SB2022052620 - Multiple vulnerabilities in various AMD processors


Published: May 26, 2022

Security Bulletin ID: SB2022052620
Severity: Low
Patch available: YES
Number of vulnerabilities: 28
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low: 96%, Medium: 4% (no High or Critical)

Description

This security bulletin contains information about 28 security vulnerabilities.


1) Race condition (CVE-ID: CVE-2020-12951)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in ASP firmware. A local user can exploit the race and perform ASP SMM (System Management Mode) operations.


2) Security features bypass (CVE-ID: CVE-2021-26382)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to missing verification of the signing key when processing ACP firmware images. A local privileged user can load any legitimately signed firmware image into the Audio Co-Processor (ACP), regardless of whether the signing key is declared as usable for authenticating ACP firmware images, and perform a denial of service (DoS) attack.


3) Out-of-bounds write (CVE-ID: CVE-2021-26384)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in System Management Interface. A local user can run a specially crafted SMI command to establish a corrupted SMI Trigger Info data structure and perform a denial of service (DoS) attack.


4) Input validation error (CVE-ID: CVE-2021-26368)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient check of the process type in Trusted OS (TOS). A local user can enable a lesser privileged process to unmap memory owned by a higher privileged process and perform a denial of service (DoS) attack.


5) Buffer overflow (CVE-ID: CVE-2020-12944)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error when processing BIOS image length in ASP Firmware. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.


6) Input validation error (CVE-ID: CVE-2021-26362)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input. A malicious or compromised UApp or ABL can issue a malformed system call, which results in mapping sensitive System Management Network (SMN) registers, and escalate privileges on the system.


7) Buffer overflow (CVE-ID: CVE-2021-26390)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error. A malicious or compromised UApp or ABL can trigger memory corruption and execute arbitrary code with elevated privileges.


8) Input validation error (CVE-ID: CVE-2021-26351)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient DRAM address validation in the System Management Unit (SMU). A local user can force DMA (Direct Memory Access) to read from or write to an invalid DRAM address and perform a denial of service (DoS) attack.


9) Buffer overflow (CVE-ID: CVE-2021-26352)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in System Management Unit (SMU) PCIe Hot Plug table. A local user can trigger memory corruption and perform a denial of service (DoS) attack.


10) Input validation error (CVE-ID: CVE-2021-26337)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient DRAM address validation in the System Management Unit (SMU). A local user can force DMA to read from an invalid DRAM address into SRAM and perform a denial of service (DoS) attack.


11) Insufficient verification of data authenticity (CVE-ID: CVE-2021-26317)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to failure to verify the protocol in AMD System Management Mode (SMM). A local user can modify SPI flash and execute arbitrary code with elevated privileges.


12) Buffer overflow (CVE-ID: CVE-2021-26336)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in System Management Unit (SMU). A local user can trigger memory corruption and perform a denial of service (DoS) attack.


13) Buffer overflow (CVE-ID: CVE-2021-26386)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error. A malicious or compromised UApp or ABL can issue a malformed system call to the Stage 2 Bootloader, trigger memory corruption and execute arbitrary code with elevated privileges.


14) Out-of-bounds write (CVE-ID: CVE-2021-26369)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error. A malicious or compromised UApp or ABL can send a malformed system call to the bootloader and escalate privileges on the system.


15) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-26366)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to an unspecified error. A local privileged user can read data from the Boot ROM, resulting in a loss of system integrity.


16) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-26363)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions. A malicious or compromised UApp or ABL can modify the value used by the ASP for its reserved DRAM to one outside of the fenced area and gain access to sensitive information.


17) Information disclosure (CVE-ID: CVE-2021-26361)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to an unspecified error. A malicious or compromised User Application (UApp) or AGESA Boot Loader (ABL) can be used to exfiltrate arbitrary memory from the ASP stage 2 bootloader, potentially leading to information disclosure.


18) Input validation error (CVE-ID: CVE-2020-12946)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in ASP firmware for discrete TPM commands. A local user can perform a denial of service (DoS) attack.


19) Security features bypass (CVE-ID: CVE-2021-39298)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an unspecified error in the AMD System Management Mode (SMM) interrupt handler. A local privileged user can bypass security mechanisms provided in the UEFI firmware and execute arbitrary code.


20) Input validation error (CVE-ID: CVE-2021-26335)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the AMD Secure Processor (ASP) boot loader image header. A local user can escalate privileges on the system.


21) Buffer overflow (CVE-ID: CVE-2021-26373)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the System Management Unit (SMU). A local user can trigger a system voltage malfunction and perform a denial of service (DoS) attack.


22) Input validation error (CVE-ID: CVE-2021-26376)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in System Management Unit (SMU) FeatureConfig. A local user can re-enable certain features, which can lead to denial of service.


23) Buffer overflow (CVE-ID: CVE-2021-26375)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in System Management Unit (SMU). A local user can trigger memory corruption and perform a denial of service (DoS) attack.


24) Buffer overflow (CVE-ID: CVE-2021-26378)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in System Management Unit (SMU). A local user can trigger memory corruption and perform a denial of service (DoS) attack.

25) Buffer overflow (CVE-ID: CVE-2021-26372)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in System Management Unit (SMU). A local user can trigger memory corruption and perform a denial of service (DoS) attack.

26) Input validation error (CVE-ID: CVE-2021-26339)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in the AMD CPU's core logic when executing specific code from an unprivileged VM. A remote user with low-privileged access to a guest OS can send a specific x86 instruction sequence that triggers a CPU core hang.


27) Out-of-bounds read (CVE-ID: CVE-2021-26388)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in the BIOS directory that allows for searches to read beyond the directory table copy in RAM. A local user can perform a denial of service (DoS) attack.


28) Out-of-bounds write (CVE-ID: CVE-2021-26312)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error caused by failure to flush the Translation Lookaside Buffer (TLB) of the I/O memory management unit (IOMMU). A local user can force an IO device to write to memory it should not be able to access and execute arbitrary code with elevated privileges.


Remediation

Install the update from the vendor's website.