Control: severity -1 grave On 2025-02-08 10:53, Markus Koschany wrote: > The following vulnerability was published for amd64-microcode. > > CVE-2024-56161[0]: > | Improper signature verification in AMD CPU ROM microcode patch > | loader may allow an attacker with local administrator privilege to > | load malicious CPU microcode resulting in loss of confidentiality > | and integrity of a confidential guest running under AMD SEV-SNP.
The Google Security Team has now released a tool [1] with which the microcode can be manipulated, and the key has been leaked [2] (or rather it was public anyway, but was now identified as the key being re-used here). I think a bump to grave is warranted, but it should be serious at least. I have Zen 2, 3, 5 consumer CPUs at home, if I can help with testing. Best, Christian > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2024-56161 > https://www.cve.org/CVERecord?id=CVE-2024-56161 [1]: https://github.com/google/security-research/blob/master/pocs/cpus/entrysign/zentool/README.md [2]: https://www.openwall.com/lists/oss-security/2025/03/06/2
