AMD update on CVE-2020-12890: SMM Callout Privilege Escalation

AMD issued an update last week saying that it will provide an actual update in a few weeks, and sarcastically advises vendors to stay “up-to-date”…

6/17/20

AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020. […] AMD has delivered the majority of the updated versions of AGESA to our motherboard partners and plans to deliver the remaining versions by the end of June 2020. AMD recommends following the security best practice of keeping devices up-to-date with the latest patches. […]

We thank Danny Odler for his ongoing security research.

Full announcement paragraph:
https://www.amd.com/en/corporate/product-security

No news here:
https://developer.arm.com/support/arm-security-updates

AGESA status page:
Just kidding, there is no such page; only AMD clients get AGESA status updates under NDA.

I wonder if the Apple macOS or Microsoft Defender UEFI scanners will be updated to catch this on AMD systems. CHIPSEC can’t; it does not work on AMD systems.
