AMD patches high severity security flaw affecting Zen chips
The patch was released in mid-December
![AMD logo](https://cdn.mos.cms.futurecdn.net/tEs5REvNWU2Jsmt9rEZU2j-970-80.jpg)
- AMD advisory warns about a new high-severity security flaw
- The bug affects Zen 1 to Zen 4 CPUs
- Abuse could lead to the loss of SEV-based protection of a confidential guest
Chipmaking giant AMD has confirmed it recently patched a high-severity vulnerability affecting its Zen 1 to Zen 4 CPUs.
The company published a new security advisory, detailing the bug and its potential for exploitation, noting, “Researchers from Google have provided AMD with information on a potential vulnerability that, if successfully exploited, could lead to the loss of SEV-based protection of a confidential guest.”
SEV is short for Secure Encrypted Virtualization, a hardware-based security feature designed to enhance the confidentiality and integrity of virtual machines (VMs) running on AMD EPYC processors. It encrypts the memory of individual VMs using unique encryption keys, ensuring that neither the hypervisor nor other VMs can access their data.
Mitigations available
The vulnerability is tracked as CVE-2024-56161, and has a severity score of 7.2/10 (high). It is described as an improper signature verification flaw in the AMD CPU ROM microcode patch loader, which could allow threat actors with local admin privileges to load malicious CPU microcode. As a result, the confidentiality and integrity of a confidential guest running under AMD SEV-SNP would be lost.
“AMD has made available a mitigation for this issue which requires updating microcode on all impacted platforms to help prevent an attacker from loading malicious microcode,” the company concluded.
“Additionally, an SEV firmware update is required for some platforms to support SEV-SNP attestation. Updating the system BIOS image and rebooting the platform will enable attestation of the mitigation. A confidential guest can verify the mitigation has been enabled on the target platform through the SEV-SNP attestation report.”
The company only publicly disclosed the flaw recently, but the patch was actually released in mid-December 2024. AMD decided to delay the announcement to give its customers enough time to mitigate the problem.
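AMD's statement above says a confidential guest can confirm the mitigation through the SEV-SNP attestation report. The following is an added example, not code from AMD or from this article: it reads the microcode security version number (SVN) from a report's TCB fields and compares it with a required minimum. The field offsets follow AMD's SEV-SNP ABI specification as an assumption, the threshold `MIN_SVN` is a placeholder, the sample reports are constructed, and the report signature is assumed to have been verified already.

```python
import struct

# Assumed layout (AMD SEV-SNP ABI spec, ATTESTATION_REPORT); not from the article.
REPORT_LEN = 0x4A0                      # report body plus 512-byte signature
TCB_OFFSETS = {"current_tcb": 0x38, "reported_tcb": 0x180, "committed_tcb": 0x1E0}

def parse_tcb(raw8):
    """Decode an 8-byte TCB_VERSION: bootloader, TEE, reserved[4], SNP fw, microcode."""
    boot, tee, _reserved, snp, ucode = struct.unpack("<BB4sBB", raw8)
    return {"bootloader": boot, "tee": tee, "snp": snp, "microcode": ucode}

def microcode_mitigated(report, min_ucode_svn):
    """Return (ok, per-field microcode SVNs) for a signature-verified report.

    The caller must already have verified the report signature against the
    AMD certificate chain; an unverified report proves nothing.
    """
    if len(report) != REPORT_LEN:
        raise ValueError(f"expected {REPORT_LEN} bytes, got {len(report)}")
    svns = {name: parse_tcb(report[off:off + 8])["microcode"]
            for name, off in TCB_OFFSETS.items()}
    # Every TCB view must meet the minimum: a patched current_tcb with an older
    # committed_tcb means the older level has not been ruled out as a rollback target.
    return all(v >= min_ucode_svn for v in svns.values()), svns

def build_sample_report(current, reported, committed):
    """Constructed sample: zeroed report with only the microcode SVN bytes set."""
    buf = bytearray(REPORT_LEN)
    struct.pack_into("<I", buf, 0, 2)   # version field (constructed value)
    for name, svn in zip(TCB_OFFSETS, (current, reported, committed)):
        buf[TCB_OFFSETS[name] + 7] = svn   # microcode SVN is the last TCB byte
    return bytes(buf)

MIN_SVN = 0x10  # PLACEHOLDER: the article gives no value; use the vendor's figure for your CPU
if __name__ == "__main__":
    print(microcode_mitigated(build_sample_report(0x12, 0x12, 0x12), MIN_SVN))
    print(microcode_mitigated(build_sample_report(0x12, 0x12, 0x0F), MIN_SVN))
```
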
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.