
AMD has silently expanded its security advisory for the recently disclosed EntrySign vulnerability, now confirming that its latest Zen 5 processors are also affected by the critical security flaw. The updated advisory adds mitigations for embedded processors and corrects a CVE reference number in its documentation.
Originally revealed last month by Google security researchers, EntrySign (tracked as CVE-2024-56161 and CVE-2024-36347) represents a high-severity vulnerability in AMD's microcode signature verification system. The flaw affects processors from Zen 1 through Zen 5 architectures, potentially allowing attackers with kernel privileges to execute unauthorized microcode.

The vulnerability stems from AMD's use of AES-CMAC as a hash function in its signature verification process, compounded by the company's use of an example key from NIST documentation across multiple CPU generations. This security oversight enabled researchers to forge signatures and create unauthorized microcode patches.
Google's research team demonstrated the exploit by developing "zentool," a utility suite capable of examining, authoring, signing, and loading custom microcode patches. They modified the RDRAND instruction to return a fixed value instead of random numbers as proof of concept.
While exploiting EntrySign requires kernel-level access and doesn't persist through power cycles, it has significant implications for confidential computing technologies like AMD SEV-SNP and creates potential supply chain vulnerabilities.
AMD has addressed the vulnerability through microcode updates (AMD-SB-3019 and AMD-SB-7033), implementing a more secure hash function alongside an AMD Secure Processor update to prevent validation routine bypasses. Users are strongly encouraged to apply the latest security patches to mitigate risks.
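To confirm that a microcode update has actually taken effect on a Linux host, the check below parses `/proc/cpuinfo` text and reports logical CPUs whose loaded revision is below a required minimum, or whose cores disagree with each other. It is an added example, not code from AMD or from the original article; the sample text and the revision numbers in `BASELINE` are constructed placeholders, and the real minimum revisions must be taken from AMD's bulletins.

```python
import re
from collections import defaultdict

# Constructed sample in /proc/cpuinfo format; revision values are made up.
SAMPLE_CPUINFO = """\
processor : 0
vendor_id : AuthenticAMD
cpu family : 25
model : 1
stepping : 1
microcode : 0xa000020

processor : 1
vendor_id : AuthenticAMD
cpu family : 25
model : 1
stepping : 1
microcode : 0xa00001f
"""

# Placeholder baseline: (family, model, stepping) -> minimum fixed revision.
BASELINE = {(25, 1, 1): 0xA000020}

def parse_cpuinfo(text):
    """Return (cpu, (family, model, stepping), revision) per AMD logical CPU."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = {k.strip(): v.strip() for k, v in
             (line.split(":", 1) for line in block.splitlines() if ":" in line)}
        if f.get("vendor_id") != "AuthenticAMD" or "microcode" not in f:
            continue
        key = (int(f["cpu family"]), int(f["model"]), int(f["stepping"]))
        cpus.append((int(f["processor"]), key, int(f["microcode"], 16)))
    return cpus

def audit(text, baseline):
    findings, seen = [], defaultdict(set)
    for cpu, key, rev in parse_cpuinfo(text):
        seen[key].add(rev)
        if key not in baseline:
            findings.append((cpu, "no-baseline", rev))
        elif rev < baseline[key]:
            findings.append((cpu, "below-baseline", rev))
    for key, revs in seen.items():
        if len(revs) > 1:  # microcode is loaded per core; all should match
            findings.append((key, "mixed-revisions", sorted(revs)))
    return findings
```

On a live system, pass the contents of `/proc/cpuinfo` to `audit()` in place of the sample. A reported revision only reflects what the CPU exposes, so treat it as a patch-compliance check rather than proof of microcode integrity.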