'

SMM Callout Privilege Escalation Vulnerability found to impact AMD APU platforms

The issue will be fixed with AGESA updates, seemingly with no performance impact.

SMM Callout Privilege Escalation Vulnerability found to impact AMD APU platforms

SMM Callout Privilege Escalation Vulnerability found to impact AMD APU platforms

AMD has released a statement regarding a newly discovered vulnerability within the company's client and embedded APU platforms, security issues which impact product which were launched between 2016 and 2019.  

This vulnerability has been called SMM Callout Privilege Escalation (CVE-2020-12890), an issue which has been found to impact the AMD software that has been supplied to motherboard manufacturers for use with their Unified Extensible Firmware Interface (UEFI) infrastructure. As such, this security flaw can be addressed through a UEFI/BIOS update, seemingly with no negative performance impacts. These new UEFI/AGESA updates will be ready before the end of this month. 

SMM Callout Privilege Escalation was discovered by the security researched Danny Odler, who found that those with privileged physical or administrative access to affected systems could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code. This attack method is undetectable by the user's OS. 

Note that this is not a Speculative Execution style vulnerability. CVE-2020-12890 is a platform software vulnerability, which AMD has seemingly rectified in its latest AGESA code. The nature of this vulnerability means that it can be addressed with no performance impact, which is great news for users of AMD APUs. 

Below is what AMD has to say about the vulnerability. 


    AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020.

The targeted attack described in the research requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors. If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system.

AMD believes this only impacts certain client and embedded APU processors launched between 2016 and 2019. AMD has delivered the majority of the updated versions of AGESA to our motherboard partners and plans to deliver the remaining versions by the end of June 2020. AMD recommends following the security best practice of keeping devices up-to-date with the latest patches. End users with questions about whether their system is running on these latest versions should contact their motherboard or original equipment/system manufacturer.

We thank Danny Odler for his ongoing security research.

SMM Callout Privilege Escalation Vulnerability found to impact AMD APU platforms  

You can join the discussion on AMD's APUs being affected by an SMM Callout Privilege Escalation Vulnerability on the OC3D Forums

«Prev 1 Next»

Most Recent Comments

x

Register for the OC3D Newsletter

Subscribing to the OC3D newsletter will keep you up-to-date on the latest technology reviews, competitions and goings-on at Overclock3D. We won't share your email address with ANYONE, and we will only email you with updates on site news, reviews, and competitions and you can unsubscribe easily at any time.

Simply enter your name and email address into the box below and be sure to click on the links in the confirmation emails that will arrive in your e-mail shortly after to complete the registration.

If you run into any problems, just drop us a message on the forums.