A critical vulnerability in AMD’s Zen 1 through Zen 4 processors allows attackers to bypass microcode signature validation, potentially undermining hardware-based security mechanisms.
The flaw stems from AMD’s use of AES-CMAC as a hash function during microcode patch verification – a design decision that enables collision attacks and forged RSA keys.
AMD’s microcode update process relies on RSASSA-PKCS1-v1_5 signatures, where patch integrity is verified using AES-CMAC instead of standardized hash functions like SHA-256.
Unlike secure hashing algorithms, CMAC’s structure allows attackers with knowledge of the AES key to craft collisions by injecting compensating blocks1. Researchers demonstrated this by:
2b7e151628aed2a6abf7158809cf4f3c
) matched NIST test vectors and remained consistent across Zen generations1.The team released zentool, an open-source toolkit enabling custom microcode patches.
A proof-of-concept modified the RDRAND
instruction to always return 4
using:
bash./zentool edit --match 0=@rdrand --seq 0=0x100002 --insn q0i0="mov.qs rax,rax,4"
This injects micro-ops that override the RDRAND handler in patch RAM, demonstrating arbitrary code execution at the microarchitecture level.
Successful exploitation requires:
Requirement | Description |
---|---|
Ring 0 Access | Kernel privileges to write to MSR 0xc0010020 |
Persistent Execution | Non-persistent across reboots |
CPU Targeting | Per-core patching via taskset/isolcpus |
AMD has released microcode updates replacing AES-CMAC with a secure hash function, coordinated with Secure Processor firmware to validate patches pre-boot.
While immediate risks are mitigated by the need for local privilege escalation, the discovery impacts:
Security teams should prioritize applying AMD’s 2024 microcode patches.
Researchers plan to expand Zentool’s capabilities, mirroring earlier Intel microcode projects that enabled performance optimizations and security feature prototyping.
This breakthrough underscores the critical need for open validation of hardware security primitives – a challenge as vendors increasingly rely on opaque, firmware-based protections.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…
Deep Instinct’s GenAI-powered assistant, DIANNA, has identified a sophisticated new malware strain dubbed BypassERWDirectSyscallShellcodeLoader. This…
A major cybersecurity incident has come to light after researcher Jeremiah Fowler discovered a publicly…
A disturbing new formjacking malware has emerged, specifically targeting WooCommerce-based e-commerce sites to steal sensitive…
A security vulnerability was recently discovered in GitLab Duo, the AI-powered coding assistant integrated into…