New SMM Callout Privilege Escalation Vulnerability Affects AMD Platforms

btarunr · Jun 18, 2020

AMD on Wednesday disclosed a new security vulnerability affecting certain client- and APU processors launched between 2016 and 2019. Called the SMM Callout Privilege Escalation Vulnerability, discovered by Danny Odler, and chronicled under CVE-2020-12890, the vulnerability involves an attacker with elevated system privileges to manipulate the AGESA microcode encapsulated in the platform's UEFI firmware to execute arbitrary code undetected by the operating system. AMD plans to release AGESA updates that mitigate the vulnerability (at no apparent performance impact), to motherboard vendors and OEMs by the end of June 2020. Some of the latest platforms are already immune to the vulnerability.

A statement by AMD follows.

AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020.

The targeted attack described in the research requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors. If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system.

AMD believes this only impacts certain client and embedded APU processors launched between 2016 and 2019. AMD has delivered the majority of the updated versions of AGESA to our motherboard partners and plans to deliver the remaining versions by the end of June 2020. AMD recommends following the security best practice of keeping devices up-to-date with the latest patches. End users with questions about whether their system is running on these latest versions should contact their motherboard or original equipment/system manufacturer.

We thank Danny Odler for his ongoing security research.

View at TechPowerUp Main Site

wurschti · Jun 18, 2020

I'm curious to see the performance impact on this one. They promise none, but who knows.

cucker tarlson · Jun 18, 2020

software patch mitigation is better.you can turn it off.
with agesa I don't know,you're gonna have to sneak in that update with newer bios versions.

mtcn77 · Jun 18, 2020

Funny how these flags are raised only at launch dates.

evernessince · Jun 18, 2020

3rold said:
I'm curious to see the performance impact on this one. They promise none, but who knows.

Given that this exploit has nothing to do with the way the processor handles data, yeah the performance impact will be 0. It's a security hole that allows the attacker to manipulate AGESA in order to execute code

cucker tarlson said:
software patch mitigation is better.you can turn it off.
with agesa I don't know,you're gonna have to sneak in that update with newer bios versions.

You do realize that AGESA runs at a lower level then windows right? Releasing a software update would literally do nothing.

Chrispy_ · Jun 18, 2020

See this, Intel? This is how you deal with security flaws.

The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.

Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.

TheLostSwede · Jun 18, 2020

Chrispy_ said:
See this, Intel? This is how you deal with security flaws.

The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.

Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.

And AMD even said thanks to the guy who found it...

laszlo · Jun 18, 2020

Chrispy_ said:
See this, Intel? This is how you deal with security flaws.

The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.

Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.

how we really know if amd(or others in the field) din't had covered/bribed security flaws?

Chrispy_ · Jun 18, 2020

laszlo said:
how we really know if amd(or others in the field) din't had covered/bribed security flaws?

We don't.

But this instance is being reported by an independent organisation (mitre.org) so I'm not entirely sure what you're getting at....

champsilva · Jun 18, 2020

mtcn77 said:
Funny how these flags are raised only at launch dates.

Usually AMD receive this information months ago and when the deadline arrive they do a blog post.

Verpal · Jun 18, 2020

''execute arbitrary code undetected by the operating system. ''

Hmm..... I have a sneaking suspicion that unpatched AGESA will come in handy to test the true limit of AMD X86 CPU, if they will actually try to run anything we feed the pipeline.

bug · Jun 18, 2020

evernessince said:
You do realize that AGESA runs at a lower level then windows right? Releasing a software update would literally do nothing.

AGESA is firmware. Operating systems have long had the ability to load more recent firmware versions than what's in the BIOS on startup. It's how one gets updates long after the manufacturer forgets about your model

95Viper · Jun 18, 2020

Enough of the mossad remarks.
Stay on the topic.
And, remember.... keep it civil !

Have a Good Day and Stay Safe.

