AMD said it plans to release firmware updates to fix a trifecta of bugs that impact some of its notebook and embedded systems CPUs.
The three bugs, which AMD refers to as “SMM Callout,” allow attackers to take control over the UEFI firmware of AMD CPUs and, by extension, of the entire computer.
AMD said the bugs impact a small fraction of Accelerated Processing Unit (APU) CPUs released between 2016 and 2019. AMD APU processors, formerly known as AMD Fusion, are small-sized 64-bit microprocessors that include both a central processing unit (CPU) and graphics processing unit (GPU) on the same silicon die.
SMM Callout bugs
News of the three bugs came to light last weekend, on Saturday, June 13, when a security researcher named Danny Odler published a Medium blog post detailing one of the three SMM Callout bugs (the one that was already patched).
Odler said the vulnerabilities impact an area of AMD processors known as the SMM.
The SMM, which stands for System Management Mode, is a layer that sits at the deepest level inside some types of AMD processors.
The SMM is a part of the CPU’s UEFI firmware, and SMM code is usually employed to manage deep hardware-related features such as power management, system sleep, hibernation, device emulation, memory errors, and CPU safety functions.
Due to its role in keeping the CPU running and interacting with adjacent hardware components, SMM code runs with the highest level of privileges on a computer, having full control over the operating system kernel and any hypervisors (virtual machines). In technical jargon, the SMM runs on the deepest level of the CPU ring, at Ring -2.
As such, any attacker that manages to infect the SMM usually has full control not only of the OS but also of a computer’s hardware.
Last week, Odler said he found three bugs in AMD’s SMM module that can allow him to implant malicious code inside the SMRAM (the SMM’s internal memory) and run it with the SMM’s privileges.
“Code execution in SMM is a game over for all security boundaries such as SecureBoot, Hypervisor, VBS, Kernel, and more,” the security researcher said.
Exploiting the SMM Callout bugs requires either physical access to the device or malware on the victim’s computer that can run malicious code with admin privileges.
These conditions for a successful SMM Callout attack might look prohibitive; however, they haven’t stopped rootkit developers for the past 15 years, and they’re likely not going to stop a determined attacker either.
Full patches coming later this month
Odler said he reported the three bugs to AMD at the start of April this year. At the time of writing, Odler said AMD had already released patches for the first bug, tracked as CVE-2020-14032.
Two other bugs remain unpatched, but in a security advisory published this week, AMD said it plans to have AGESA patches ready by the end of the month.
AGESA stands for AMD Generic Encapsulated Software Architecture and is AMD’s branded codename for UEFI (Unified Extensible Firmware Interface) firmware.
Once the AGESA updates are ready with the patches for the two other SMM Callout bugs, AMD said it will share the firmware with motherboard vendors and embedded system manufacturers.