7.2 CVE-2024-56161

 

Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.
https://nvd.nist.gov/vuln/detail/CVE-2024-56161

Categories

CWE-347 : Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Does not properly verify signatures for "trusted" entities. Insufficient verification allows spoofing. Insufficient verification allows spoofing. Accepts a configuration file without a Message Integrity Check (MIC) signature.

References


 

CPE

cpe start end


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
463 Padding Oracle Crypto Attack
High
475 Signature Spoofing by Improper Validation
High