1d10t · Jun 18, 2020

These are fine example from underdog and slow CPU maker, assertive prevention and quick to respond.
Unlike our neighboring , doesn't announce anything and yet their system getting slower each Windows update, fine example my office's notebook i5-8350U is miles slower than Ryzen 3 2200U :wtf:

mamisano · Jun 18, 2020

Per the AMD website (https://www.amd.com/en/corporate/product-security)

...requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors. If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system.

The attacker first needs privileged access to the system in order to take advantage of the vulnerability.

zlobby · Jun 18, 2020

mamisano said:
Per the AMD website (https://www.amd.com/en/corporate/product-security)

The attacker first needs privileged access to the system in order to take advantage of the vulnerability.

Not too hard to obtain such access, to be fair.
It's worse that once the firmware is altered it's game over. That's pwnage of the highest order.

Camm · Jun 18, 2020

I'm somewhat concerned that such an elevation of rings is even possible.

Still, its patched (or will be for those on older systems) at no performance cost so whilst questionable, its not the end of the world.

Arumio · Jun 19, 2020

... and almost every time i see such articles there is always something like this
attacker with elevated system privileges
Does it make sense for an attacker with elevated system privileges to attack to begin with???

Bill_Bright · Jun 20, 2020

Arumio said:
... and almost every time i see such articles there is always something like this
attacker with elevated system privileges

No, it is much more than that. You missed the most important part!

Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?

medi01 · Jun 20, 2020

A new portion of "AMD too" FUD from the known offenders.
I mean "requires privileged physical or administrative access to a system ", you gotta be kidding me...

HTC · Jun 20, 2020

Bill_Bright said:
No, it is much more than that. You missed the most important part!

Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?

Perhaps a burglar with a specific agenda?

Could invade the worker's home while he's @ work or invade the workplace @ night when there's nobody in the office, thus gaining physical access to the computer(s) in question @ which point the burglar would carry out his nefarious plan ...

Sure: both the home owner and the work place would become aware of the break in, but would they be aware their computer(s) was / were compromised?

Just a scenario i thought of.

Bill_Bright · Jun 20, 2020

HTC said:
Perhaps a burglar with a specific agenda?
Just a scenario i thought of.

Yeah, and if that is the case, you have much greater concerns than a vulnerability in a CPU! Like your own, or your family's personal safety.

HTC · Jun 20, 2020

Bill_Bright said:
Yeah, and if that is the case, you have much greater concerns than a vulnerability in a CPU! Like your own, or your family's personal safety.

While true, the burglary could be done in a way to divert the owner's "eyes" away from the computer so that the owner changed locks and computer passwords. And if instead of a home break in it were an office break in, they'd likely do the exact same thing: change locks and computer passwords.

Would that be sufficient or would the computer(s) be compromised already, despite the changed passwords?

Bill_Bright · Jun 20, 2020

Nobody is saying you are wrong. But that just is not the point. The point is about many in the IT media seeking attention with sensationalized headlines, fanboys (on one side or the other) seeking to discredit the other side, tinfoil hat wearers believing they are constantly being watched, and the Chicken Littles who are convinced the world is about to end.

You are citing an extreme exception to the norm in order to justify your claim. Sure a burglar could break into my house or place of work. All they have to do is get by security cameras, guards, coworkers, nosy neighbors, alarm systems, the deadbolts on my doors, my dogs, and my Glock - without being noticed, and get out again.

And while burglaries do happen, the vast majority are to grab valuables to sell for drug money. Not to plant malware on our systems.

Exceptions don't make the rule. Just because a vulnerability exists, that does not, in any way, mean it is easy to exploit, or that it will be exploited.

Is this AMD vulnerability (or the Intel vulnerability a few days ago) a bad thing? Sure. Is it going to affect any of us here at TPU? Highly unlikely.

zlobby · Jun 20, 2020

Bill_Bright said:
No, it is much more than that. You missed the most important part!

Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?

