AMD and Google Disclose High-Severity CPU Microcode Signature Verification Vulnerability

AMD and Google Unveil High-Severity Vulnerability in Zen CPUs

AMD and Google have jointly disclosed a major microcode signature verification vulnerability affecting the chipmaker’s Zen CPUs. The issue was inadvertently exposed last month, prompting a coordinated response from both companies to address the security risk.

Initial Leak and Official Disclosure

On January 21, Google vulnerability researcher Tavis Ormandy sent an email to the Open Source Security mailing list on SecLists.org, bringing attention to an Asus update page that contained a patch for an undisclosed “AMD Microcode Signature Verification Vulnerability.” Asus quickly removed the page, and AMD confirmed awareness of the vulnerability, though few details were available at the time.

The vulnerability was formally disclosed on Monday in a coordinated effort between AMD and Google, who acknowledged the contributions of researchers Tavis Ormandy, Josh Eads, Kristoffer Janke, Eduardo Vela, and Matteo Rizzo in their advisory.

Understanding the Vulnerability

Tracked as CVE-2024-56161, this high-severity vulnerability, rated 7.2 on the CVSS scale, impacts AMD CPUs. AMD described the flaw as follows: “Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode, leading to loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.”

Exploitation Risks

Exploiting this vulnerability requires local administrator access and the development and execution of malicious microcode. According to AMD, mitigating this risk involves updating the microcode for affected processors. Some platforms may also need a firmware update for AMD’s Secure Encrypted Virtualization (SEV) technology.

Google’s In-Depth Advisory

Eduardo Vela, a Google researcher, provided additional details in a separate advisory on GitHub. He noted that “This vulnerability allows an adversary with local administrator privileges (ring 0 from outside a VM) to load malicious microcode patches.” Vela demonstrated the ability to craft arbitrary malicious microcode patches on Zen 1 through Zen 4 CPUs.

The GitHub post includes a link to a proof-of-concept exploit and a timeline of events. Google reported the issue on September 25; it was resolved on December 17, and the coordinated disclosure process commenced last Monday.

Extending Disclosure Timeline

Vela extended the standard disclosure timeline due to the complex supply chain and coordination required to address the issue. “We will not be sharing full details at this time in order to give users time to re-establish trust on their confidential-compute workloads,” he wrote in his advisory. “We will share additional details and tools on March 5, 2025.”

Conclusion

The AMD and Google collaboration underscores the importance of coordinated vulnerability disclosures and the active role of industry partners in enhancing cybersecurity. While the vulnerability poses significant risks, the availability of mitigation steps should help safeguard affected users.

As this story unfolds, it remains crucial for users and organizations to stay informed and apply the necessary updates to protect their systems.


Alexander Culafi is a senior information security news writer and podcast host for Archynetys.
