AMD and Google disclose critical microcode vulnerabilities in Zen 1 to Zen 4 EPYC CPUs - 산업 동향 | Heisener Electronics
고객 문의
SalesDept@heisener.com 86-755-83210559-827
로그인/등록
Language Translation

* Please refer to the English Version as our Official Version.

BOM
카트 0

AMD and Google disclose critical microcode vulnerabilities in Zen 1 to Zen 4 EPYC CPUs

에 게시 2월 8, 2025

AMD and Google have publicly disclosed a critical microcode vulnerability in the AMD Zen 1 to Zen 4 family of CPUs, discovered in September 2024, that primarily affects EPYC CPUs on server/enterprise platforms. The vulnerability, numbered CVE-2024-56161, is discussed in more detail in a GitHub post from Google's Security Research Team and in a security bulletin issued by AMD in response to the vulnerability. The vulnerability is discussed in more detail in a GitHub post by Google's security research team and in a security advisory issued by AMD in response to the vulnerability.


According to Google's documentation, the issue was originally reported on September 25, 2024, and then fixed by AMD on December 17, 2024, about two and a half months later. The public disclosure date was pushed back to yesterday to give AMD customers time to apply the fix before the issue became widespread.


AMD's official statement says: “Researchers at Google provided AMD with information about a potential vulnerability that, if successfully exploited, could cause SEV-based confidential visitor protection to fail.”


SEV refers to Secure Encrypted Virtualization, a feature used by server-class AMD CPUs to enable virtualization. Typically, this means a remote or local “thin client (AMD)” whose data is stored and managed on a central server. The device that the user uses to access the data has relatively little, and sometimes almost no, processing power. The exact setup may vary, but the purpose of virtualizing multiple users is usually to save hardware costs or to provide a higher level of security, sometimes both.


Disabling SEV protection through a microcode attack means that otherwise confidential data can be stolen from virtualized users affected by this attack. Additionally, malicious microcode loading could lead to additional attacks beyond data theft.


The specific families of AMD EPYC CPUs affected include AMD EPYC 7001 (Naples), AMD Epyc 7002 (Rome), AMD Epyc 7003 (Milan and Milan - X), and AMD Epyc 9004 (Genoa, Genoa - X, and Bergamo / Siena). The good news is that AMD has already released microcode updates for the affected CPUs, which should resolve the issue using the appropriate update tools (e.g. BIOS updates, etc.). However, AMD notes that for some platforms, a SEV firmware update may be required to properly support the fix via SEV-SNP certification.


Translated with DeepL.com (free version)