Cyber Security News

AMD Microcode Vulnerability Allows Attackers to Load Malicious Patches

A critical vulnerability in AMD’s Zen 1 through Zen 4 processors allows attackers to bypass microcode signature validation, potentially undermining hardware-based security mechanisms.

The flaw stems from AMD’s use of AES-CMAC as a hash function during microcode patch verification – a design decision that enables collision attacks and forged RSA keys.

Vulnerability Rooted in Cryptographic MIS Implementation

AMD’s microcode update process relies on RSASSA-PKCS1-v1_5 signatures, where patch integrity is verified using AES-CMAC instead of standardized hash functions like SHA-256.

Unlike secure hashing algorithms, CMAC’s structure allows attackers with knowledge of the AES key to craft collisions by injecting compensating blocks1. Researchers demonstrated this by:

  1. Extracting the Hardcoded AES-CMAC Key: The key (2b7e151628aed2a6abf7158809cf4f3c) matched NIST test vectors and remained consistent across Zen generations1.
  2. Generating Forged RSA Public Keys: Using the formula: N=p×q×0x61×(compensating block)N = p \times q \times \text{0x61} \times \text{(compensating block)}N=p×q×0x61×(compensating block) Researchers created valid modulus values hashing to AMD’s expected CMAC output1.
  3. Bypassing Montgomery Checks: The attack included calculating valid Montgomery parameters (N’) to satisfy: (N⋅N′)mod  22048=−1(N \cdot N’) \mod 2^{2048} = -1(N⋅N′)mod22048=−1 ensuring compatibility with AMD’s modular arithmetic implementation1.

Microcode Manipulation via Zentool Framework

The team released zentool, an open-source toolkit enabling custom microcode patches.

A proof-of-concept modified the RDRAND instruction to always return 4 using:

bash./zentool edit --match 0=@rdrand --seq 0=0x100002 --insn q0i0="mov.qs rax,rax,4"  

This injects micro-ops that override the RDRAND handler in patch RAM, demonstrating arbitrary code execution at the microarchitecture level.

Successful exploitation requires:

RequirementDescription
Ring 0 AccessKernel privileges to write to MSR 0xc0010020
Persistent ExecutionNon-persistent across reboots
CPU TargetingPer-core patching via taskset/isolcpus

Industry Impact and Mitigation

AMD has released microcode updates replacing AES-CMAC with a secure hash function, coordinated with Secure Processor firmware to validate patches pre-boot.

While immediate risks are mitigated by the need for local privilege escalation, the discovery impacts:

  • Confidential Computing: SEV-SNP attestation could be compromised by malicious microcode
  • Supply Chain Security: Malicious OEMs could sideload tampered updates
  • Research Limitations: Prior assumptions about hardware-rooted trust require re-evaluation

Security teams should prioritize applying AMD’s 2024 microcode patches.

Researchers plan to expand Zentool’s capabilities, mirroring earlier Intel microcode projects that enabled performance optimizations and security feature prototyping.

This breakthrough underscores the critical need for open validation of hardware security primitives – a challenge as vendors increasingly rely on opaque, firmware-based protections.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free

Anupriya

Any Priya is a cybersecurity reporter at GBHackers On Security, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.

Recent Posts

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

3 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

4 hours ago

GenAI Assistant DIANNA Uncovers New Obfuscated Malware

Deep Instinct’s GenAI-powered assistant, DIANNA, has identified a sophisticated new malware strain dubbed BypassERWDirectSyscallShellcodeLoader. This…

4 hours ago

Hackers Expose 184 Million User Passwords via Open Directory

A major cybersecurity incident has come to light after researcher Jeremiah Fowler discovered a publicly…

5 hours ago

New Formjacking Malware Targets E-Commerce Sites to Steal Credit Card Data

A disturbing new formjacking malware has emerged, specifically targeting WooCommerce-based e-commerce sites to steal sensitive…

5 hours ago

GitLab Duo Vulnerability Exploited to Inject Malicious Links and Steal Source Code

A security vulnerability was recently discovered in GitLab Duo, the AI-powered coding assistant integrated into…

5 hours ago