Hard doesn't mean impossible.
Obviously this attack won't be scripted en masse but it is just sad that it is there in a first place.

System Name	RBMK-1000
Processor	AMD Ryzen 7 5700G
Motherboard	ASUS ROG Strix B450-E Gaming
Cooling	DeepCool Gammax L240 V2
Memory	2x 8GB G.Skill Sniper X
Video Card(s)	Palit GeForce RTX 2080 SUPER GameRock
Storage	Western Digital Black NVMe 512GB
Display(s)	BenQ 1440p 60 Hz 27-inch
Case	Corsair Carbide 100R
Audio Device(s)	ASUS SupremeFX S1220A
Power Supply	Cooler Master MWE Gold 650W
Mouse	ASUS ROG Strix Impact
Keyboard	Gamdias Hermes E2
Software	Windows 11 Pro

System Name	Steam Deck LCD \| AluMaster
Processor	AMD Van Gogh 4-Core 8-Threads \| Core i7 5820k @ 4.5GHz
Motherboard	Stock \| GB G1 X99 Gaming
Cooling	Stock + MX4 Thermal Paste \| Thermalright Macho + 2x Arctic Cooling P12
Memory	16GB DDR5 5500 \| 32GB DDR4 2133
Video Card(s)	AMD Van Gogh 8 CUs \| RTX 3060 Ti Undervolt + OC @ 120W
Storage	512GB NVMe + 512GB MicroSD \| 512GB M.2 NVMe + 480GB SATA SSD
Display(s)	7" 800p (Deck) \| LG 34" Ultrawide + 27" both 75Hz \| 58" UHD TV
Case	Stock + Airflow Backplate (5C less and a lot less noise) \| Jonsbo RM2 Alu ATX 20L
Audio Device(s)	Jabra Elite 65T Bluetooth Headphones
Power Supply	Stock \| FSP 500W SFX
Mouse	Logitech MX-Master 3 Bluetooth \| PS4 controller (because gyro)
Keyboard	Logitech MX-Keys Bluetooth
Software	SteamOS \| Windows 10 IoT

System Name	Purple rain
Processor	10.5 thousand 4.2G 1.1v
Motherboard	Zee 490 Aorus Elite
Cooling	Noctua D15S
Memory	16GB 4133 CL16-16-16-31 Viper Steel
Video Card(s)	RTX 2070 Super Gaming X Trio
Storage	SU900 128,8200Pro 1TB,850 Pro 512+256+256,860 Evo 500,XPG950 480, Skyhawk 2TB
Display(s)	Acer XB241YU+Dell S2716DG
Case	P600S Silent w. Alpenfohn wing boost 3 ARGBT+ fans
Audio Device(s)	K612 Pro w. FiiO E10k DAC,W830BT wireless
Power Supply	Superflower Leadex Gold 850W
Mouse	G903 lightspeed+powerplay,G403 wireless + Steelseries DeX + Roccat rest
Keyboard	HyperX Alloy SilverSpeed (w.HyperX wrist rest),Razer Deathstalker
Software	Windows 10
Benchmark Scores	A LOT

Processor	Ryzen 7800X3D
Motherboard	ASRock X670E Taichi
Cooling	Noctua NH-D15 Chromax
Memory	32GB DDR5 6000 CL30
Video Card(s)	MSI RTX 4090 Trio
Storage	Too much
Display(s)	Acer Predator XB3 27" 240 Hz
Case	Thermaltake Core X9
Audio Device(s)	Topping DX5, DCA Aeon II
Power Supply	Seasonic Prime Titanium 850w
Mouse	G305
Keyboard	Wooting HE60
VR HMD	Valve Index
Software	Win 10

System Name	Bragging Rights
Processor	Atom Z3735F 1.33GHz
Motherboard	It has no markings but it's green
Cooling	No, it's a 2.2W processor
Memory	2GB DDR3L-1333
Video Card(s)	Gen7 Intel HD (4EU @ 311MHz)
Storage	32GB eMMC and 128GB Sandisk Extreme U3
Display(s)	10" IPS 1280x800 60Hz
Case	Veddha T2
Audio Device(s)	Apparently, yes
Power Supply	Samsung 18W 5V fast-charger
Mouse	MX Anywhere 2
Keyboard	Logitech MX Keys (not Cherry MX at all)
VR HMD	Samsung Oddyssey, not that I'd plug it into this though....
Software	W10 21H1, barely
Benchmark Scores	I once clocked a Celeron-300A to 564MHz on an Abit BE6 and it scored over 9000.

