New SMM Callout Privilege Escalation Vulnerability Affects AMD Platforms

[btarunr]

AMD on Wednesday disclosed a new security vulnerability affecting certain client- and APU processors launched between 2016 and 2019. Called the SMM Callout Privilege Escalation Vulnerability, discovered by Danny Odler, and chronicled under CVE-2020-12890, the vulnerability involves an attacker with elevated system privileges to manipulate the AGESA microcode encapsulated in the platform's UEFI firmware to execute arbitrary code undetected by the operating system. AMD plans to release AGESA updates that mitigate the vulnerability (at no apparent performance impact), to motherboard vendors and OEMs by the end of June 2020. Some of the latest platforms are already immune to the vulnerability.



A statement by AMD follows.

AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020.

The targeted attack described in the research requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors. If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system.

AMD believes this only impacts certain client and embedded APU processors launched between 2016 and 2019. AMD has delivered the majority of the updated versions of AGESA to our motherboard partners and plans to deliver the remaining versions by the end of June 2020. AMD recommends following the security best practice of keeping devices up-to-date with the latest patches. End users with questions about whether their system is running on these latest versions should contact their motherboard or original equipment/system manufacturer.

We thank Danny Odler for his ongoing security research.

View at TechPowerUp Main Site

 

[wurschti]

I'm curious to see the performance impact on this one. They promise none, but who knows.

 

[cucker tarlson]

software patch mitigation is better.you can turn it off.
with agesa I don't know,you're gonna have to sneak in that update with newer bios versions.

 

[mtcn77]

Funny how these flags are raised only at launch dates.

 

[evernessince]

I'm curious to see the performance impact on this one. They promise none, but who knows.

Given that this exploit has nothing to do with the way the processor handles data, yeah the performance impact will be 0. It's a security hole that allows the attacker to manipulate AGESA in order to execute code

software patch mitigation is better.you can turn it off.
with agesa I don't know,you're gonna have to sneak in that update with newer bios versions.

You do realize that AGESA runs at a lower level then windows right? Releasing a software update would literally do nothing.

 

[Chrispy_]

See this, Intel? This is how you deal with security flaws.

The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.

Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.

 

[TheLostSwede]

See this, Intel? This is how you deal with security flaws.

The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.

Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.

And AMD even said thanks to the guy who found it...

 

[laszlo]

See this, Intel? This is how you deal with security flaws.

The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.

Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.

how we really know if amd(or others in the field) din't had covered/bribed security flaws?

 

[Chrispy_]

how we really know if amd(or others in the field) din't had covered/bribed security flaws?

We don't.

But this instance is being reported by an independent organisation (mitre.org) so I'm not entirely sure what you're getting at....

 

[champsilva]

Funny how these flags are raised only at launch dates.

Usually AMD receive this information months ago and when the deadline arrive they do a blog post.

 

[Verpal]

''execute arbitrary code undetected by the operating system. ''

Hmm..... I have a sneaking suspicion that unpatched AGESA will come in handy to test the true limit of AMD X86 CPU, if they will actually try to run anything we feed the pipeline.

 

[bug]

You do realize that AGESA runs at a lower level then windows right? Releasing a software update would literally do nothing.

AGESA is firmware. Operating systems have long had the ability to load more recent firmware versions than what's in the BIOS on startup. It's how one gets updates long after the manufacturer forgets about your model

 

[95Viper]

Enough of the mossad remarks.
Stay on the topic.
And, remember.... keep it civil !

Have a Good Day and Stay Safe.

 

[1d10t]

These are fine example from underdog and slow CPU maker, assertive prevention and quick to respond.
Unlike our neighboring , doesn't announce anything and yet their system getting slower each Windows update, fine example my office's notebook i5-8350U is miles slower than Ryzen 3 2200U

 

[mamisano]

Per the AMD website (https://www.amd.com/en/corporate/product-security)

...requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors. If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system.

The attacker first needs privileged access to the system in order to take advantage of the vulnerability.

 

[zlobby]

Per the AMD website (https://www.amd.com/en/corporate/product-security)


The attacker first needs privileged access to the system in order to take advantage of the vulnerability.

Not too hard to obtain such access, to be fair.
It's worse that once the firmware is altered it's game over. That's pwnage of the highest order.

 

[Camm]

I'm somewhat concerned that such an elevation of rings is even possible.

Still, its patched (or will be for those on older systems) at no performance cost so whilst questionable, its not the end of the world.

 

[Arumio]

... and almost every time i see such articles there is always something like this
attacker with elevated system privileges
Does it make sense for an attacker with elevated system privileges to attack to begin with???

 

[Bill_Bright]

... and almost every time i see such articles there is always something like this
attacker with elevated system privileges

No, it is much more than that. You missed the most important part!

Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?

 

[medi01]

A new portion of "AMD too" FUD from the known offenders.
I mean "requires privileged physical or administrative access to a system ", you gotta be kidding me...

 

[HTC]

No, it is much more than that. You missed the most important part!

Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?

Perhaps a burglar with a specific agenda?

Could invade the worker's home while he's @ work or invade the workplace @ night when there's nobody in the office, thus gaining physical access to the computer(s) in question @ which point the burglar would carry out his nefarious plan ...

Sure: both the home owner and the work place would become aware of the break in, but would they be aware their computer(s) was / were compromised?

Just a scenario i thought of.

 

[Bill_Bright]

Perhaps a burglar with a specific agenda?
Just a scenario i thought of.

Yeah, and if that is the case, you have much greater concerns than a vulnerability in a CPU! Like your own, or your family's personal safety.

 

[HTC]

Yeah, and if that is the case, you have much greater concerns than a vulnerability in a CPU! Like your own, or your family's personal safety.

While true, the burglary could be done in a way to divert the owner's "eyes" away from the computer so that the owner changed locks and computer passwords. And if instead of a home break in it were an office break in, they'd likely do the exact same thing: change locks and computer passwords.

Would that be sufficient or would the computer(s) be compromised already, despite the changed passwords?

 

[Bill_Bright]

Nobody is saying you are wrong. But that just is not the point. The point is about many in the IT media seeking attention with sensationalized headlines, fanboys (on one side or the other) seeking to discredit the other side, tinfoil hat wearers believing they are constantly being watched, and the Chicken Littles who are convinced the world is about to end.

You are citing an extreme exception to the norm in order to justify your claim. Sure a burglar could break into my house or place of work. All they have to do is get by security cameras, guards, coworkers, nosy neighbors, alarm systems, the deadbolts on my doors, my dogs, and my Glock - without being noticed, and get out again.

And while burglaries do happen, the vast majority are to grab valuables to sell for drug money. Not to plant malware on our systems.

Exceptions don't make the rule. Just because a vulnerability exists, that does not, in any way, mean it is easy to exploit, or that it will be exploited.

Is this AMD vulnerability (or the Intel vulnerability a few days ago) a bad thing? Sure. Is it going to affect any of us here at TPU? Highly unlikely.

 

[zlobby]

No, it is much more than that. You missed the most important part!

Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?

Hard doesn't mean impossible.
Obviously this attack won't be scripted en masse but it is just sad that it is there in a first place.