Re: AMD Microcode Signature Verification Vulnerability

[Solar Designer <solar () openwall com>]

On Wed, Jan 22, 2025 at 07:52:48AM -0800, Tavis Ormandy wrote:
> On Tue, Jan 21, 2025 at 11:38:16PM -0500, Demi Marie Obenour wrote:
> > On Tue, Jan 21, 2025 at 06:31:31PM -0800, Tavis Ormandy wrote:
> > > It looks like an OEM leaked the patch for a major upcoming CPU
> > > vulnerability, i.e. "AMD Microcode Signature Verification
> > > Vulnerability":
> > >
> > > https://rog.asus.com/motherboards/rog-strix/rog-strix-x870-i-gaming-wifi/helpdesk_bios/
> > >
> > > I'm not thrilled about this - the patch is *not* currently in
> > > linux-firmware, so this is the only publicly available patch.
> > >
> > > However, other people are discussing how to extract them:
> > >
> > > https://winraid.level1techs.com/t/offer-intel-amd-via-cpu-microcode-archives-1995-present/102857/53
> >
> > Is this fix effective, or can it be bypassed via a downgrade attack?
>
> I'm not sure yet, the vendor has been really excruciating to deal with,
> this is the first time I've been allowed to see the patch!! :(

Much of the info is finally public (with more planned for March):

https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w

> AMD: Microcode Signature Verification Vulnerability
> sirdarckcat published GHSA-4xq7-4mgh-gp6w Feb 3, 2025
>
> Package
> AMD CPUs
>
> Affected versions
> Zen 1-4 CPUs
>
> Patched versions
> Naples/Rome/Milan PI 2024-12-13 and Genoa 2024-12-16
>
> Description
>
> Summary
>
> Google Security Team has identified a security vulnerability in some AMD
> Zen-based CPUs. This vulnerability allows an adversary with local
> administrator privileges (ring 0 from outside a VM) to load malicious
> microcode patches. We have demonstrated the ability to craft arbitrary
> malicious microcode patches on Zen 1 through Zen 4 CPUs. The
> vulnerability is that the CPU uses an insecure hash function in the
> signature validation for microcode updates. This vulnerability could be
> used by an adversary to compromise confidential computing workloads
> protected by the newest version of AMD Secure Encrypted Virtualization,
> SEV-SNP or to compromise Dynamic Root of Trust Measurement.
>
> AMD SEV-SNP users can verify the fix by confirming TCB values for SNP in
> their attestation reports (can be observed from a VM, consult AMD's
> security bulletin for further details).
>
> Severity
>
> HIGH - Improper signature verification in AMD CPU ROM microcode patch
> loader may allow an attacker with local administrator privilege to load
> malicious CPU microcode resulting in loss of confidentiality and
> integrity of a confidential guest running under AMD SEV-SNP.
>
> Proof of Concept
>
> A test payload for Milan and Genoa CPUs that makes the RDRAND
> instruction return 4 can be downloaded here (applying it requires the
> user to be root from outside of a VM).
>
> Timeline
>
> Date reported: September 25, 2024
> Date fixed: December 17, 2024
> Date disclosed: February 3, 2025
>
> Google notified AMD of this vulnerability on September 25, 2024. AMD
> subsequently provided an embargoed fix to its customers on December 17,
> 2024. To coordinate with AMD, we made a one-off exception to our
> standard vulnerability disclosure policy and delayed public disclosure
> until today, February 3, 2025. This joint disclosure occurs 46 days
> after AMD shared the fix with its customers and 131 days after Google's
> initial report. Due to the deep supply chain, sequence and coordination
> required to fix this issue, we will not be sharing full details at this
> time in order to give users time to re-establish trust on their
> confidential-compute workloads. We will share additional details and
> tools on March 5, 2025.

> CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
> CVE-2024-56161
>
> Credits
>
>     @josheads josheads Finder
>     @spq spq Finder
>     @matrizzo matrizzo Finder
>     @sirdarckcat sirdarckcat Finder
>     @taviso taviso Finder

There's a PoC in:

https://github.com/google/security-research/tree/master/pocs/cpus/entrysign

> Tested on AMD EPYC 7B13 64-Core Processor (Milan) and AMD Ryzen 9 7940HS
> w/ Radeon 780M Graphics (Phoenix).

> We've provided these PoCs to demonstrate that this vulnerability allows
> an adversary to produce arbitrary microcode patches. They cause the
> RDRAND instruction to always return the constant 4, but also set the
> carry flag (CF) to 0 to indicate that the returned value is invalid.
> Because correct use of the RDRAND instruction requires checking that CF
> is 1, this PoC can not be used to compromise correctly functioning
> confidential computing workloads. Additional tools and resources will be
> made public on March 5.

The corresponding AMD security bulletin is:

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html

> AMD SEV Confidential Computing Vulnerability

> AMD has made available a mitigation for this issue which requires
> updating microcode on all impacted platforms to help prevent an attacker
> from loading malicious microcode. Additionally, an SEV firmware update
> is required for some platforms to support SEV-SNP attestation. Updating
> the system BIOS image and rebooting the platform will enable attestation
> of the mitigation. A confidential guest can verify the mitigation has
> been enabled on the target platform through the SEV-SNP attestation
> report.

Alexander