{"id":1646,"date":"2025-01-24T01:16:14","date_gmt":"2025-01-24T01:16:14","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1646"},"modified":"2025-01-24T01:16:14","modified_gmt":"2025-01-24T01:16:14","slug":"amds-unpatched-chip-microcode-glitch-may-require-extreme-measures-by-cisos","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1646","title":{"rendered":"AMD\u2019s unpatched chip microcode glitch may require extreme measures by CISOs"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>AMD has had to confirm the existence of a major cybersecurity problem in its chip microcode before it can post a fix. <\/p>\n<p>Microcode often loads during startup and it can change chip capabilities:\u00a0Security specialists are recommending that CISOs consider extreme protective measures, including network isolation, possible air gapping, and ideally blocking all updates and patches until AMD fixes this problem.<\/p>\n<p>The disclosure was forced on AMD after PC manufacturer Asus released details of the cybersecurity hole as part of a beta BIOS update. Although Asus has since deleted that part of the update, AMD decided to confirm the barest of details about the issue.<\/p>\n<h2 class=\"wp-block-heading\">Good news and bad news<\/h2>\n<p>\u201cAMD is aware of a newly reported processor vulnerability. Execution of the attack requires both local administrator level access to the system, and development and execution of malicious microcode. AMD has provided mitigations and is actively working with its partners and customers to deploy those mitigations,\u201d it said in a statement to CSO on Thursday. 
\u201cAMD recommends customers continue to follow industry standard security practices and only work with trusted suppliers when installing new code on their systems. AMD plans to issue a security bulletin soon with additional guidance and mitigation options.\u201d<\/p>\n<p>The technical nature of the problem delivers both good news and bad news. AMD\u2019s statement that \u201cexecution of the attack requires both local administrator level access to the system and development and execution of malicious microcode\u201d is critical.<\/p>\n<p>The good news, in a sense, is that this attack vector is beyond the means of most attackers. They first have to achieve full local admin access, and then they have to have the skills and tools to create realistic-looking malicious microcode.<\/p>\n<p>The bad news is that attackers who do have such capabilities, such as state-sponsored actors, could use this glitch to deliver fake microcode that would appear to be signed by AMD or some other trusted source. The glitch hampers the chip\u2019s ability to authenticate microcode, which means malicious microcode might be able to modify CPU functionality.<\/p>\n<p>On Thursday, one AMD official, who couldn\u2019t speak on the record, told CSO that it would likely be multiple days before the patch is ready for dissemination.<\/p>\n<p>The story was <a href=\"https:\/\/www.theregister.com\/2025\/01\/23\/asus_amd_processor_fix\/\">broken by The Register<\/a>, which went into detail about how the glitch came to be disclosed. But more important for CISOs is what to do about it until the patch is installed on their systems.<\/p>\n<h2 class=\"wp-block-heading\">Puts CISOs in a bind<\/h2>\n<p>John Price, CEO at Cleveland-based security firm SubRosa, said there is a history of these patch development timeframes getting longer.<\/p>\n<p>\u201cWe have no idea how long it is actually going to take. 
I would proceed as if this will take quite some time,\u201d Price said.<\/p>\n<p>Price said the unpatched glitch puts enterprise CISOs in a horrible bind. It means that nothing external that tries to touch the CPU can be permitted, at least not until the problem is fully patched.<\/p>\n<p>\u201cRestrict privileges wherever possible and delay non-critical firmware changes, including BIOS settings that might further increase exposure,\u201d he initially said in a CSO interview, but he then added that even stricter measures might be needed.<\/p>\n<p>\u201cExplore doing strict hardware segmentation, especially on high-priority critical systems. It must be a risk-based approach,\u201d he said, adding that some companies might need to block all firmware changes entirely.<\/p>\n<p>\u201cIf from a risk perspective it makes sense to air gap, then absolutely do that. Focus on risk elimination. Air gapping might be the way to go,\u201d Price said. \u201cIf someone gets system-level access, you have big problems.\u201d<\/p>\n<p>Price stressed the sophistication an attacker would need to take advantage of this hole, saying, \u201cThe exploit requires highly specialized skills to craft malicious microcode, making it less likely to be widespread. However, if a sophisticated threat actor perfects it, the impact could be severe.\u201d<\/p>\n<p>Another concern is that firmware issues straddle the lines between chipset design, motherboard vendors, and software, Price said.<\/p>\n<p>Flavio Villanustre, global chief information security officer of LexisNexis Risk Solutions, agreed with Price that the damage from a successful microcode attack could be catastrophic.<\/p>\n<p>\u201cIf a system is compromised to this level, the ability to deploy malicious microcode to the CPU could make for a very insidious attack vector that would be very hard to identify and address,\u201d Villanustre said. 
\u201cCreating these types of sophisticated attacks would require significant resources, but it could be something that a state-sponsored actor could certainly do.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Coordinated disclosure is critical<\/h2>\n<p>Villanustre was one of several security specialists who said that much of the potential damage came not from AMD, but from the disclosure by Asus.<\/p>\n<p>\u201cIt\u2019s possible that certain resourceful bad actors already knew about it, but making it widely known creates unnecessary exposure to organizations that still don\u2019t have a way to mitigate the risk, since mainstream patches are not available,\u201d Villanustre said, adding that \u201cAsus\u2019 disclosure seems to have been a mistake, but it would have been irresponsible otherwise. In any case, it\u2019s not the first time CPUs are vulnerable and it won\u2019t be the last time either.\u201d<\/p>\n<p>The Asus leak was \u201cunderscoring the critical importance of coordinated vulnerability disclosure. Prematurely revealing a security flaw heightens the risk of zero-day cyberattacks and spreads confusion, both of which can damage trust in Asus and AMD by users and the public,\u201d said Frank Riccardi, a cybersecurity specialist and the author of the book <em>Mobilizing the C-suite: Waging War Against Cyberattacks<\/em>. \u201cI appreciate that the leak was accidental, but that will be cold comfort if cybercriminals exploit the vulnerability before AMD releases the official patch.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>AMD has had to confirm the existence of a major cybersecurity problem in its chip microcode before it can post a fix. 
Microcode often loads during startup and it can change chip capabilities:\u00a0Security specialists are recommending that CISOs consider extreme protective measures, including network isolation, possible air gapping, and ideally blocking all updates and patches [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1635,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1646","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1646"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1646"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1646\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1635"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1646"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1646"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1646"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}