Summary: A significant security vulnerability (CVE-2024-56161) has been identified in AMD’s Secure Encrypted Virtualization (SEV) system, which could enable an attacker with local administrator privileges to execute malicious CPU microcode. The flaw, assigned a high CVSS score of 7.2, poses risks to the confidentiality and integrity of VMs operating under AMD SEV-SNP. Google security researchers reported the issue, which is linked to insecure hash functions in the signature verification process for microcode updates.

Affected: AMD Secure Encrypted Virtualization (SEV) and related systems

Keypoints :

• Vulnerability allows local admin to load malicious CPU microcode.
• High severity score of 7.2 indicates significant risk to affected systems.
• Google security team credited with discovering the flaw on September 25, 2024.
• Link to insecure hash function in the signature validation for microcode updates.
• Test payload released by Google to demonstrate the vulnerability.