CVE-2024-56161
Published: 03 February 2025
Description
Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.
Security Summary
CVE-2024-56161 involves improper signature verification (CWE-347) in the AMD CPU ROM microcode patch loader. This vulnerability affects AMD processors, particularly those supporting Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), where it may enable the loading of malicious CPU microcode. Published on 2025-02-03, it carries a CVSS v3.1 base score of 7.2 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with no availability effects.
Exploitation requires local access, high attack complexity, and local administrator privileges. A successful attacker can load malicious CPU microcode, resulting in the loss of confidentiality and integrity for a confidential guest running under AMD SEV-SNP.
AMD has issued security bulletins AMD-SB-3019 and AMD-SB-7033 detailing mitigations, available at amd.com resources. Additional announcements appear on oss-security mailing lists (2025/02/04 and 2025/03/06) and Debian LTS announce (2025/03/msg00024.html).
Details
- CWE(s)