- AMD advisory warns of a new high-severity security flaw
- The bug affects Zen 1 to Zen 4 CPUs
- Exploitation may result in the loss of SEV-based protection for a confidential guest
Chipmaking giant AMD has confirmed it recently patched a high-severity vulnerability affecting its Zen 1 to Zen 4 CPUs.
The company published a new security advisory detailing the bug and its potential for exploitation, noting, “Researchers from Google have provided AMD with information on a potential vulnerability that, if successfully exploited, could lead to the loss of SEV-based protection of a confidential guest.”
SEV is short for Secure Encrypted Virtualization, a hardware-based security feature designed to strengthen the confidentiality and integrity of virtual machines (VMs) running on AMD EPYC processors. It encrypts the memory of individual VMs using unique encryption keys, ensuring that neither the hypervisor nor other VMs can access their data.
Mitigations available
The vulnerability is tracked as CVE-2024-56161 and has a severity score of 7.2/10 (high). It is described as an improper signature verification flaw in the AMD CPU ROM microcode patch loader, which could allow threat actors with local admin privileges to load malicious CPU microcode. As a result, the confidentiality and integrity of a confidential guest running under AMD SEV-SNP would be lost.
“AMD has made available a mitigation for this issue which requires updating microcode on all impacted platforms to help prevent an attacker from loading malicious microcode,” the company concluded.
“Additionally, an SEV firmware update is required for some platforms to support SEV-SNP attestation. Updating the system BIOS image and rebooting the platform will enable attestation of the mitigation. A confidential guest can verify the mitigation has been enabled on the target platform through the SEV-SNP attestation report.”
The company only publicly disclosed the flaw recently, but the patch was actually released in mid-December 2024. AMD decided to delay the announcement to give its customers enough time to mitigate the problem.
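As an added illustration of that last point (example code written for this page, not AMD's or the advisory's), here is how a guest-side verifier could read the microcode and SNP firmware components of the TCB from an SEV-SNP attestation report and compare them with a required minimum. Field offsets follow the SEV-SNP ABI attestation report layout; the minimum TCB values are placeholders (the real ones come from AMD's advisory for the specific CPU family), the sample report is constructed, and signature verification of the report against the VCEK certificate chain is assumed to be done beforehand.

```python
import struct

# Offsets follow the SEV-SNP ABI ATTESTATION_REPORT layout (assumed 0x4A0-byte report).
REPORT_LEN = 0x4A0
OFF_VERSION = 0x000
OFF_CURRENT_TCB = 0x038
OFF_REPORTED_TCB = 0x180
OFF_COMMITTED_TCB = 0x1E0

# PLACEHOLDER minimum: substitute the post-mitigation values published by AMD for the platform.
MIN_TCB_PLACEHOLDER = {"snp": 0x18, "microcode": 0xD4}

def parse_tcb(raw8: bytes) -> dict:
    """Split an 8-byte TCB_VERSION: byte 0 boot loader, byte 1 TEE,
    bytes 2-5 reserved, byte 6 SNP firmware, byte 7 microcode."""
    return {"boot_loader": raw8[0], "tee": raw8[1], "snp": raw8[6], "microcode": raw8[7]}

def parse_report(report: bytes) -> dict:
    """Extract the version and the three TCB fields a relying party cares about."""
    if len(report) != REPORT_LEN:
        raise ValueError(f"unexpected report length {len(report)}")
    fields = {"version": struct.unpack_from("<I", report, OFF_VERSION)[0]}
    for name, off in (("current_tcb", OFF_CURRENT_TCB),
                      ("reported_tcb", OFF_REPORTED_TCB),
                      ("committed_tcb", OFF_COMMITTED_TCB)):
        fields[name] = parse_tcb(report[off:off + 8])
    return fields

def tcb_meets_minimum(tcb: dict, minimum: dict) -> bool:
    """Every component named in `minimum` must be at or above the required level."""
    return all(tcb[k] >= v for k, v in minimum.items())

def mitigation_attested(report: bytes, minimum: dict = MIN_TCB_PLACEHOLDER) -> bool:
    """Assumes the report signature was already verified with the VCEK issued for REPORTED_TCB.
    REPORTED_TCB is what the certificate is bound to; CURRENT_TCB is what actually runs.
    Both must clear the minimum, since a platform may report a lower TCB than it runs."""
    r = parse_report(report)
    return (tcb_meets_minimum(r["reported_tcb"], minimum)
            and tcb_meets_minimum(r["current_tcb"], minimum))

def build_sample_report(microcode: int, snp: int = 0x18) -> bytes:
    """Constructed sample (zeros except version and TCB fields); not a real attestation report."""
    buf = bytearray(REPORT_LEN)
    struct.pack_into("<I", buf, OFF_VERSION, 2)
    tcb = bytes([0x03, 0x00, 0, 0, 0, 0, snp, microcode])
    for off in (OFF_CURRENT_TCB, OFF_REPORTED_TCB, OFF_COMMITTED_TCB):
        buf[off:off + 8] = tcb
    return bytes(buf)

if __name__ == "__main__":
    print(mitigation_attested(build_sample_report(0xD4)))  # True: at placeholder minimum
    print(mitigation_attested(build_sample_report(0xD0)))  # False: microcode below minimum
```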