A high-severity microcode signature verification vulnerability in AMD’s Zen CPUs was recently disclosed following a leak of initial details last month. This vulnerability, known as CVE-2024-56161, was first brought to light on Jan. 21 when Google vulnerability researcher Tavis Ormandy emailed the Open Source Security mailing list about an Asus update page that included a patch for the vulnerability.
The vulnerability, which has a 7.2 CVSS score, stems from improper signature verification in AMD CPU ROM microcode patch loader. This flaw could potentially allow an attacker with local administrator privileges to load malicious CPU microcode, compromising the confidentiality and integrity of a confidential guest running under AMD SEV-SNP.
After the leak, AMD and Google worked together to officially disclose the vulnerability and provide a mitigation plan. The chipmaker thanked Google researchers Ormandy, Josh Eads, Kristoffer Janke, Eduardo Vela, and Matteo Rizzo in an advisory for their contributions to addressing the issue.
The disclosure of this vulnerability highlights the importance of maintaining system security and promptly addressing vulnerabilities in hardware components. AMD has made a mitigation available for affected microprocessors, which involves updating microcode and, in some cases, applying a firmware update for Secure Encrypted Virtualization (SEV) technology.
Eduardo Vela published a separate advisory on GitHub, providing additional insights into the vulnerability and its impact. The advisory outlines the ability of an adversary with local administrator privileges to load malicious microcode patches, posing a significant threat to system security.
Vela emphasized the complexity of fixing the vulnerability and the need for coordinated efforts to address the issue. The disclosure timeline indicated that Google reported the vulnerability on Sept. 25, it was fixed on Dec. 17, and coordinated disclosure officially began recently.
Due to the intricate nature of the vulnerability and the supply chain involved in addressing it, Vela noted that full details would not be shared at this time. However, additional information and tools will be made available on March 5, 2025, to assist users in securing their confidential-compute workloads.
As of press time, neither AMD nor Google has responded to requests for additional information regarding the vulnerability and its impact. The collaborative efforts between the two companies underscore the importance of addressing hardware vulnerabilities promptly to safeguard system security and protect confidential data.
In conclusion, the disclosure of the high-severity microcode signature verification vulnerability in AMD’s Zen CPUs serves as a reminder of the ongoing need for robust security measures and prompt mitigation strategies to address vulnerabilities in hardware components. The collaboration between AMD and Google to address this issue highlights the importance of coordinated efforts to enhance system security and protect against potential threats.