Google Security Team specialists reported details of a vulnerability (CVE-2024-56161) that allows bypassing the digital signature verification mechanism when updating microcode in AMD processors based on the Zen1 to Zen4 microarchitecture, as reported by the OpenNet resource.
The vulnerability has a CVSS severity rating of 7.2 out of 10, indicating it is a serious issue. “An improper signature check in the AMD CPU microcode patch loader could allow an attacker with local administrator privileges to load malicious microcode,” Google said in a statement. The researchers notified AMD of the vulnerability on September 25, 2024.
The vulnerability that allowed custom patches to be loaded into the microcode of AMD Zen 1-4 processors was caused by the use of the CMAC algorithm for verification instead of the recommended hash functions, which is not suitable for this purpose and is not protected from brute-force collisions. AMD fixed the vulnerability in a December microcode update by replacing CMAC with a cryptographically strong hash function.
Image Source: AMD
Google has also released Zentool under the Apache 2.0 license, which can be used to analyze microcode, manipulate it, and create patches to change the microcode in AMD Zen processors. Zentool includes the following commands: zentool edit — edits the parameters of microcode files, changes the microcode, and replaces individual instructions; zentool print — displays information about the structures and parameters of the microcode; zentool load — loads the microcode into the CPU; zentool resign — corrects the digital signature taking into account the changes added to the microcode. Zentool also includes the mcas and mcop utilities with assembler and disassembler implementations for the microcode.
Google has also produced a guide to the RISC86 microarchitecture used in AMD microcode, and guidance on creating your own microcode, explaining how to create your own processor instructions implemented in RISC86 microcode, change the behavior of existing instructions, and load microcode changes into the processor.