AMD has released patches for a critical microcode vulnerability affecting Zen 1 to Zen 4 EPYC CPUs, which could allow malicious actors to load custom code onto vulnerable systems. The vulnerability, CVE-2024-56161, was disclosed by Google and AMD yesterday, February 3.
The issue, which was reported on September 25, 2024, allows attackers to exploit a flaw in the CPU’s signature verification mechanism. If exploited successfully, this could lead to the loss of SEV-based protection for confidential guest users, potentially exposing their sensitive data.
SEV is a feature used by server-grade CPUs to enable secure virtualization. The vulnerability, if exploited, means that even with SEV protection, attackers can still compromise user data.
The affected EPYC CPU series include the AMD EPYC 7001 (Naples), Epyc 7002 (Rome), Epyc 7003 (Milan and Milan-X), and Epyc 9004 (Genoa, Genoa-X, and Bergamo/Siena). However, microcode updates have already been released for impacted CPUs.
To ensure the fix is applied correctly, AMD notes that a SEV firmware update may be required for some platforms to support the fix via SEV-SNP attestation. Users should apply the most recent microcode update as soon as possible to avoid potential security risks.
The vulnerability’s impact goes beyond data theft; it allows for arbitrary microcode installation, which can enable more severe exploits. A proof-of-concept exploit was demonstrated by researchers, which could render encryption on affected CPUs trivially breakable. The risk is further exacerbated by the fact that many CPUs still in stock are vulnerable out of the box.
AMD has already released updates to address this issue, but it’s essential for users to be aware of the vulnerability and apply the necessary patches promptly.
Source: https://www.tomshardware.com/pc-components/cpus/amd-patches-a-critical-microcode-vulnerability-affecting-zen-1-to-zen-4-epyc-cpus