New SMM Callout Privilege Escalation Vulnerability Affects AMD Platforms

btarunr

Editor & Senior Moderator

wurschti

cucker tarlson

mtcn77

evernessince

Chrispy_

TheLostSwede

News Editor

laszlo

Chrispy_

champsilva

Verpal

bug

95Viper

Super Moderator

1d10t

mamisano

zlobby

Camm

Arumio

Bill_Bright

medi01

HTC

Bill_Bright

HTC

Bill_Bright

zlobby

System Name	Overlord Mk MLI
Processor	AMD Ryzen 7 7800X3D
Motherboard	Gigabyte X670E Aorus Master
Cooling	Noctua NH-D15 SE with offsets
Memory	32GB Team T-Create Expert DDR5 6000 MHz @ CL30-34-34-68
Video Card(s)	Gainward GeForce RTX 4080 Phantom GS
Storage	1TB Solidigm P44 Pro, 2 TB Corsair MP600 Pro, 2TB Kingston KC3000
Display(s)	Acer XV272K LVbmiipruzx 4K@160Hz
Case	Fractal Design Torrent Compact
Audio Device(s)	Corsair Virtuoso SE
Power Supply	be quiet! Pure Power 12 M 850 W
Mouse	Logitech G502 Lightspeed
Keyboard	Corsair K70 Max
Software	Windows 10 Pro
Benchmark Scores	https://valid.x86.fr/yfsd9w

System Name	2nd AMD puppy
Processor	FX-8350 vishera
Motherboard	Gigabyte GA-970A-UD3
Cooling	Cooler Master Hyper TX2
Memory	16 Gb DDR3:8GB Kingston HyperX Beast + 8Gb G.Skill Sniper(by courtesy of tabascosauz &TPU)
Video Card(s)	Sapphire RX 580 Nitro+;1450/2000 Mhz
Storage	SSD :840 pro 128 Gb;Iridium pro 240Gb ; HDD 2xWD-1Tb
Display(s)	Benq XL2730Z 144 Hz freesync
Case	NZXT 820 PHANTOM
Audio Device(s)	Audigy SE with Logitech Z-5500
Power Supply	Riotoro Enigma G2 850W
Mouse	Razer copperhead / Gamdias zeus (by courtesy of sneekypeet & TPU)
Keyboard	MS Sidewinder x4
Software	win10 64bit ltsc
Benchmark Scores	irrelevant for me

Processor	Intel i5-12600k
Motherboard	Asus H670 TUF
Cooling	Arctic Freezer 34
Memory	2x16GB DDR4 3600 G.Skill Ripjaws V
Video Card(s)	EVGA GTX 1060 SC
Storage	500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 2TB Crucial MX500
Display(s)	Dell U3219Q + HP ZR24w
Case	Raijintek Thetis
Audio Device(s)	Audioquest Dragonfly Red :D
Power Supply	Seasonic 620W M12
Mouse	Logitech G502 Proteus Core
Keyboard	G.Skill KM780R
Software	Arch Linux + Win10

