Google Uncovers AMD Microcode Vulnerability

Researchers Uncover Vulnerability in AMD Microcode

Researchers from Google have discovered a vulnerability in AMD microcode that allows unauthorized modification of processor operations. By exploiting this vulnerability, attackers can manipulate the generation of random numbers, compromising AMD’s protective mechanisms, including the SEV-SNP virtualization system and the root of trust system.

Microcode, which controls the processor at a low level, is typically protected by AMD with a cryptographic signature. However, Google experts found a way to bypass this protection using a vulnerability in the hash algorithm used for checking signatures. This method works on all Zen architecture processors, such as Ryzen and Epyc.

To demonstrate the potential impact of modifying the microcode, the researchers released a patch that alters the RDRAND operation on Epyc and Ryzen 9 processors. This could be exploited by attackers to weaken cryptographic protection.

Exploiting this vulnerability requires access at the Ring-0 level, which limits its use to system administrators or sophisticated malicious programs. In cloud environments with trusted virtualization, however, substituting the microcode on the host could compromise the security of guest machines. SEV-SNP, AMD’s mechanism for protecting virtualized workloads, may also be compromised, allowing attackers to manipulate computational processes and access memory.

AMD has acknowledged the vulnerability and released updated microcode for server processors. Updates for desktop Ryzen and Threadripper processors will follow. With a BIOS update containing the fixed microcode, systems can automatically check the authenticity of loaded microcode updates and block unofficial versions.

The vulnerability has been assigned the identifier CVE-2024-56161 and given a severity rating of 7.2 on the CVSS scale. AMD recommends that all users update their motherboard firmware to safeguard against potential attacks. Google plans to disclose additional details about the vulnerabilities on March 5, 2025.
