AMD has fixed SMM Callout Privilege Escalation high-severity vulnerability in its processors but CVE-2020–12890 and another flaw remain unpatched
AMD today announced that it has fixed one high-severity vulnerability affecting its client and embedded processors. But the sad news is that AMD processors have two other very critical flaws which are yet to be fixed by the company. The good news is that AMD says it will release fixes for the other two by the end of June 2020.
Security researcher, Danny Odler had found three high-severity vulnerabilities in AMD processors that were manufactured between 2016 and 2019. He had reported all the three vulnerabilities to AMD on April 2, 2020. All three vulnerabilities allowed any potential hacker with physical or privileged access to certain AMD powered systems to exploit the flaws to execute arbitrary code or take control of the firmware and thereby the entire system.
Out of the three, the vulnerability called “SMM Callout Privilege Escalation” bugs with the identifier CVE-2020–14032 was fixed by AMD on June 8 and it has asked AMD users to update the firmware. “AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020,” AMD said in a statement.
All three flaws exist in System Management Mode (SMM). SMM is an operating mode that’s mainly responsible for CPU and chipset configurations, motherboard manufacturer code, and secured operations such as setting secure boot hashes, TPM (Trusted Platform Module) configurations and power management. SMM exists on microprocessors manufactured both by Intel and AMD.
The other two flaws, one with the identifier CVE-2020–12890 and another that has yet to be issued a CVE identifier have still not been patched.