AMD said it plans to release firmware updates to fix a trio of bugs that affect its notebook and embedded system CPUs.
The three bugs, which AMD refers to as “SMM callouts”, allow attackers to take control of an AMD CPU’s UEFI firmware and, by extension, the entire computer.
AMD said the bugs affect a small fraction of its Accelerated Processing Unit (APU) CPUs released between 2016 and 2017. AMD APU processors, formerly known as AMD Fusion, are 64-bit microprocessors that include both a central processing unit (CPU) and a graphics processing unit (GPU) on the same silicon die.
SMM callout bugs
News of the three bugs surfaced last weekend, on Saturday, June 13, when a security researcher named Danny Odler published a Medium blog post detailing one of the three SMM callout bugs (one that had already been patched).
The vulnerabilities affect an area of AMD processors known as SMM, Odler said.
SMM, which stands for System Management Mode, is a layer that sits deep inside some types of AMD processors.
SMM is a part of the CPU’s UEFI firmware, and SMM code is typically assigned to handle hardware-related features such as power management, system sleep, hibernation, device emulation, memory errors, and CPU protection functions.
Because of its role in running the CPU and interacting with adjacent hardware components, SMM code runs with the highest level of privileges on a computer, with full control over the operating system’s kernel and hypervisors (virtual machines). In technical terms, SMM runs at Ring -2, the deepest level of the CPU’s privilege rings.
As a result, any attacker who manages to infect SMM usually has complete control not only of the OS but also of the computer’s hardware.
Last week, Odler said he found three bugs in AMD’s SMM module that could allow him to implant malicious code inside SMRAM (SMM’s internal memory) and run it with SMM privileges.
“Code execution in SMM is the end of the game for Secure Boot, hypervisors, VBS, kernels and many more security boundaries,” said the security researcher.
Video: https://www.youtube.com/watch?v=yUrb3lzl-Fo
Exploiting the SMM callout bugs requires either physical access to the victim’s computer or malware on the device that can run malicious code with admin privileges.
These conditions may seem prohibitive for a successful SMM callout attack; however, they haven’t stopped rootkit developers in the last 15 years, and they probably won’t stop any determined attackers either.
Full patches are coming later this month
Odler said he reported the three bugs to AMD in early April this year. At the time of writing, Odler said that AMD had already released patches for the first bug, tracked as CVE-2020-14032.
The other two bugs remain unpatched, but in a security advisory released this week, AMD said it plans to have AGESA patches ready later this month.
AGESA stands for AMD Generic Encapsulated Software Architecture and is AMD’s branded codename for its UEFI (Unified Extensible Firmware Interface) firmware.
Once the AGESA updates with the patches for the other two SMM callout bugs are ready, AMD said it will share the firmware with motherboard vendors and embedded system manufacturers.