Chipmaker Patch Tuesday: Intel, AMD Address New Microarchitectural Vulnerabilities

Chipmakers Intel and AMD have published 10 new security advisories this Patch Tuesday to inform customers about vulnerabilities impacting their products. 

Intel published eight new advisories, including two that describe high-severity vulnerabilities. One of the high-severity issues is a local privilege escalation impacting BIOS firmware for some Intel processors. 

The second is a local privilege escalation that impacts the on-chip debug and test interface in some 4th Generation Intel Xeon processors when using SGX or TDX technology. 

The remaining nine issues have a ‘medium’ or ‘low’ severity rating. Most of them impact processors and their exploitation could lead to information disclosure, denial of service, and local privilege escalation.

One of the information disclosure vulnerabilities, discovered internally by Intel and tracked as CVE-2023-28746, impacts only Atom processors. Named Register File Data Sampling (RFDS), the flaw has been described as a microarchitectural vulnerability that can allow a local attacker to obtain potentially sensitive data from memory. 

The issue has been compared to previously disclosed Microarchitectural Data Sampling (MDS) flaws. 

“At this time, there is no known practical RFDS value injection transient execution attack,” Intel noted.

One of Intel’s advisories covers four medium- and low-severity issues that can lead to DoS attacks, information disclosure, and privilege escalation. They impact the Converged Security Management Engine (CSME) installer, Local Manageability Service software, and Server Platform Servcies (SPS).

Advertisement. Scroll to continue reading.

The chip giant has released microcode updates and other patches that should address these vulnerabilities. 

Many of the flaws were found internally by Intel, which recently reported patching 353 security holes last year.

AMD has published two advisories. One is in response to a newly disclosed microarchitectural vulnerability named GhostRace, which impacts all major CPU makers, as well as Linux and other software. 

Intel does not appear to have mentioned GhostRace in its latest advisories, despite financially supporting the project. 

The second AMD advisory covers a WebGPU browser-based GPU cache side-channel attack method whose details will likely be made public soon by a team of academic researchers. 

“AMD does not believe that any exploit against AMD products is demonstrated by the researchers,” the company said.

Related: Chipmaker Patch Tuesday: Intel, AMD Address Over 130 Vulnerabilities

Related: Chipmaker Patch Tuesday: Intel, AMD Address Over 100 Vulnerabilities

Source: Original Post

“An interesting youtube video that may be related to the article above”