Thursday, June 18th 2020

New SMM Callout Privilege Escalation Vulnerability Affects AMD Platforms

AMD on Wednesday disclosed a new security vulnerability affecting certain client and embedded APU processors launched between 2016 and 2019. Called the SMM Callout Privilege Escalation Vulnerability, discovered by Danny Odler and tracked as CVE-2020-12890, it allows an attacker who already holds elevated system privileges to manipulate the AGESA microcode encapsulated in the platform's UEFI firmware and execute arbitrary code undetected by the operating system. AMD plans to deliver AGESA updates that mitigate the vulnerability (with no apparent performance impact) to motherboard vendors and OEMs by the end of June 2020. Some of the latest platforms are already immune to the vulnerability.
A statement by AMD follows.

AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020.

The targeted attack described in the research requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors. If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system.

AMD believes this only impacts certain client and embedded APU processors launched between 2016 and 2019. AMD has delivered the majority of the updated versions of AGESA to our motherboard partners and plans to deliver the remaining versions by the end of June 2020. AMD recommends following the security best practice of keeping devices up-to-date with the latest patches. End users with questions about whether their system is running on these latest versions should contact their motherboard or original equipment/system manufacturer.

We thank Danny Odler for his ongoing security research.
Source: AMD

25 Comments on New SMM Callout Privilege Escalation Vulnerability Affects AMD Platforms

#1
3rold
I'm curious to see the performance impact on this one. They promise none, but who knows.
#2
cucker tarlson
Software patch mitigation is better. You can turn it off.
With AGESA I don't know, you're gonna have to sneak in that update with newer BIOS versions.
#3
mtcn77
Funny how these flags are raised only at launch dates.
#4
evernessince
3rold
I'm curious to see the performance impact on this one. They promise none, but who knows.
Given that this exploit has nothing to do with the way the processor handles data, yeah, the performance impact will be 0. It's a security hole that allows the attacker to manipulate AGESA in order to execute code.
cucker tarlson
Software patch mitigation is better. You can turn it off.
With AGESA I don't know, you're gonna have to sneak in that update with newer BIOS versions.
You do realize that AGESA runs at a lower level than Windows, right? Releasing a software update would literally do nothing.
#5
Chrispy_
See this, Intel? This is how you deal with security flaws.

The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.

Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.
#6
TheLostSwede
Chrispy_
See this, Intel? This is how you deal with security flaws.

The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.

Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.
And AMD even said thanks to the guy who found it...
#7
laszlo
Chrispy_
See this, Intel? This is how you deal with security flaws.

The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.

Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.
How do we really know if AMD (or others in the field) didn't have covered-up/bribed security flaws?
#8
Chrispy_
laszlo
How do we really know if AMD (or others in the field) didn't have covered-up/bribed security flaws?
We don't.

But this instance is being reported by an independent organisation (mitre.org) so I'm not entirely sure what you're getting at....
#9
champsilva
mtcn77
Funny how these flags are raised only at launch dates.
Usually AMD receives this information months earlier, and when the deadline arrives they do a blog post.
#10
Verpal
''execute arbitrary code undetected by the operating system. ''

Hmm..... I have a sneaking suspicion that unpatched AGESA will come in handy to test the true limit of AMD X86 CPU, if they will actually try to run anything we feed the pipeline.
#11
bug
evernessince
You do realize that AGESA runs at a lower level than Windows, right? Releasing a software update would literally do nothing.
AGESA is firmware. Operating systems have long had the ability to load more recent firmware versions than what's in the BIOS on startup. It's how one gets updates long after the manufacturer forgets about your model ;)
#12
95Viper
Enough of the mossad remarks.
Stay on the topic.
And, remember.... keep it civil!

