According to this practice, developers and researchers in the field of information security inform the vendors of affected products about their discoveries, so that the vendors have the opportunity to close the gaps. Only after that is the information made public. In September last year, Google found vulnerabilities in server-class AMD EPYC processors related to Zen 4 architectures.


As noted by the authors of the bulletin, the vulnerability allowed attackers with local administrator rights to load malicious microcode patches, run malicious software on the victim's virtual machines and gain access to the victim's data. The flaw is that the processor uses an insecure hash function when verifying the signatures of microcode updates. Attackers can use this vulnerability to compromise confidential computing workloads protected by the latest version of AMD Secure Encrypted Virtualization, SEV-SNP, or to compromise Dynamic Root of Trust Measurement.

EPYC Naples, Rome, Milan and Genoa server processors were at risk, but Google experts passed on all the information needed to eliminate the vulnerability through confidential channels on September 25 last year, after which, by December 17, AMD was able to distribute the necessary updates among its customers.

Having waited out the pause AMD needed to fully eliminate the vulnerability, Google reported the vulnerability on its GitHub pages. To further protect AMD customers, Google representatives have promised to release additional details about the vulnerability, and tools for working with it, no earlier than March 5 of this year.
