AMD has released critical firmware updates to address a high-severity security vulnerability, identified as CVE-2024-56161. This flaw allows attackers to load malicious microcode onto unpatched AMD CPUs due to a weakness in the microcode patch loader, which fails to properly verify signatures. The vulnerability primarily affects systems that utilize AMD’s Secure Encrypted Virtualization (SEV) and its enhanced version, SEV-Secure Nested Paging (SEV-SNP). These technologies isolate virtualized guest systems from hypervisors.
Exploitation Risks
Attackers with local administrator privileges can exploit this vulnerability. This exploitation jeopardizes the confidentiality and integrity of sensitive workloads. SEV technology protects against such threats by isolating guests and hypervisors. SEV-SNP adds an additional layer of memory integrity protection to prevent malicious attacks. If an attacker gains access to a system with local admin rights, they could compromise workloads that rely on these security features.
Mitigation Measures
To mitigate this issue, AMD has issued microcode updates that block the execution of malicious microcode. Users must apply these updates. In some cases, they also need to update their system BIOS and reboot their systems to enable the necessary SEV firmware updates for SEV-SNP attestation. This process is crucial for maintaining system security against potential exploits.
Verification Process
Users can verify that the updates have been successfully applied by comparing their system’s microcode version against the following list:
- Naples: AMD EPYC 7001 Series (CPUID: 0x00800F12)
- Rome: AMD EPYC 7002 Series (CPUID: 0x00830F10)
- Milan: AMD EPYC 7003 Series (CPUID: 0x00A00F11)
- Milan-X: AMD EPYC 7003 Series (CPUID: 0x00A00F12)
- Genoa: AMD EPYC 9004 Series (CPUID: 0x00A10F11)
- Genoa-X: AMD EPYC 9004 Series (CPUID: 0x00A10F12)
- Bergamo/Siena: AMD EPYC 9004 Series (CPUID: 0x00AA0F02)
Discovery and Proof of Concept
The Google Security Team discovered the vulnerability and provided a proof-of-concept exploit. This exploit demonstrates how attackers can manipulate the RDRAND instruction on vulnerable AMD processors. The exploit forces the RDRAND instruction to return a fixed value, which neutralizes the attack’s potential impact on secure workloads.
Additional Security Concerns
Reports have also emerged about cache-based side-channel attacks that could affect multiple generations of EPYC processors. These attacks pose risks to data confidentiality and integrity. It is recommended that developers adopt best practices, such as using constant-time algorithms, to mitigate these risks. By following these guidelines, developers can help protect their applications and systems from potential vulnerabilities.