System Name	Poor Man's PC
Processor	waiting for 9800X3D...
Motherboard	MSI B650M Mortar WiFi
Cooling	Thermalright Phantom Spirit 120 with Arctic P12 Max fan
Memory	32GB GSkill Flare X5 DDR5 6000Mhz
Video Card(s)	XFX Merc 310 Radeon RX 7900 XT
Storage	XPG Gammix S70 Blade 2TB + 8 TB WD Ultrastar DC HC320
Display(s)	Xiaomi G Pro 27i MiniLED + AOC 22BH2M2
Case	Asus A21 Case
Audio Device(s)	MPow Air Wireless + Mi Soundbar
Power Supply	Enermax Revolution DF 650W Gold
Mouse	Logitech MX Anywhere 3
Keyboard	Logitech Pro X + Kailh box heavy pale blue switch + Durock stabilizers
VR HMD	Meta Quest 2
Benchmark Scores	Who need bench when everything already fast?

System Name	Home PC
Processor	AMD Ryzen 7 1700
Motherboard	ASRock Fatal1ty X370 Gaming K4 AM4
Cooling	AMD Wraith Spire
Memory	16 GB Corsair Vengeance PC3000 DDR4
Video Card(s)	PowerColor RED DRAGON Radeon RX Vega 56
Storage	Samsung 850 Evo 1TB, Crucial MX300 500GB
Display(s)	Dell S2719DGF 1440p
Case	Phanteks Enthoo Pro Series PH-ES614P
Audio Device(s)	Onboard
Power Supply	SeaSonic M12II 620 Bronze
Mouse	Logitech G9X
Keyboard	Dell
Software	Windows 10 Pro

System Name	ATHENA
Processor	AMD 7950X
Motherboard	ASUS Crosshair X670E Extreme
Cooling	ASUS ROG Ryujin III 360, 13 x Lian Li P28
Memory	2x32GB Trident Z RGB 6000Mhz CL30
Video Card(s)	ASUS 4090 STRIX
Storage	3 x Kingston Fury 4TB, 4 x Samsung 870 QVO
Display(s)	Acer X38S, Wacom Cintiq Pro 15
Case	Lian Li O11 Dynamic EVO
Audio Device(s)	Topping DX9, Fluid FPX7 Fader Pro, Beyerdynamic T1 G2, Beyerdynamic MMX300
Power Supply	Seasonic PRIME TX-1600
Mouse	Xtrfy MZ1 - Zy' Rail, Logitech MX Vertical, Logitech MX Master 3
Keyboard	Logitech G915 TKL
VR HMD	Oculus Quest 2
Software	Windows 11 + Universal Blue

System Name	Brightworks Systems BWS-6 E-IV
Processor	Intel Core i5-6600 @ 3.9GHz
Motherboard	Gigabyte GA-Z170-HD3 Rev 1.0
Cooling	Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory	32GB (4 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s)	EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage	Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s)	Samsung S24E650BW LED x 2
Case	Fractal Design Define R4
Power Supply	EVGA Supernova 550W G2 Gold
Mouse	Logitech M190
Keyboard	Microsoft Wireless Comfort 5050
Software	W10 Pro 64-bit

System Name	M3401 notebook
Processor	5600H
Motherboard	NA
Memory	16GB
Video Card(s)	3050
Storage	500GB SSD
Display(s)	14" OLED screen of the laptop
Software	Windows 10
Benchmark Scores	3050 scores good 15-20% lower than average, despite ASUS's claims that it has uber cooling.

System Name	HTC's System
Processor	Ryzen 5 5800X3D
Motherboard	Asrock Taichi X370
Cooling	NH-C14, with the AM4 mounting kit
Memory	G.Skill Kit 16GB DDR4 F4 - 3200 C16D - 16 GTZB
Video Card(s)	Sapphire Pulse 6600 8 GB
Storage	1 Samsung NVMe 960 EVO 250 GB + 1 3.5" Seagate IronWolf Pro 6TB 7200RPM 256MB SATA III
Display(s)	LG 27UD58
Case	Fractal Design Define R6 USB-C
Audio Device(s)	Onboard
Power Supply	Corsair TX 850M 80+ Gold
Mouse	Razer Deathadder Elite
Software	Ubuntu 20.04.6 LTS