Google security researchers have recently discovered CVE-2024-56161, a microprocessor vulnerability that could lead to the loss of Secure Encrypted Virtualization (SEV) protection, and allow an attacker to load malicious code. You can read the research here:
https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w
Google Security Team has identified a security vulnerability in some AMD Zen-based CPUs. This vulnerability allows an adversary with local administrator privileges (ring 0 from outside a VM) to load malicious microcode patches. We have demonstrated the ability to craft arbitrary malicious microcode patches on Zen 1 through Zen 4 CPUs. The vulnerability is that the CPU uses an insecure hash function in the signature validation for microcode updates. This vulnerability could be used by an adversary to compromise confidential computing workloads protected by the newest version of AMD Secure Encrypted Virtualization, SEV-SNP or to compromise Dynamic Root of Trust Measurement.
And:
Google notified AMD of this vulnerability on September 25, 2024. AMD subsequently provided an embargoed fix to its customers on December 17, 2024. To coordinate with AMD, we made a one-off exception to our standard vulnerability disclosure policy and delayed public disclosure until today, February 3, 2025. This joint disclosure occurs 46 days after AMD shared the fix with its customers and 131 days after Google’s initial report. Due to the deep supply chain, sequence and coordination required to fix this issue, we will not be sharing full details at this time in order to give users time to re-establish trust on their confidential-compute workloads. We will share additional details and tools on March 5, 2025.
Andrew Obadiaru, CISO, Cobalt had this comment:
“The discovery of this vulnerability, along with the subsequent collaboration between AMD and Google, underscores the importance of responsible vulnerability disclosure. By proactively identifying and addressing the issue before it could be widely exploited.
This vulnerability, tracked as CVE-2024-56161, highlights ongoing hardware security challenges. While CPU vulnerabilities are not new, they remain difficult to detect due to the complexity of modern processors. Additionally, many organizations, including major manufacturers, often prioritize performance over security when it comes to patching CPUs, as such updates can lead to performance trade-offs. Could this vulnerability be a result of that trade-off?
Organizations must ensure that users promptly apply patches through firmware updates, operating system patches, etc. More importantly, hardware manufacturers should prioritize security at the design stage rather than treating it as an afterthought once vulnerabilities are discovered.”
Gunter Ollmann, CTO, Cobalt adds this:
“For decades flawed or absent update security validation has been a common threat. Failure to sign patches, updates, firmware, and microcode, etc. and failure to verify the signature and identify tampering have seen countless otherwise secure devices and software to fall victim to targeted attack.
Silicon-level device security is both one of the hardest to master and the most vital. The root of trust starts and ends with the secrets within the silicon layer.
If security fails at the silicon-level than all the layers above (firmware, drivers, software, data storage) are undermined and compromised.”
It’s good that this is being fixed as AMD is seeing a rise in its fortunes in the processor space. Thus it is highly likely that it will be targeted by threat actors looking for weaknesses in their silicon that they can exploit to do their evil deeds.
Related
This entry was posted on February 4, 2025 at 4:42 pm and is filed under Commentary with tags AMD, Google. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
AMD Silicon Flaw Found By Security Researchers At Google
Google security researchers have recently discovered CVE-2024-56161, a microprocessor vulnerability that could lead to the loss of Secure Encrypted Virtualization (SEV) protection, and allow an attacker to load malicious code. You can read the research here:
https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w
Google Security Team has identified a security vulnerability in some AMD Zen-based CPUs. This vulnerability allows an adversary with local administrator privileges (ring 0 from outside a VM) to load malicious microcode patches. We have demonstrated the ability to craft arbitrary malicious microcode patches on Zen 1 through Zen 4 CPUs. The vulnerability is that the CPU uses an insecure hash function in the signature validation for microcode updates. This vulnerability could be used by an adversary to compromise confidential computing workloads protected by the newest version of AMD Secure Encrypted Virtualization, SEV-SNP or to compromise Dynamic Root of Trust Measurement.
And:
Google notified AMD of this vulnerability on September 25, 2024. AMD subsequently provided an embargoed fix to its customers on December 17, 2024. To coordinate with AMD, we made a one-off exception to our standard vulnerability disclosure policy and delayed public disclosure until today, February 3, 2025. This joint disclosure occurs 46 days after AMD shared the fix with its customers and 131 days after Google’s initial report. Due to the deep supply chain, sequence and coordination required to fix this issue, we will not be sharing full details at this time in order to give users time to re-establish trust on their confidential-compute workloads. We will share additional details and tools on March 5, 2025.
Andrew Obadiaru, CISO, Cobalt had this comment:
“The discovery of this vulnerability, along with the subsequent collaboration between AMD and Google, underscores the importance of responsible vulnerability disclosure. By proactively identifying and addressing the issue before it could be widely exploited.
This vulnerability, tracked as CVE-2024-56161, highlights ongoing hardware security challenges. While CPU vulnerabilities are not new, they remain difficult to detect due to the complexity of modern processors. Additionally, many organizations, including major manufacturers, often prioritize performance over security when it comes to patching CPUs, as such updates can lead to performance trade-offs. Could this vulnerability be a result of that trade-off?
Organizations must ensure that users promptly apply patches through firmware updates, operating system patches, etc. More importantly, hardware manufacturers should prioritize security at the design stage rather than treating it as an afterthought once vulnerabilities are discovered.”
Gunter Ollmann, CTO, Cobalt adds this:
“For decades flawed or absent update security validation has been a common threat. Failure to sign patches, updates, firmware, and microcode, etc. and failure to verify the signature and identify tampering have seen countless otherwise secure devices and software to fall victim to targeted attack.
Silicon-level device security is both one of the hardest to master and the most vital. The root of trust starts and ends with the secrets within the silicon layer.
If security fails at the silicon-level than all the layers above (firmware, drivers, software, data storage) are undermined and compromised.”
It’s good that this is being fixed as AMD is seeing a rise in its fortunes in the processor space. Thus it is highly likely that it will be targeted by threat actors looking for weaknesses in their silicon that they can exploit to do their evil deeds.
Share this:
Like this:
Related
This entry was posted on February 4, 2025 at 4:42 pm and is filed under Commentary with tags AMD, Google. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.