In a press release, AMD has acknowledged a potential vulnerability in UEFI motherboard firmware and promised to roll out fixes by the end of June. The security flaw called, “SMM Callout Privilege Escalation” is supposedly present in the AGESA microcode provided by AMD to board partners. It allows an attacker to execute arbitrary code without the OS being aware (via AGESA).
Originally reported by security researcher Danny Odler, the vulnerability exists in the “System Management Mode” (SSM, Ring -2) code that is part of the UEFI image. This is part of the most low-level and privileged code executable on an x86 based processor. It can attack not only the kernel, but the hypervisor as well as any low-level OS component.
As per AMD’s official statement, this flaw affects only certain client and embedded APUs launched between 2016 and 2019. Team Red has already supplied most vendors with the updated AGESA code while the rest are slated to be delivered by June end.