Three high-severity vulnerabilities have been disclosed in AMD’s client and embedded processors that came out between 2016 and 2019. An attacker with physical or privileged access to certain AMD powered systems could exploit the flaws to execute arbitrary code or take control of the firmware.
AMD, which dubs the flaws “SMM Callout Privilege Escalation” bugs, released a fix for one of the three, CVE-2020–14032, on June 8. The other two flaws (CVE-2020–12890 and another that has yet to be issued a CVE number) have not yet been fixed. However, in a security update last week, AMD said it plans deliver the fixes for the issues by the end of June 2020.
“AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020,” according to AMD.
The three vulnerabilities were reported by security researcher Danny Odler on April 2, who then went on to publish an analysis for the patched vulnerability earlier on June 13, after it was fixed. Odler told Threatpost, no further details are available on the other two flaws as of now because they are not yet fixed.
Odler said that the flaws exist on AMD’s Accelerated Processing Unit (APU) microprocessors, which are designed to act as both a CPU and GPU on a single die. He specifically tested the issue on the UEFI (Unified Extensible Firmware Interface) of AMD’s Mini PC product. AMD Mini PC was released by AMD in December 2019 as a direct competitor to small form factor computing units, including Intel’s NUC and Gigabyte Brix.
All three flaws exist on technology called System Management Mode (SMM). SMM is an operating mode that’s mainly responsible for CPU and chipset configurations, motherboard manufacturer code, and secured operations such as setting secure boot hashes, TPM (Trusted Platform Module) configurations and power management. SMM exists on microprocessors manufactured both by Intel and AMD. However, Odler confirmed to Threatpost that Intel NUC (which leverages SMM) is not exploitable for the same vulnerability.
The root cause of the SMM vulnerability is a lack of checks on the destination buffer address when calling SmmGetVariable() in the SMI (System Management Interrupt) handler 0xEF. The SMI 0xEF handler implements a wrapper logic for getting data to and from the UEFI variables, which then provide a way to store data that is shared between platform firmware and operating systems or UEFI applications. The SmmGetVariable function uses the ArgsStruct values to find the correct variable, read its data and store the data in a buffer – however, these ArgsStruct values are used directly “as is” without any validation, said Odler.
Because of this lack of validation, “as a result [the] attacker achieves generic write primitive to the most protected memory, SMRAM, and from now code execution in SMM is a trivial task as already explained,” said Odler. “Code execution in SMM is a game over for all security boundaries such as SecureBoot, Hypervisor, VBS, Kernel and more.”
The attacker would then be able to manipulate AMD’s microcode in the motherboard’s UEFI firmware. This microcode is labelled AMD Generic Encapsulated Software Architecture (AGESA). A full proof-of-concept video is available for the attack (below).
AMD, for its part, sought to downplay the attack, saying it requires privileged physical or administrative access to a system based on select AMD notebooks or embedded processors.
“If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system,” said AMD. “AMD believes this only impacts certain client and embedded APU processors launched between 2016 and 2019. AMD has delivered the majority of the updated versions of AGESA to our motherboard partners and plans to deliver the remaining versions by the end of June 2020.”
It’s only the latest AMD vulnerability. Earlier in March, researchers disclosed the “Take A Way” side channel attack that they said could leak potentially sensitivie data from AMD processors released between 2011 and 2019.
“AMD recommends following the security best practice of keeping devices up-to-date with the latest patches,” said AMD. “End users with questions about whether their system is running on these latest versions should contact their motherboard or original equipment/system manufacturer.”
Insider threats are different in the work-from home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyar, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about it. Please register here for this Threatpost webinar.