Yesterday, AMD and Google publicly disclosed September findings of a key microcode vulnerability in AMD Zen 1 to Zen 4 CPUs, specifically server/enterprise platform EPYC CPUs. This vulnerability, CVE-2024-56161, is discussed in more detail in the GitHub post from the Google Security Research team and, of course, AMD’s security bulletin on the vulnerability.
According to Google’s documentation, the original issue was reported on September 25, 2024, and subsequently fixed by AMD about two and a half months later, on December 17, 2024. The public disclosure date was delayed until yesterday, February 3, to give AMD’s customers time to apply the fix before the issue became more widespread.
Per AMD’s official wording, “Researchers from Google have provided AMD with information on a potential vulnerability that, if successfully exploited, could lead to the loss of SEV-based protection of a confidential guest.”
SEV refers to Secure Encrypted Virtualization, a feature used by server-grade AMD CPUs to allow virtualization. This usually means remote or on-site “thin clients” whose data is stored and managed in a central server. The devices they use to access it are so secondary that they sometimes have little to no processing power. The specific setup can vary. Still, the purpose of virtualizing several users is typically to save on hardware costs or provide a higher degree of security—sometimes both.
The loss of SEV-based protection through a microcode exploit means that the otherwise confidential data of virtualized users compromised by this exploit can now be stolen. However, malicious microcode loading could allow for more exploits than data theft.
The specific series of impacted AMD EPYC CPUs include the following: AMD EPYC 7001 (Naples), AMD Epyc 7002 (Rome), AMD Epyc 7003 (Milan and Milan-X), and AMD Epyc 9004 (Genoa, Genoa-X, and Bergamo/Siena). Microcode updates have fortunately already been released for impacted CPUs, so using the appropriate update utilities (BIOS updates, etc.) should work fine— but as AMD notes, a SEV firmware update may be required for some platforms to support the fix via SEV-SNP attestation properly.
0 Comments