AMD recently revealed a new security vulnerability that affects certain processors and embedded APUs released between 2016 and 2019.
Under the descriptive name of “SMM Callout Privilege Escalation” Vulnerability , labeled as CVE-2020-12890 , this new vulnerability allows the attacker access to high levels of system privileges to the point of manipulating the “AGESA” microcode encapsulated in the firmware UEFI of the platform to execute arbitrary code, without being detected by the operating system.
The company has already indicated that it has a mitigation in the form of a new “microcode” to solve the problem. Unfortunately, AMD did not disclose a full list of the affected embedded CPUs or APUs, but it doesn’t matter much since physical or administrative access to the system is required to exploit this new security vulnerability.
AMD plans to release new AGESA updates to mitigate this vulnerability, without having any performance impact on systems, to motherboard vendors and OEMs by the end of June 2020. Some of the latest AMD platforms are already immune to the vulnerability to some extent.
The targeted attack method described requires privileged administrative or physical access to a system based on a select group of AMD laptops or embedded processors. An attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code without being detected by the operating system. Like mentioned before, AMD believes this only affects certain customers and embedded APUs launched between 2016 and 2019.
AMD has already delivered updated versions of AGESA to motherboard partners and plans to release the remaining versions by the end of June 2020. AMD recommends keeping all the devices up-to-date with the latest patches. End users who are not sure whether the latest version works on their system should contact their motherboard manufacturer or original equipment manufacturer/OEM.
To quote the statement from AMD.
“AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020.
The targeted attack described in the research requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors. If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system.
AMD believes this only impacts certain client and embedded APU processors launched between 2016 and 2019. AMD has delivered the majority of the updated versions of AGESA to our motherboard partners and plans to deliver the remaining versions by the end of June 2020. AMD recommends following the security best practice of keeping devices up-to-date with the latest patches. End users with questions about whether their system is running on these latest versions should contact their motherboard or original equipment/system manufacturer.
We thank Danny Odler for his ongoing security research.”