Security flaw means AMD Zen CPUs can be "jailbroken"

  • Google's researchers found a vulnerability in AMD Zen 1 - 4 chips
  • It allows anyone to push microcode updates, even malicious ones
  • Exploiting the bug requires a high privilege level in advance

AMD processors, from Zen 1 all the way to Zen 4, are carrying a major vulnerability that allows threat actors to push microcode updates on affected chips.

This is according to researchers from Google, who also released a tool to install the updates, or “jailbreak” the device.

Google’s researchers called the vulnerability “EntrySign”. They explained that it stems from AMD's use of AES-CMAC as a hash function in its signature verification process. That is a cryptographic error, since CMAC is designed as a message authentication code, not as a hash function. The vulnerability is tracked as CVE-2024-56161, and was given a severity score of 7.2/10 (high).

Zentool

The researchers also found AMD was using a published example key from NIST documentation all this time, which helped them forge signatures and install whatever microcode updates they saw fit. In theory, a threat actor could abuse the vulnerability to bypass security mechanisms and trigger information leakage.

In practice, however, it’s a lot more difficult than that. The attackers would need to have local admin privileges beforehand, which is difficult enough on its own. Furthermore, the attacks would only persist until the next system reboot.
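Why a keyed MAC makes a poor hash function once its key is public, as an added example that is not from the article, Google's report or zentool. The cipher is a toy Feistel permutation standing in for AES, the MAC is a simplified CMAC, and `KNOWN_KEY` and both messages are constructed values.

```python
import hashlib

BLOCK = 16
KNOWN_KEY = bytes(range(16))  # constructed stand-in for a key printed in public docs

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def encrypt(key, block):
    # Toy 4-round Feistel permutation on 16-byte blocks: a stand-in for AES, not AES.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def chain(key, data):
    state = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        state = encrypt(key, xor(state, data[i:i + BLOCK]))
    return state

def mac(key, msg):
    # Simplified CMAC: CBC chain, key-derived mask folded into the last block.
    if not msg or len(msg) % BLOCK:
        raise ValueError("demo handles whole blocks only")
    mask = encrypt(key, bytes(BLOCK))
    last = xor(xor(chain(key, msg[:-BLOCK]), msg[-BLOCK:]), mask)
    return encrypt(key, last)

def second_message(key, prefix, tag):
    # With the key known, the final block can be solved for so the tag matches.
    mask = encrypt(key, bytes(BLOCK))
    return prefix + xor(xor(decrypt(key, tag), chain(key, prefix)), mask)

def demo():
    original = b"original update!" * 2  # constructed sample input
    other = second_message(KNOWN_KEY, b"different data!!", mac(KNOWN_KEY, original))
    same_mac = mac(KNOWN_KEY, other) == mac(KNOWN_KEY, original)
    same_sha = hashlib.sha256(other).digest() == hashlib.sha256(original).digest()
    return other != original, same_mac, same_sha
```

`demo()` shows two different messages sharing one MAC value while their SHA-256 digests differ, which is why a signature should cover a collision-resistant hash of the content rather than a MAC computed under a known key.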

In any case, Google released an open source tool called ‘zentool’, which allows security researchers (and, unfortunately, threat actors) to drop custom microcode patches.

It consists of tools for microcode patch examination (including limited disassembly), microcode patch authoring, signing, and loading. The researchers said they’re planning on releasing details on how to decrypt and encrypt microcode patches in the future, as well. “A significant portion of the ongoing research is focused on building an accurate understanding of the AMD microcode instruction set – the current disassembly and assembly are not always accurate due to this challenge,” the report stated.

AMD has released BIOS updates to address this vulnerability, so if you fear you might be targeted, make sure to update your systems to versions dated December 17, 2024, or later.

Via Tom's Hardware


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
