Security teams have uncovered a new security vulnerability in AMD Zen 5 processors. A BIOS update should resolve the problem and a fix is forthcoming.
Previously known to be affecting Zen 1 to Zen 4-based CPUs, the CVE-2024-36347 vulnerability now includes Zen 5 chips too. AMD disclosed the issue to the public via Security Bulletin AMD-SB-7033 published on March 5. According to the Google researchers who discovered it, this flaw opens the way for an attack with system administrative privileges to load malicious CPU microcode patches.
This could potentially compromise the integrity of x86 instruction execution, the confidentiality and integrity of data in x86 CPU-privileged contexts, or the System Management Mode (SMM) execution environment. The first ensures that the CPU runs only legitimate and unaltered instructions, shielding against attacks that can modify the CPU’s behaviour. The second protects sensitive data in high-privilege areas like the kernel or hypervisor. The third is a high privilege mode for low-level system functions like power management.
The source of this vulnerability stems from a weakness in the signature verification algorithm of AMD processors’ microcode patch loader which allows the execution of potentially unsafe microcode. The idea is to compromise/replace the microcode applied during the boot sequence. This means that all Zen 5 CPUs are at risk, including Ryzen 9000, EPYC 9005, Ryzen AI 300, and Ryzen 9000HX. Thankfully, these modifications do not persist after a system restart.
AMD has acknowledged the issue and is developing mitigation measures to address it. The brand advises organisations to monitor its official communications for updates and security recommendations. That said, note that the CVE-2024-36347 vulnerability is mainly a concern for servers, data centres, and enterprise systems where attackers could access high-value data. All the same, gamers and more mainstream users would do well to be safe rather than sorry.
