52/68 Thursday, February 6, 2025
AMD has released a patch to address CVE-2024-56161 (CVSS score: 7.2), a vulnerability discovered by researchers from Google. This flaw allowed attackers with administrative privileges to load malicious microcode into the CPU, impacting Secure Encrypted Virtualization (SEV) technology, which protects virtual machine (VM) memory from unauthorized access.
The vulnerability stemmed from the use of an insecure hashing function to verify microcode signatures. This flaw enabled attackers to craft malicious microcode targeting AMD Zen 1 to Zen 4 CPUs, compromising systems utilizing SEV-SNP, the latest version of Confidential Computing. To mitigate the issue, AMD has released microcode and firmware updates, urging users to update their BIOS and reboot their systems.
Researchers also developed a Proof of Concept (PoC) demonstrating how the vulnerability could be exploited to create harmful microcode for AMD Zen 1 to Zen 4 CPUs, potentially affecting Confidential Computing and Dynamic Root of Trust Measurement systems. AMD strongly advises users and administrators to update their systems immediately to mitigate the risk of exploitation.
Source https://securityaffairs.com/173831/security/amd-flaw-allowed-load-malicious-microcode.html
