Motherboard manufacturers have begun rolling out BIOS updates based on AGESA 1.2.0.3C firmware that fix the critical EntrySign vulnerability in AMD Zen 5 processors. The vulnerability affects processors of every Zen generation; updates for models from Zen 1 to Zen 4 were released earlier.
AMD started sending out the firmware update to motherboard makers in late March. It takes some time for each one to integrate it into their BIOS code, so the BIOS updates are only now starting to roll out — MSI, in particular, has already released one for some 800-series motherboards.
The EntrySign vulnerability, discovered by Google researchers, allows unsigned code, including malicious code, to be executed on the processor. It stems from a flaw in AMD's microcode signature verification process, which used AES-CMAC as its hash function, a weak choice for that role. Exploiting the vulnerability requires access at the operating system kernel level (ring 0), so in most cases a potential attacker would need to chain several other bugs to reach that level of access. In addition, microcode loaded at runtime ("hot"-loaded) does not survive a reboot: when the computer is powered off and restarted, the microcode reverts to the version built into the processor at the factory, and it can then be changed only through the BIOS or operating system mechanisms, which serves as a further protective barrier.
Beyond PCs, the vulnerability also threatens server processors, including the AMD Turin family (EPYC 9005), where it allows protections such as SEV and SEV-SNP to be bypassed and private data to be read from virtual machines. At the moment, the flaw has been fixed for all processors based on the AMD Zen 5 architecture, including Granite Ridge, Turin, Strix Point, Krackan Point, and Strix Halo, but not Fire Range (Ryzen 9000HX).
On an ordinary user's machine, exploiting this vulnerability would first require an attack of a different kind, for example following the BYOVD (Bring Your Own Vulnerable Driver) pattern, in which vulnerabilities in trusted, signed kernel-level drivers are exploited to gain ring 0 access. One such vulnerability was previously found in the Genshin Impact anti-cheat driver; its exploitation allowed kernel-level privileges to be obtained. Users are therefore advised to watch for BIOS updates from their motherboard manufacturer that indicate the use of AGESA 1.2.0.3C firmware.