AMD Patches CPU Vulnerability Found by Google

Summary: AMD has released patches for a critical microprocessor vulnerability (CVE-2024-56161) that could allow attackers with local admin access to load malicious microcode, jeopardizing the integrity of systems using Secure Encrypted Virtualization (SEV). The vulnerability is attributed to improper signature verification in the microcode patch loader of AMD CPUs. Mitigations have been rolled out, requiring BIOS updates from OEM partners to ensure protection.

Affected: AMD microprocessors and systems utilizing Secure Encrypted Virtualization (SEV)

Key points:

  • Vulnerability CVE-2024-56161 has a CVSS score of 7.2, indicating high severity.
  • Malicious microcode could lead to loss of confidentiality and integrity for systems running AMD SEV-SNP.
  • OEMs need to provide BIOS updates that incorporate AMD’s mitigations after the AGESA updates.
  • Google security researchers noted that the flaw arises from an insecure hash function used in microcode signature validation.
  • Additional findings on cache-based side-channel attacks against SEV were reported by academics from National Taiwan University, urging developers to adopt security best practices.

Source: https://www.securityweek.com/amd-patches-cpu-vulnerability-found-by-google/