Back to Security Bulletins

AMD Server Vulnerabilities – November 2021

Bulletin ID: AMD-SB-1021
Potential Impact: Varies by CVE, see descriptions below
Severity: Varies by CVE, see descriptions below

Summary

During security reviews in collaboration with Google, Microsoft, and Oracle, potential vulnerabilities in the AMD Secure Processor (ASP), AMD System Management Unit (SMU), AMD Secure Encrypted Virtualization (SEV), and other platform components were discovered and have been mitigated in AMD EPYC™ AGESA™ PI packages.

CVE Details

See Below

Affected Products

1st/2nd/3rd Gen AMD EPYC™ Processors

CVE

1st Gen AMD EPYC™

2nd Gen AMD EPYC™

3rd Gen AMD EPYC™

CVE-2020-12944

CVE-2020-12946

NA

CVE-2020-12951

CVE-2020-12954

CVE-2020-12961

NA

CVE-2020-12988

CVE-2021-26312

CVE-2021-26315

NA

NA

CVE-2021-26320

CVE-2021-26321

CVE-2021-26322

CVE-2021-26323

NA

NA

CVE-2021-26325

NA

NA

CVE-2021-26326

NA

NA

CVE-2021-26327

NA

NA

CVE-2021-26329

CVE-2021-26330

● 

CVE-2021-26331

● 

CVE-2021-26335

CVE-2021-26336

NA

CVE-2021-26337

NA

CVE-2021-26338

NA

Mitigation

The AGESA™ versions listed below have been released to the Original Equipment Manufacturers (OEM) to mitigate these issues. Please refer to your OEM for the BIOS update specific to your product.

Platform

AGESA Version

 Release Date

1st Gen AMD EPYC™

NaplesPI-SP3_1.0.0.G

 July 23, 2021

2nd Gen AMD EPYC™

RomePI-SP3_1.0.0.C

 July 22, 2021

3rd Gen AMD EPYC™

MilanPI-SP3_1.0.0.4

 June 26, 2021

Acknowledgement

AMD thanks the following for reporting these issues and engaging in coordinated vulnerability disclosure.

Reported by Oracle and discovered by internal Oracle security researcher Hugo Magalhaes: CVE-2020-12954, CVE-2020-12961, CVE-2021-26329, CVE-2021-26330, CVE-2021-26331 

Reported by Oracle and discovered by internal Oracle security researcher Volodymyr Pikhur: CVE-2020-12988  

Reported by Shawn Hoffman (Microsoft Offensive Security Research): CVE-2021-26315, CVE-2021-26335, CVE-2021-26336, CVE-2021-26337, CVE-2021-26338, CVE-2021-26351, CVE-2021-26352

Reported by Cfir Cohen, Jann Horn, Mark Brand of Google: CVE-2020-12944, CVE-2020-12946, CVE-2020-12951, CVE-2021-26312, CVE-2021-26320, CVE-2021-26321, CVE-2021-26322, CVE-2021-26323, CVE-2021-26325, CVE-2021-26326, CVE-2021-26327, CVE-2020-12951, CVE-2021-26324, CVE-2021-26332, CVE-2021-26408

Internally found: CVE-2021-26353, CVE-2021-26370, CVE-2021-26390, CVE-2021-46771

CVE

CVSS 3.1 Base Score

Description

CVE-2020-12954

7.9 (High)

A side effect of an integrated chipset option can be used by an attacker to bypass SPI ROM protections, allowing unauthorized SPI ROM modification.

CVE-2020-12961

7.9 (High)

A vulnerability exists in AMD Platform Security Processor (PSP) that may allow an attacker to zero any privileged register on the System Management Network which may lead to bypassing SPI ROM protections.

CVE-2021-26331

7.9 (High)

AMD System Management Unit (SMU) contains an issue where a malicious user may be able to manipulate mailbox entries leading to arbitrary code execution.

CVE-2021-46771

7.5 (High)

Insufficient validation of addresses in AMD Secure Processor (ASP) firmware system call may potentially lead to arbitrary code execution by a compromised user application.

CVE-2021-26335

7.5 (High)

Improper input and range checking in the AMD Secure Processor (ASP) boot loader image header may allow an attacker to use attacker-controlled values prior to signature validation potentially resulting in arbitrary code execution.

CVE-2021-26315

6.9 (Medium)

A CPU internal ROM improperly implements decryption of signed off-chip firmware. An attacker with physical access or high privileges could potentially exploit this vulnerability leading to the execution of arbitrary code on the PSP, compromising the authenticity of the attestation state.

CVE-2020-12946

6.8 (Medium)

Insufficient input validation in PSP firmware for discrete TPM commands could allow a potential loss of integrity and denial of service.

CVE-2021-26353

6.7 (Medium)

Due to a mishandled error, it is possible to leave the DRTM UApp in a partially initialized state, which can result in unchecked memory writes when the UApp handles subsequent mailbox commands.

CVE-2021-26351

6.1 (Medium)

Insufficient DRAM address validation in System Management Unit (SMU) may result in a DMA (Direct Memory Access) read/write from/to invalid DRAM address that could result in denial of service.

CVE-2021-26352

6.1 (Medium)

Insufficient bound checks in System Management Unit (SMU) PCIe Hot Plug table may result in access/updates from/to invalid address space that could result in denial of service.

