All AMD EPYC processors could be vulnerable to some serious security flaws

AMD has only offered mitigations for the latest generation of EPYC processors

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

AMDhas acknowledged several arbitrary code execution vulnerabilities that impact the first three generations of itsEPYC processorsas well as theAMDEPYC embedded processors.

The vulnerabilities center around AMD’s Secure Encrypted Virtualization (SEV) and are outlined in two research papers, due to be presented at a prestigious security conference later in the year.

The first exploit, tracked as CVE-2020-12967, comes courtesy of researchers at Fraunhofer AISEC and the Technical University of Munich. AMD said the academic researchers leveraged previously discussed research around the lack of nested page table protection in the SEV/SEV-Encrypted State (SEV-ES) feature.

We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.

Click here to start the survey in a new window«

The second exploit, tracked as CVE-2021-26311, was discovered by researchers at the University of Lübeck. As per AMD this research demonstrates that memory in the feature can be rearranged in the guest address space that is not detected by the attestation mechanism in SEV/SEV-ES.

Mitigations in place

While acknowledging the vulnerabilities, AMD added that exploiting them both would require physical access to theservers, which makes the vulnerabilities less severe than the ones that can be exploitedremotely.

The papers, which will be presented at the 15th IEEE Workshop on Offensive Technologies (WOOT’21), exploit the vulnerabilities in AMD SEV to run arbitrary code within a guest.

Surprisingly though, while the hardware, even though the exploits impact three generations of EPYC processors, AMD has published mitigations only for the third-generation EPYC processors.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

For the other two, it simply recommends “following security best practices”. It isn’t clear whether the company plans to release mitigations for these processors at a later date.

ViaTom’s Hardware

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Windows PCs targeted by new malware hitting a vulnerable driver

Dangerous Android banking malware looks to trick victims with fake money transfers

Black Friday sale preview at Walmart – the best deals I’d buy starting at just $10