from the host.

Attack Chain

  1. Attacker gains control over the host machine running the QEMU hypervisor.
  2. Attacker crafts a malicious ACPI table containing arbitrary AML code.
  3. The malicious ACPI table is injected into the guest VM via QEMU.
  4. The OVMF firmware in the guest VM parses the ACPI table and passes the AML code to the Linux kernel.
  5. The Linux kernel’s AML interpreter executes the injected AML code.
  6. The AML code leverages its access to guest memory to escalate privileges.
  7. The attacker gains arbitrary code execution within the guest VM.
  8. The attacker can then perform malicious actions, such as data exfiltration or further compromise of the system.

Impact

Successful exploitation of the BadAML vulnerability allows attackers to execute arbitrary code within confidential VMs, potentially leading to data theft, service disruption, or complete system compromise. The number of affected victims is unknown; any environment that uses the vulnerable Contrast platforms (Metal-QEMU-SNP and Metal-QEMU-SNP-GPU) for confidential computing is exposed. The impact is significant because it undermines the security guarantees that confidential computing is meant to provide against a compromised host.

Recommendation

  • Upgrade Contrast installations on Metal-QEMU-SNP and Metal-QEMU-SNP-GPU platforms to version 1.18.0 or later to incorporate the kernel patch.
  • Monitor host systems for suspicious ACPI table modifications using custom scripts or host-based intrusion detection systems. No specific rule is provided, but ACPI table modification events should be logged wherever possible.
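As an added defender-side illustration of the monitoring recommendation above (example code written for this page, not part of the advisory or of the Contrast project), the script below parses the ACPI system description table header, verifies each table's checksum, and compares the tables a Linux guest exposes under /sys/firmware/acpi/tables against a baseline of digests taken from a trusted reference image. The header layout follows the ACPI specification; the sample tables, their OEM fields, the table names and the baseline are constructed for the demo.

```python
"""Guest-side ACPI table integrity audit (added example; not part of the advisory)."""
import hashlib
import os
import struct
from typing import Dict, List

# ACPI System Description Table header, 36 bytes, little-endian:
# Signature(4) Length(4) Revision(1) Checksum(1) OEMID(6) OEMTableID(8)
# OEMRevision(4) CreatorID(4) CreatorRevision(4)
SDT_HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9


def parse_sdt_header(table: bytes) -> Dict[str, object]:
    """Parse the SDT header and verify the table-wide checksum.

    Raises ValueError on a truncated table, a Length field that disagrees with
    the bytes actually present, or a bad checksum (all bytes of a valid table
    sum to 0 modulo 256).
    """
    if len(table) < SDT_HEADER.size:
        raise ValueError("table shorter than the 36-byte SDT header")
    (sig, length, rev, _cksum, oem_id, oem_table_id,
     oem_rev, creator_id, creator_rev) = SDT_HEADER.unpack_from(table)
    if length != len(table):
        raise ValueError(f"{sig!r}: header Length {length} != {len(table)} bytes present")
    if sum(table) & 0xFF:
        raise ValueError(f"{sig!r}: checksum mismatch")
    return {
        "signature": sig.decode("ascii", "replace"),
        "length": length,
        "revision": rev,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table_id.decode("ascii", "replace").strip(),
        "oem_revision": oem_rev,
        "creator_id": creator_id.decode("ascii", "replace"),
        "creator_revision": creator_rev,
    }


def build_table(sig: bytes, body: bytes) -> bytes:
    """Build a well-formed table with a correct checksum (constructed test data only)."""
    header = SDT_HEADER.pack(sig, SDT_HEADER.size + len(body), 1, 0,
                             b"CONSTR", b"EXAMPLE ", 1, b"EXMP", 1)
    raw = bytearray(header + body)
    raw[CHECKSUM_OFFSET] = (-sum(raw)) & 0xFF  # make the byte sum 0 mod 256
    return bytes(raw)


def load_sysfs_tables(root: str = "/sys/firmware/acpi/tables") -> Dict[str, bytes]:
    """Read the tables the Linux kernel exposes (needs root; one file per table, e.g. DSDT, FACP, SSDT1)."""
    tables: Dict[str, bytes] = {}
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                tables[entry] = fh.read()
    return tables


def audit_tables(tables: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare observed tables with sha256 digests recorded from a trusted reference image.

    Findings: 'modified' (digest differs), 'unexpected' (table absent from the
    baseline), 'missing' (baseline table not present) and 'malformed' (header or
    checksum invalid). Any non-empty finding means the guest is not running on the
    ACPI tables its image was built with and deserves investigation.
    """
    findings: Dict[str, List[str]] = {"modified": [], "unexpected": [], "missing": [], "malformed": []}
    for name, raw in tables.items():
        try:
            parse_sdt_header(raw)
        except ValueError as err:
            findings["malformed"].append(f"{name}: {err}")
            continue
        digest = hashlib.sha256(raw).hexdigest()
        if name not in baseline:
            findings["unexpected"].append(name)
        elif baseline[name] != digest:
            findings["modified"].append(name)
    findings["missing"] = [name for name in baseline if name not in tables]
    return findings


def demo() -> Dict[str, List[str]]:
    """Run the audit on constructed tables: one changed, one extra, one removed, one corrupted."""
    reference = {
        "DSDT": build_table(b"DSDT", b"\x00" * 32),
        "FACP": build_table(b"FACP", b"\x00" * 20),
        "HPET": build_table(b"HPET", b"\x00" * 8),
    }
    baseline = {name: hashlib.sha256(raw).hexdigest() for name, raw in reference.items()}
    observed = dict(reference)
    observed["DSDT"] = build_table(b"DSDT", b"\x00" * 32 + b"\x01\x02")  # DSDT content differs
    observed["SSDT1"] = build_table(b"SSDT", b"\x00" * 8)               # table the image never shipped
    observed["OEM1"] = reference["FACP"][:-1] + b"\xff"                 # altered tail byte, bad checksum
    del observed["HPET"]                                                # baseline table no longer present
    return audit_tables(observed, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:10s} {names}")
```

Because the host supplies the tables before the guest kernel boots, the baseline must come from an independently trusted source (a reference build of the VM image or the measured firmware), never from a first boot of the VM being checked, otherwise an injected table would simply become the baseline. The `demo()` path runs offline on the constructed tables; `audit_tables(load_sysfs_tables(), baseline)` performs the live check as root inside the guest, and complements rather than replaces the kernel patch shipped in 1.18.0.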

Detection coverage (2 rules)

Detect ACPI Table Loading from Unusual Locations

Severity: medium

Detects loading of ACPI tables from unusual locations, which could indicate an attempt to inject malicious AML code.

Format: Sigma · Tactic: execution · Technique: T1053 · Sources: file_event, linux

Detect AML Interpreter Invocation

Severity: high

Detects invocation of the AML interpreter by monitoring for specific kernel function calls, potentially indicating malicious AML code execution.

Format: Sigma · Tactic: execution · Technique: T1059.004 · Sources: process_creation, linux

Detection queries are kept inside the platform.