Hacker News: AMD: Microcode Signature Verification Vulnerability

Feb 3, 2025

—

Source URL: https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w
Source: Hacker News
Title: AMD: Microcode Signature Verification Vulnerability

Feedly Summary: Comments

AI Summary and Description: Yes

Summary: The text discusses a security vulnerability in AMD Zen-based CPUs identified by Google’s Security Team, which allows local administrator-level attacks on the microcode verification process. This is significant for professionals in infrastructure and hardware security due to its potential impact on confidential computing workloads.

Detailed Description: The text details a discovered vulnerability within AMD’s Zen architecture CPUs that could pose serious security risks if exploited. Key points are as follows:

– **Vulnerability Identification**: The Google Security Team found that specific AMD CPUs suffer from a flaw in their microcode signature verification process.
– **Affected Versions**: CPUs with platform IDs (PIs) below Naples, Rome, Milan, and Genoa released before specified patched versions are at risk.
– **Exploitation Potential**: An adversary with local administrator privileges could load malicious microcode patches, compromising the integrity and confidentiality of workloads using AMD’s Secure Encrypted Virtualization (SEV-SNP).
– **Insecure Hash Function**: The root cause of the vulnerability lies in an insecure hash function utilized for signature verification of microcode updates.
– **Proof of Concept**: A demonstration payload for vulnerable models (Milan and Genoa) has been provided, indicating the vulnerability’s viability.
– **Severity and Impact**: The vulnerability has a high severity designation due to its potential to undermine confidentiality for users of SEV-SNP technology.
– **Disclosure Timeline**:
– Reported on September 25, 2024.
– Fix released on December 17, 2024.
– Public disclosure occurred on February 3, 2025, after a joint decision for coordinated disclosure with AMD.
– **Next Steps for Users**: AMD SEV-SNP users are advised to confirm their Trusted Computing Base (TCB) values through attestation reports, highlighting the importance of post-incident checks.

This information is critical for security professionals focused on hardware and infrastructure security, pointing to the need for diligent monitoring and patching practices within environments that leverage AMD CPUs for confidential computing workloads. The vulnerability underscores the importance of trusting the hardware and its components in cloud and server environments.

1 2 2024 3 4 5 7 a Act administrator privileges advisories after AI AMD and Arch architecture as attack attacks attestation based by C Cloud code code update Computing concept confidential computing confidentiality core CPUs critical D de decision demo design disclosure e environment exp exploit Exploitation focused for g Gen git GitHub Go Google Google Security Team hack hacker Hacker News hardware hardware security hash function high high severity Highlight HR http HTTPS in incident information infrastructure infrastructure security integrity ite J k Key l law led low Micro microcode microcode updates Mila mini model models Monitor monitoring nation news next NIST no o of on one over Patch patches patching patching practices platform point post potential professionals proof public R rag RCE red release report research Risk risks Ro RSA Rust s search sec secure Secure Encrypted Virtualization security security professionals security risk security risks security vulnerability server severity Sig signature verification source SSE T Tails tech technology test text the Time to Tor TP trust up update updates US use user Users V val verification verification process version virtualization vulnerability vulnerability identification Wi workload workloads x Zen