Monday, May 17th 2021
Two New Security Vulnerabilities to Affect AMD EPYC Processors
AMD processors have been very good at the field of security, on par with its main competitor, Intel. However, from time to time, researchers find new ways of exploiting a security layer and making it vulnerable to all kinds of attacks. Today, we have information that two new research papers are being published at this year's 15th IEEE Workshop on Offensive Technologies (WOOT'21) happening on May 27th. Both papers are impacting AMD processor security, specifically, they show how AMD's Secure Encrypted Virtualization (SEV) is compromised. Researchers from the Technical University of Munich and the University of Lübeck are going to present their papers on CVE-2020-12967 and CVE-2021-26311, respectfully.
While we do not know exact details of these vulnerabilities until papers are presented, we know exactly which processors are affected. As SEV is an enterprise feature, AMD's EPYC lineup is the main target of these two new exploits. AMD says that affected processors are all of the EPYC embedded CPUs and the first, second, and third generation of regular EPYC processors. For third-generation EPYC CPUs, AMD has provided mitigation in SEV-SNP, which can be enabled. For prior generations, the solution is to follow best security practices and try to avoid an exploit.
Source:
AMD Security
While we do not know exact details of these vulnerabilities until papers are presented, we know exactly which processors are affected. As SEV is an enterprise feature, AMD's EPYC lineup is the main target of these two new exploits. AMD says that affected processors are all of the EPYC embedded CPUs and the first, second, and third generation of regular EPYC processors. For third-generation EPYC CPUs, AMD has provided mitigation in SEV-SNP, which can be enabled. For prior generations, the solution is to follow best security practices and try to avoid an exploit.
39 Comments on Two New Security Vulnerabilities to Affect AMD EPYC Processors
May 27th is the date for that little get together.
nvd.nist.gov/vuln/detail/CVE-2020-12967
nvd.nist.gov/vuln/detail/CVE-2021-26311
on par withsuperior to its main competitor, Intel."Fixed that.
Someone had there head in the sand with the amount of security exploits Intel has had with there CPUs from the last 15yrs lol
It will be nice when two more generations of hardware mitigation have been implemented. As stated in other articles in the past two years, all processor companies are suppose to implement by the end of 2023. Hopefully by then most of these flaws will be fixed.
research yourself, on google or bing etc.
what if companies deliberately leave these vulnerabilities in and then themselves expose these leading them to have to fix it at the cost of performance so they can sell you newer "now MUCH faster" processors, aka, form of planned obsolescence. :eek:
time to wake up sheeple !
"
The exploits mentioned in both papers require a malicious administrator to have access in order to compromise the server hypervisor.
"
This is not that much of an issue for many, it defends My VM at Microsoft, Amazon or wherever from other VM's.
However, AMD SEV also has a sales point of protecting me against Microsoft, Amazon or whatever as they should not know what's even going on in my VM hosted by them, so while it's not meltdown levels of security flaw it's a security issue that goes straight up against one of amd's sales points of SEV.
We'll have to wait and see if it matters, or is purely proof of concept or if it's patched or just.. broken SEV from that point of view.
CVE-2020-12967
Basically its possible, but not on guest or hosted VM side, for user / consumer perspective this should be harmless.
So from average users perspective these vulnerabilities do matter but not in terms of security.