CVE-2021-26316: Code Execution Flaw in AMD EPYC and Ryzen processors
AMD recently released two security bulletins revealing 31 processor vulnerabilities, 3 of which affected Ryzen, Athlon, Thread Ripper, and Thread Ripper Pro processors, and 28 vulnerabilities affected EPYC processors.
The most severe of these issues is CVE-2021-26316, an arbitrary code execution vulnerability. AMD EPYC and Ryzen processors could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper validating of the communication buffer and communication service in the BIOS. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code in SMM (System Management Mode).
Other flaws CVE-2021-26346, and CVE-2021-46795 also affect Ryzen processors and have been described as a denial of service bug.
AMD also disclosed 28 vulnerabilities affecting EPYC processors, four of which are high risk, fifteen are medium risk, and nine are low risk. Here’s how AMD is documenting the high-risk issues:
| CVE-2021-26316 | High | Failure to validate the communication buffer and communication service in the BIOS may allow an attacker to tamper with the buffer resulting in potential SMM arbitrary code execution. |
| CVE-2021-26398 | High | Insufficient input validation in SYS_KEY_DERIVE system call in a compromised user application or ABL may allow an attacker to corrupt ASP (AMD Secure Processor) OS memory which may lead to potential arbitrary code execution. |
| CVE-2021-26402 | High | Insufficient bounds checking in ASP (AMD Secure Processor) firmware while handling BIOS mailbox commands, may allow an attacker to write partially-controlled data out-of-bounds to SMM or SEV-ES regions which may lead to a potential loss of integrity and availability. |
| CVE-2021-39298 | High | A potential vulnerability in AMD System Management Mode (SMM) interrupt handler may allow an attacker with high privileges to access the SMM resulting in arbitrary code execution which could be used by malicious actors to bypass security mechanisms provided in the UEFI firmware. |
AMD has delivered the AGESA microcode to the OEM manufacturer. Users can visit the official website of the product to check whether there is a new version of BIOS to download. Researchers including Google, Apple, and Oracle have also participated in the discovery and investigation of the vulnerability.