Have a Good Day and Stay Safe.
#13
1d10t
This is a fine example from the underdog and slow CPU maker: assertive prevention and quick to respond.
Unlike our neighbor, who doesn't announce anything and yet their systems get slower with each Windows update; as a fine example, my office notebook's i5-8350U is miles slower than a Ryzen 3 2200U :wtf:
#14
mamisano
Per the AMD website (www.amd.com/en/corporate/product-security)
...requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors. If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system. :wtf:
The attacker first needs privileged access to the system in order to take advantage of the vulnerability.
#15
zlobby
mamisano
Per the AMD website (www.amd.com/en/corporate/product-security)
The attacker first needs privileged access to the system in order to take advantage of the vulnerability.
Not too hard to obtain such access, to be fair.
It's worse that once the firmware is altered it's game over. That's pwnage of the highest order.
#16
Camm
I'm somewhat concerned that such an elevation of rings is even possible.

Still, it's patched (or will be for those on older systems) at no performance cost, so whilst questionable, it's not the end of the world.
#17
Arumio
... and almost every time I see such articles there is always something like this:
attacker with elevated system privileges
Does it make sense for an attacker with elevated system privileges to attack to begin with???
#18
Bill_Bright
Arumio
... and almost every time I see such articles there is always something like this:
attacker with elevated system privileges
No, it is much more than that. You missed the most important part!

Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?
#19
medi01
A new portion of "AMD too" FUD from the known offenders.
I mean "requires privileged physical or administrative access to a system", you gotta be kidding me...
#20
HTC
Bill_Bright
No, it is much more than that. You missed the most important part!

Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?
Perhaps a burglar with a specific agenda?

Could invade the worker's home while he's @ work or invade the workplace @ night when there's nobody in the office, thus gaining physical access to the computer(s) in question @ which point the burglar would carry out his nefarious plan ...

Sure: both the home owner and the work place would become aware of the break in, but would they be aware their computer(s) was / were compromised?

Just a scenario I thought of.
#21
Bill_Bright
HTC
Perhaps a burglar with a specific agenda?
Just a scenario I thought of.
Yeah, and if that is the case, you have much greater concerns than a vulnerability in a CPU! Like your own, or your family's personal safety. :(
#22
HTC
Bill_Bright
Yeah, and if that is the case, you have much greater concerns than a vulnerability in a CPU! Like your own, or your family's personal safety. :(
While true, the burglary could be done in a way to divert the owner's "eyes" away from the computer so that the owner changed locks and computer passwords. And if instead of a home break in it were an office break in, they'd likely do the exact same thing: change locks and computer passwords.

Would that be sufficient or would the computer(s) be compromised already, despite the changed passwords?
#23
Bill_Bright
:( Nobody is saying you are wrong. But that just is not the point. The point is about many in the IT media seeking attention with sensationalized headlines, fanboys (on one side or the other) seeking to discredit the other side, tinfoil hat wearers believing they are constantly being watched, and the Chicken Littles who are convinced the world is about to end.

You are citing an extreme exception to the norm in order to justify your claim. Sure a burglar could break into my house or place of work. All they have to do is get by security cameras, guards, coworkers, nosy neighbors, alarm systems, the deadbolts on my doors, my dogs, and my Glock - without being noticed, and get out again.

And while burglaries do happen, the vast majority are to grab valuables to sell for drug money. Not to plant malware on our systems.

Exceptions don't make the rule. Just because a vulnerability exists, that does not, in any way, mean it is easy to exploit, or that it will be exploited.

Is this AMD vulnerability (or the Intel vulnerability a few days ago) a bad thing? Sure. Is it going to affect any of us here at TPU? Highly unlikely.
#24
zlobby
Bill_Bright
No, it is much more than that. You missed the most important part!

Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?
Hard doesn't mean impossible.
Obviously this attack won't be scripted en masse, but it is just sad that it is there in the first place.
#25
Bill_Bright
Hard doesn't mean impossible.
:( Again, nobody said it wasn't. Only a fool would! No doubt those in charge of Ft Knox would like to think it is impossible to steal all the gold there, but would they dare say it is impossible? No way! But is that really the point? No.

Of course any vulnerability is sad. But it is unrealistic to think something as complex as a computer CPU, with many billions of transistor gates in each, could be flaw-free. Humans just are not capable of that "divine" feat.

But if something is possible, that still does not mean it is probable, either - especially considering all the other security precautions and measures one must defeat to get in there (and safely back out).