A safety vulnerability has been disclosed in AMD’s Safe Encrypted Virtualization (SEV) that might allow an attacker to load a malicious CPU microcode below particular circumstances.
The flaw, tracked as CVE-2024-56161, carries a CVSS rating of seven.2 out of 10.0, indicating excessive severity.
“Improper signature verification in AMD CPU ROM microcode patch loader could enable an attacker with native administrator privilege to load malicious CPU microcode leading to lack of confidentiality and integrity of a confidential visitor operating below AMD SEV-SNP,” AMD said in an advisory.
The chipmaker credited Google safety researchers Josh Eads, Kristoffer Janke, Eduardo Vela, Tavis Ormandy, and Matteo Rizzo for locating and reporting the flaw on September 25, 2024.
SEV is a security feature that makes use of a novel key per digital machine to isolate digital machines (VMs) and the hypervisor from each other. SNP, which stands for Safe Nested Paging, incorporates reminiscence integrity protections to create an remoted execution setting and safeguard in opposition to hypervisor-based assaults.
“SEV-SNP introduces a number of extra optionally available safety enhancements designed to assist extra VM use fashions, provide stronger safety round interrupt habits, and provide elevated safety in opposition to not too long ago disclosed aspect channel assaults,” according to AMD.
In a separate bulletin, Google noted that CVE-2024-56161 is the results of an insecure hash operate within the signature validation for microcode updates, which opens the door to a state of affairs the place an adversary may compromise confidential computing workloads.
The corporate has additionally launched a take a look at payload to show the vulnerability, however extra technical particulars have been withheld for one more month in order to offer sufficient time for the repair to be propagated throughout the “deep provide chain.”
Source link