AMD: Microcode Signature Verification Vulnerability

Summary: Google Security Team discovered a high-severity security vulnerability in some AMD Zen-based CPUs, allowing an attacker with local administrator privileges to load malicious microcode patches. The vulnerability stems from an insecure hash function in the CPU’s signature validation for microcode updates. This flaw could compromise workloads protected by AMD’s latest security features, including SEV-SNP and Dynamic Root of Trust Measurement. The Proof of Concept shows the potential impact on Milan and Genoa CPUs. The timeline reveals that Google notified AMD on September 25, 2024, with a fix provided to customers on December 17, 2024. Full details will be disclosed on March 5, 2025, to allow users to address the issue and restore trust in their systems.

https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w
