AMD reports that firmware updates will be released for three bugs called SMM Callout by the end of June 2020. These vulnerabilities allow attackers to establish control over the AMD CPU UEFI firmware and, in fact, gain control over the entire computer.
It is reported that are affected Accelerated Processing Unit (APU, formerly AMD Fusion) processors from 2016 to 2019. APUs are small 64-bit hybrid microprocessors that include both CPUs and GPUs on the same chip.
The problems of SMM Callout became known last weekend when independent security researcher Danny Odler published a blog post detailing one of the three vulnerabilities (CVE-2020-14032, which has already been fixed).
“Bugs affect the area of AMD processors known as SMM (System Management Mode) and operate at the deepest level within some company processors”, – says Danny Odler.
SMM is part of UEFI and is typically used to manage hardware features such as power management, system sleep, hibernation, device emulation, memory errors, and CPU protection functions. In fact, SMM works with the highest level of privileges, having full control over the OS kernel and hypervisors.
Thus, any attacker who manages to compromise SMM gets not only full control over the OS, but also over the hardware. Odler writes that he discovered three errors in AMD SMM that allow injecting malicious code into SMRAM (internal SMM memory) and run it with SMM privileges.
“Code execution in SMM is a game over for all security mechanisms, such as SecureBoot, Hypervisor, VBS, Kernel, and so on”, — says the researcher.
Fortunately, exploiting SMM Callout problems requires physical access to the device or a malicious program embedded on the victim’s computer that can run malicious code with administrator privileges. However, the researcher notes that such restrictions have not stopped rootkit developers in the past 15 years, and probably will not stop determined hackers even now.
Odler reported problems to AMD developers in early April of this year. As stated above, AMD has already released fixes for the first bug, CVE-2020-14032.
Two other problems are still uncorrected, but the company’s official announcement states that AMD plans to prepare corrections for AGESA by the end of June 2020. When these updates are ready, AMD will provide firmware for motherboard and system manufacturers.
Let me remind you that we recently said that AMD processors are vulnerable to two more attacks.