Message-ID: <Z5EUUMd1xkSSKAEM@thinkstation.cmpxchg8b.net>
Date: Wed, 22 Jan 2025 07:52:48 -0800
From: Tavis Ormandy <taviso@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: AMD Microcode Signature Verification Vulnerability

On Tue, Jan 21, 2025 at 11:38:16PM -0500, Demi Marie Obenour wrote:
> On Tue, Jan 21, 2025 at 06:31:31PM -0800, Tavis Ormandy wrote:
> > It looks like an OEM leaked the patch for a major upcoming CPU
> > vulnerability, i.e. "AMD Microcode Signature Verification
> > Vulnerability":
> > 
> > https://rog.asus.com/motherboards/rog-strix/rog-strix-x870-i-gaming-wifi/helpdesk_bios/
> > 
> > I'm not thrilled about this - the patch is *not* currently in
> > linux-firmware, so this is the only publicly available patch.
> > 
> > However, other people are discussing how to extract them:
> > 
> > https://winraid.level1techs.com/t/offer-intel-amd-via-cpu-microcode-archives-1995-present/102857/53
> 
> Is this fix effective, or can it be bypassed via a downgrade attack?
> 

I'm not sure yet, the vendor has been really excruciating to deal with,
this is the first time I've been allowed to see the patch!! :(

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@....org
_\_V _( ) _( )  @taviso
