Thursday, June 18th 2020
New SMM Callout Privilege Escalation Vulnerability Affects AMD Platforms
AMD on Wednesday disclosed a new security vulnerability affecting certain client and APU processors launched between 2016 and 2019. Called the SMM Callout Privilege Escalation Vulnerability, discovered by Danny Odler and tracked as CVE-2020-12890, the vulnerability allows an attacker with elevated system privileges to manipulate the AGESA microcode encapsulated in the platform's UEFI firmware to execute arbitrary code undetected by the operating system. AMD plans to release AGESA updates that mitigate the vulnerability (at no apparent performance impact) to motherboard vendors and OEMs by the end of June 2020. Some of the latest platforms are already immune to the vulnerability. A statement by AMD follows.
Source: AMD
AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020.
The targeted attack described in the research requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors. If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system.
AMD believes this only impacts certain client and embedded APU processors launched between 2016 and 2019. AMD has delivered the majority of the updated versions of AGESA to our motherboard partners and plans to deliver the remaining versions by the end of June 2020. AMD recommends following the security best practice of keeping devices up-to-date with the latest patches. End users with questions about whether their system is running on these latest versions should contact their motherboard or original equipment/system manufacturer.
We thank Danny Odler for his ongoing security research.
25 Comments on New SMM Callout Privilege Escalation Vulnerability Affects AMD Platforms
With AGESA I don't know, you're gonna have to sneak in that update with newer BIOS versions.
The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.
Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.
But this instance is being reported by an independent organisation (mitre.org) so I'm not entirely sure what you're getting at....
Hmm..... I have a sneaking suspicion that unpatched AGESA will come in handy to test the true limit of AMD X86 CPU, if they will actually try to run anything we feed the pipeline.
Stay on the topic.
And, remember.... keep it civil !
Have a Good Day and Stay Safe.
Unlike our neighboring , doesn't announce anything and yet their system getting slower each Windows update, fine example my office's notebook i5-8350U is miles slower than Ryzen 3 2200U
It's worse that once the firmware is altered it's game over. That's pwnage of the highest order.
Still, it's patched (or will be for those on older systems) at no performance cost so whilst questionable, it's not the end of the world.
attacker with elevated system privileges
Does it make sense for an attacker with elevated system privileges to attack to begin with???
Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?
I mean "requires privileged physical or administrative access to a system", you gotta be kidding me...
Could invade the worker's home while he's @ work or invade the workplace @ night when there's nobody in the office, thus gaining physical access to the computer(s) in question @ which point the burglar would carry out his nefarious plan ...
Sure: both the home owner and the work place would become aware of the break in, but would they be aware their computer(s) was / were compromised?
Just a scenario I thought of.
Would that be sufficient or would the computer(s) be compromised already, despite the changed passwords?
You are citing an extreme exception to the norm in order to justify your claim. Sure a burglar could break into my house or place of work. All they have to do is get by security cameras, guards, coworkers, nosy neighbors, alarm systems, the deadbolts on my doors, my dogs, and my Glock - without being noticed, and get out again.
And while burglaries do happen, the vast majority are to grab valuables to sell for drug money. Not to plant malware on our systems.
Exceptions don't make the rule. Just because a vulnerability exists, that does not, in any way, mean it is easy to exploit, or that it will be exploited.
Is this AMD vulnerability (or the Intel vulnerability a few days ago) a bad thing? Sure. Is it going to affect any of us here at TPU? Highly unlikely.
Obviously this attack won't be scripted en masse but it is just sad that it is there in the first place.
Of course any vulnerability is sad. But it is unrealistic to think something as complex as a computer CPU, with many billions of transistor gates in each, could be flaw-free. Humans just are not capable of that "divine" feat.
But if something is possible, that still does not mean it is probable, either - especially considering all the other security precautions and measures one must defeat to get in there (and safely back out).