CVE-2021-26336

6.1 (Medium)

Insufficient bounds checking in System Management Unit (SMU) may cause invalid memory accesses/updates that could result in SMU hang and subsequent failure to service any further requests from other components.

CVE-2021-26337

6.1 (Medium)

Insufficient DRAM address validation in System Management Unit (SMU) may result in a DMA read from invalid DRAM address to SRAM resulting in SMU not servicing further requests.

CVE-2021-26338

6.1 (Medium)

Improper access controls in System Management Unit (SMU) may allow for an attacker to override performance control tables located in DRAM resulting in a potential lack of system resources.

CVE-2020-12951

6.1 (Medium)

Race condition in ASP firmware could allow less privileged x86 code to perform ASP SMM (System Management Mode) operations.

CVE-2021-26390

6.0 (Medium)

A malicious or compromised UApp or ABL may coerce the bootloader into corrupting arbitrary memory potentially leading to loss of integrity of data.

CVE-2021-26320

6.0 (Medium)

Insufficient validation of the AMD SEV Signing Key (ASK) in the SEND_START command in the SEV Firmware may allow a local authenticated attacker to perform a denial of service of the PSP.

CVE-2021-26370

5.7 (Medium)

Improper validation of destination address in SVC_LOAD_FW_IMAGE_BY_INSTANCE  and SVC_LOAD_BINARY_BY_ATTRIB in a malicious UApp or ABL may allow an attacker to overwrite arbitrary bootloader memory with SPI ROM contents resulting in a loss of integrity and availability.

CVE-2020-12944

5.5 (Medium)

Insufficient validation of BIOS image length by PSP Firmware could lead to arbitrary code execution.

CVE-2021-26332

5.4 (Medium)

Failure to verify SEV-ES TMR is not in MMIO space, SEV-ES FW could result in a potential loss of integrity or availability.

CVE-2020-12988

4.4 (Medium)

A denial of service (DoS) vulnerability exists in the integrated chipset that may allow a malicious attacker to hang the system when it is rebooted.

CVE-2021-26329

4.4 (Medium)

AMD System Management Unit (SMU) may experience an integer overflow when an invalid length is provided which may result in a potential loss of resources.

CVE-2021-26330

4.4 (Medium)

AMD System Management Unit (SMU) may experience a heap-based overflow which may result in a potential loss of resources.
CVE-2021-26321

4.4 (Medium)

 Insufficient ID command validation in the SEV Firmware may allow a local authenticated attacker to perform a denial of service of the PSP.
CVE-2021-26323

4.4 (Medium)

 Failure to validate SEV Commands while SNP is active may result in a potential impact to memory integrity.
CVE-2021-26324

4.4 (Medium)

 A bug with the SEV-ES TMR may lead to a potential loss of memory integrity for SNP-active VMs.
CVE-2021-26325

4.4 (Medium)

 Insufficient input validation in the SNP_GUEST_REQUEST command may lead to a potential data abort error and a denial of service.
CVE-2021-26326

4.1 (Medium)

 Failure to validate VM_HSAVE_PA during SNP_INIT may result in a loss of memory integrity.
CVE-2021-26322

4.1 (Medium)

 Persistent platform private key may not be protected with a random IV leading to a potential “two-time pad attack”.
CVE-2021-26327

4.1 (Medium)

 Insufficient validation of guest context in the SNP Firmware could lead to a potential loss of guest confidentiality.
CVE-2021-26312

4.1 (Medium)

 PSP protection against side channels improperly configured, which may lead to potential information disclosure.

CVE-2021-26408

1.9 (Low)

 Insufficient validation of elliptic curve points in SEV-legacy firmware may compromise SEV-legacy guest migration potentially resulting in loss of guest's integrity or confidentiality.

 

Revisions

Revision Date   Description  
03-04-2024 Update the “Acknowledgement”
05-06-2022

Adds additional CVEs that are mitigated by the AGESA versions provided in the original bulletin

CVE-2020-12951, CVE-2021-26324, CVE-2021-26332, CVE-2021-26408, CVE-2021-26351, CVE-2021-26352, CVE-2021-26353, CVE-2021-26370, CVE-2021-26390, CVE-2021-46771  
11-09-2021 Initial publication

DISCLAIMER

The information contained herein is for informational purposes only and is subject to change without notice. While every precaution has been taken in the preparation of this document, it may contain technical inaccuracies, omissions, and typographical errors, and AMD is under no obligation to update or otherwise correct this information. Advanced Micro Devices, Inc. makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and assumes no liability of any kind, including the implied warranties of noninfringement, merchantability, or fitness for particular purposes, with respect to the operation or use of AMD hardware, software or other products described herein. Any computer system has risks of security vulnerabilities that cannot be completely prevented or mitigated. No license, including implied or arising by estoppel, to any intellectual property rights is granted by this document. Terms and limitations applicable to the purchase or use of AMD’s products are as set forth in a signed agreement between the parties or in AMD's Standard Terms and Conditions of Sale.

AMD, the AMD Arrow logo, and combinations thereof are trademarks of Advanced Micro Devices, Inc. Other product names used in this publication are for identification purposes only and may be trademarks of their respective companies.

© 2024 Advanced Micro Devices, Inc. All rights reserved.