AMD on Monday issued two patches for severe microcode security flaws, defects that AMD said “could lead to the loss of Secure Encrypted Virtualization (SEV) protection.” The bugs were inadvertently revealed by a partner last week.
The most dangerous time for this kind of security hole is right after it is disclosed and before patches are applied. Due to the nature of microcode patches, enterprise users now have to wait for OEMs and other partners to implement the fixes in their hardware-specific microcode.
“This places more burden on hardware vendor OEMs to distribute and install. That may cause a delay in adoption,” said John Price, CEO at Cleveland-based security firm SubRosa. “This could potentially create a gap. The speed of adoption might not be as quick as we would like to see.”
Another security specialist, Flavio Villanustre, global chief information security officer of LexisNexis Risk Solutions, agreed with Price about the potential industry delays at issue. But Villanustre stressed that the delays, if any, will be different for each enterprise, depending on who their OEMs are and how quickly they move on these updates.
“Some OEMs have already fixed this issue in the last few weeks. I can’t say that every OEM has released, so some people could still be exposed,” Villanustre said. “It’s likely that many people are already on their way to getting this fixed. It may be fixed in the next couple of days, but if an OEM doesn’t have the resources, it might take weeks.”
Villanustre generally endorsed the way AMD has handled this situation. “This process was well-orchestrated,” he said.
Matt Kimball, VP and principal analyst at Moor Insights & Strategy, also said he believed that AMD did well in how it handled this situation.
“It’s good to see AMD working with its community to solve for these vulnerabilities quickly. The amount of work that goes into providing a fix — and thoroughly testing it — is extensive. It’s a big resource strain, so good coordination from AMD,” Kimball said. “It is an unfortunate reality that these vulnerabilities find their way into systems, but it’s a reality nonetheless. The real measure of a vendor is how quickly they respond to mitigating and nullifying these vulnerabilities. In the case of AMD, the response was swift and thorough.”
What is critical, Villanustre added, is that admins focus on the UEFI (Unified Extensible Firmware Interface), which is the interface between the OS and the firmware. If the UEFI, which used to be known as system BIOS, is not updated, the microcode problem will keep returning every time servers reboot, Villanustre explained. “This can be simply addressed by updating your UEFI.”
“This situation highlights how deeply firmware issues have become [embedded] in modern computing,” Price said. “It is going to make emergency patches more difficult in the future. Future microcode patches will require full system reboots.”
AMD released two patches for the problem. “AMD has made available a mitigation for this issue which requires updating microcode on all impacted platforms to help prevent an attacker from loading malicious microcode,” AMD said. “Additionally, an SEV firmware update is required for some platforms to support SEV-SNP attestation. Updating the system BIOS image and rebooting the platform will enable attestation of the mitigation. A confidential guest can verify the mitigation has been enabled on the target platform through the SEV-SNP attestation report.”
AMD said the cybersecurity risk of not deploying the patch is significant, explaining, “improper signature verification in the AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.”
The company stressed that “Microcode cannot be hot-loaded after updating to this PI [Platform Initialization] version” and that “minimum MilanPI_1.0.0.F is required to allow for hot-loading future microcode versions higher than those listed in the PI. #GP fault will occur if attempting to hot load microcode on older BIOS.”
AMD also issued a patch for a cache-based side-channel attack, which also impacts SEV. That side-channel issue impacts “1st Gen AMD EPYC Processors formerly codenamed Naples, 2nd Gen AMD EPYC Processors formerly codenamed Rome, 3rd Gen AMD EPYC Processors formerly codenamed Milan, 4th Gen AMD EPYC Processors formerly codenamed Genoa” and specifically AMD EPYC Embedded 3000, AMD EPYC Embedded 7002, AMD EPYC Embedded 7003 and AMD EPYC Embedded 9004.
The concern with these holes is that if an attacker can get access to the microcode, the bugs would enable potentially critical access.
Attackers that do have such capabilities, such as state sponsored actors, could use this flaw to deliver fake microcode that would appear to be signed by AMD or some other trusted source. The glitch hampers the chip’s ability to authenticate, which means the microcode might be able to modify CPU functionality.
Source:: Network World