AMD EPYC: Critical Security Leak in CPU Server 11 Comments
Image: AMD
Google Security researchers have informed AMD of a security gap in its server processors. A local attacker could load damaged firmware code via an inappropriate signature check. However, this requires administrator rights. However, the risk is classified as “high”.
According to AMD, the security leak, which is now closed by firmware update, with the identification CVE-2024-56161, concerns the EPYC 7001 series (Naples), EPYC 7002 (Rome), EPYC 7003 (Milan, Milan -X) and EPYC 9004 (Milan, Milan, Milan, Milan, Milan, Genoa, Génoa-X, Bergamo, Siena). The processors of Zen 1 to Zen 4 architectures are therefore affected. The current EPYC 7005 and 9005 cores with Zen-5 cores are not below.
Improper signature verification in the AMD CPU ROM microcode patch loader can allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running AMD SEV -SNP.
AMD
Google Security already reported the leak in September
Researchers from the Google security team had already recorded the weak point in September 2024 at AMD. As usual, silence was maintained so that potential attackers would not find out.
A solution followed in December
On December 17, AMD finally provided its commercial customers with a firmware update with which the weak point was closed. For this time to have had to play the update, the security gap was not made public until February 3, 2025.
However, Google researchers have not yet revealed all the details and only want to do so on March 5 to allow more time to consolidate the systems.
Due to the extensive supply chain, sequence and coordination required to remedy this issue, we will not announce full details to give users time to restore confidential compensation. We will announce more details and tools on March 5, 2025.
Google Security Team
Topics: AMD EPYC Processor Server Source Source: GitHub, AMD
Marc deciphers processors by testing their performance for gaming, content creation, and artificial intelligence.
