Full Report
Confidential Virtual Machines (CVMs) are Linux-based systems that run in automated environments and handle secrets in an untrusted setting: they run on an untrusted host machine and are interacted with remotely. They are used in applications such as private blockchains or multi-party data collaboration. These systems require that the host OS be unable to read the CVM's memory or modify its logical operation. Additionally, a remote party should be able to confirm that it is talking to a genuine CVM program via a remote attestation process. LUKS2 encryption is used to encrypt the CVM's hard drive. A LUKS2 volume consists of header information followed by the actual encrypted volume. The usual encryption setting is aes-xts-plain64. The setting cipher_null-ecb is an "algorithm" that simply ignores the key and returns the data unchanged. When the null cipher is used, the key slot can be opened with any passphrase; effectively, the passphrase is just ignored (in newer versions, the password must be empty in this mode). This attack enables the host to substitute an attacker-controlled drive for the legitimate one.

The threat model is really confusing to me. It's a malicious host attacking a VM that is modifying the VM. If the device is running an OS in a VM, couldn't you change the VM's memory to perform arbitrary actions anyway? Maybe I'm misunderstanding something.
Analysis Summary
# Vulnerability: LUKS2 Header Manipulation in Confidential VMs
## CVE Details
- **CVE ID:** CVE-2025-59054, CVE-2025-58356
- **CVSS Score:** Not yet finalized (Critical/High severity implied)
- **CWE:** CWE-345: Insufficient Verification of Data Authenticity / CWE-311: Missing Encryption of Sensitive Data
## Affected Systems
- **Products:** Confidential Virtual Machines (CVMs) utilizing LUKS2 for disk encryption.
- **Versions:**
  - Oasis Protocol: `oasis-sdk` < v0.7.2
  - Phala Network: `dstack` < v0.5.4
  - Flashbots TDX: `tdx-init` < v0.2.0
  - Edgeless Constellation: `constellation` < v2.24.0
  - Edgeless Contrast: `contrast` < v1.12.1 / v1.13.0
  - Cosmian VM: `cosmian-vm` (pre-October 2025 patches)
  - Cryptsetup: versions prior to v2.8.1 (partial mitigation)
- **Configurations:** CVMs running on untrusted hosts (e.g., AMD SEV-SNP, Intel TDX) where the host has write access to the VM's encrypted disk images.
## Vulnerability Description
The flaw exists because LUKS2 metadata headers are malleable and not integrity-protected by the CVM's boot process. While the data volume is encrypted, the header—which defines the encryption algorithm—is stored in plaintext on the untrusted host's storage, and its built-in checksum is unkeyed, so the host can recompute it after editing.
An attacker (the malicious host) can modify the LUKS2 header to replace the legitimate encryption cipher (e.g., `aes-xts-plain64`) with `cipher_null-ecb`. The "null" cipher ignores the key and returns data unchanged. When the CVM boots and "decrypts" the drive, it uses the null cipher, so everything it subsequently writes to the "encrypted" volume lands on disk in plaintext, and attacker-supplied plaintext is read back as if it were legitimately encrypted data.
## Exploitation
- **Status:** PoC available (confirmed by Trail of Bits); No known exploitation in the wild.
- **Complexity:** Medium (Requires understanding of LUKS2 header structures).
- **Attack Vector:** Local/Adjacent (The attacker must be the host provider or have administrative access to the host machine/storage layer).
## Impact
- **Confidentiality:** Total. The host can read all data written to the "encrypted" volume.
- **Integrity:** Total. The host can modify disk contents, allowing for arbitrary code execution within the VM.
- **Availability:** High. The host can corrupt the disk or prevent the VM from mounting the volume.
## Remediation
### Patches
- **Cryptsetup v2.8.1:** Disables the use of `cipher_null` in keyslots as a partial mitigation.
- **Oasis SDK v0.7.2:** Implements header JSON validation.
- **Dstack v0.5.4:** Implements header JSON validation.
- **Flashbots tdx-init v0.2.0:** Implements MAC-based verification for headers.
- **Edgeless Constellation v2.24.0:** Implements header JSON validation.
### Workarounds
- Implement **Remote Attestation** policies that include the measurement of the disk encryption metadata.
- Ensure the LUKS2 header is included in the "reproducible" or "measured" part of the CVM boot process.
## Detection
- **Indicators of Compromise:** Presence of `cipher_null` within LUKS2 headers on VM disk images.
- **Detection Methods:**
  - Use `cryptsetup luksDump <device>` to inspect the cipher used in the headers.
  - Audit remote attestation reports to ensure the disk configuration matches the expected security profile.
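The following is an added example of the two defensive checks this advisory describes (the "header JSON validation" patches and the MAC-based header verification); it is not code from the advisory or from any of the affected projects. It parses the on-disk LUKS2 layout (a 4096-byte binary header with the magic, version and header size, followed by a NUL-padded JSON area) and validates every cipher string against an allow-list rather than only searching for `cipher_null`, because both the data segment's `encryption` and each keyslot's `area.encryption` can be downgraded. The `ALLOWED_CIPHERS` set, the `build_header` helper (which constructs a minimal header for testing, omitting the real format's checksum and salt fields), and the HMAC key are assumptions; in a real CVM the key would have to live inside the trusted boundary, e.g. sealed to the TEE, so that the host cannot re-sign a modified header.

```python
"""Detect a cipher_null downgrade in a LUKS2 header (added example)."""
import hashlib
import hmac
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"
BINARY_HDR_SIZE = 4096
# Allow-list of ciphers this deployment expects (assumption for the example).
# A deny-list of "cipher_null" alone would miss other unexpected substitutions.
ALLOWED_CIPHERS = {"aes-xts-plain64"}


def parse_luks2_header(blob: bytes) -> dict:
    """Return the JSON metadata of a LUKS2 header, checking magic and version."""
    if len(blob) < BINARY_HDR_SIZE or blob[:6] != LUKS2_MAGIC:
        raise ValueError("not a LUKS2 header")
    # version is a big-endian u16 at offset 6, hdr_size a big-endian u64 at offset 8
    version, hdr_size = struct.unpack_from(">HQ", blob, 6)
    if version != 2:
        raise ValueError(f"unsupported LUKS version {version}")
    if hdr_size > len(blob):
        raise ValueError("header truncated")
    json_area = blob[BINARY_HDR_SIZE:hdr_size].rstrip(b"\x00")
    return json.loads(json_area)


def find_cipher_violations(meta: dict) -> list:
    """List every segment or keyslot whose cipher is outside the allow-list."""
    findings = []
    for sid, seg in meta.get("segments", {}).items():
        enc = seg.get("encryption")
        if seg.get("type") == "crypt" and enc not in ALLOWED_CIPHERS:
            findings.append(f"segment {sid}: encryption={enc!r}")
    for kid, slot in meta.get("keyslots", {}).items():
        # the keyslot area cipher wraps the volume key; a null cipher here
        # lets any passphrase open the slot
        enc = slot.get("area", {}).get("encryption")
        if enc not in ALLOWED_CIPHERS:
            findings.append(f"keyslot {kid}: area.encryption={enc!r}")
    return findings


def header_tag(blob: bytes, key: bytes) -> bytes:
    """Keyed tag over the whole header. Unlike the unkeyed LUKS2 checksum,
    the host cannot recompute this without the key held inside the CVM."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def header_is_trusted(blob: bytes, key: bytes, expected_tag: bytes) -> bool:
    """Constant-time comparison of the header's tag against the pinned one."""
    return hmac.compare_digest(header_tag(blob, key), expected_tag)


def build_header(segment_cipher: str, keyslot_cipher: str) -> bytes:
    """Constructed minimal LUKS2 header for testing; not a real disk image."""
    meta = {
        "keyslots": {"0": {"type": "luks2", "key_size": 64,
                           "area": {"type": "raw", "encryption": keyslot_cipher,
                                    "key_size": 64, "offset": "32768",
                                    "size": "258048"}}},
        "segments": {"0": {"type": "crypt", "offset": "16777216",
                           "size": "dynamic", "iv_tweak": "0",
                           "encryption": segment_cipher, "sector_size": 512}},
        "digests": {},
        "config": {"json_size": "12288", "keyslots_size": "16744448"},
    }
    body = json.dumps(meta).encode()
    json_size = 12288
    header = bytearray(BINARY_HDR_SIZE + json_size)
    header[:6] = LUKS2_MAGIC
    struct.pack_into(">HQ", header, 6, 2, BINARY_HDR_SIZE + json_size)
    header[BINARY_HDR_SIZE:BINARY_HDR_SIZE + len(body)] = body
    return bytes(header)


# Constructed sample inputs: a legitimate header and the same header with the
# keyslot cipher swapped to cipher_null-ecb, as in the advisory.
GOOD_HEADER = build_header("aes-xts-plain64", "aes-xts-plain64")
TAMPERED_HEADER = build_header("aes-xts-plain64", "cipher_null-ecb")

if __name__ == "__main__":
    sealed_key = b"constructed-key-that-would-live-in-the-TEE"  # assumption
    pinned_tag = header_tag(GOOD_HEADER, sealed_key)
    for name, blob in (("good", GOOD_HEADER), ("tampered", TAMPERED_HEADER)):
        print(name, "violations:", find_cipher_violations(parse_luks2_header(blob)),
              "tag ok:", header_is_trusted(blob, sealed_key, pinned_tag))
```

Either check on its own would catch the downgrade on the constructed tampered header; in practice the allow-list check belongs in the CVM's boot path before it ever calls `cryptsetup open`, and the keyed tag (or measuring the header into the attestation report, as the Workarounds section suggests) is what stops the host from substituting a differently-but-validly configured header of its own.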
## References
- Trail of Bits Advisory: hxxps://blog[.]trailofbits[.]com/2025/10/30/vulnerabilities-in-luks2-disk-encryption-for-confidential-vms/
- Cryptsetup Issue Tracker: hxxps://gitlab[.]com/cryptsetup/cryptsetup/-/issues/954
- NVD CVE-2025-59054: hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2025-59054
- NVD CVE-2025-58356: hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2025-58356