www.amd.com
23.35.228.87  Public Scan

Submitted URL: https://www.amd.com/en/resources/product-security.html#security
Effective URL: https://www.amd.com/en/resources/product-security.html
Submission: On March 13 via api from IN — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content


AMD PRODUCT SECURITY

ON THIS PAGE
 * Security Bulletins
 * Vulnerability Disclosure Policy
 * Security Support Policy
 * AMD PGP Key
 * Archive


SECURITY IS A PRIORITY

AMD drives innovation in high-performance computing, graphics, and visualization
technologies - the building blocks for gaming, immersive platforms, cloud and
datacenters. Security is a priority consideration from the moment our products
are conceived, including intensive security reviews during the hardware and
software development process.

Throughout the lifetime of a product, AMD seeks more efficient ways to make our
products more secure, including working closely with partners, academics,
researchers, and end users in the ecosystem. As a CNA (CVE Numbering Authority)
member we follow coordinated vulnerability disclosure practices and seek to
respond quickly and appropriately to reported issues. 




As members of FIRST (Forum of Incident Response and Security Teams) our PSIRT
team is trained to respond systematically to potential issues reported to AMD.

AMD also recommends users follow security best practices, including keeping your
operating system up-to-date, running the latest versions of firmware and
software, and regularly running antivirus software.





SECURITY BULLETINS

Product Security Bulletins are listed below. Click on the Title link in the
table to view more details.


| Bulletin ID | Title | CVEs | Published Date | Last Updated Date |
| --- | --- | --- | --- | --- |
| AMD-SB-7016 | Speculative Race Conditions (SRCs) | CVE-2024-2193 | Mar 12, 2024 | Mar 12, 2024 |
| AMD-SB-6011 | WebGPU Browser-based GPU Cache Side-Channel | N/A | Mar 12, 2024 | Mar 12, 2024 |
| AMD-SB-1000 | AMD Graphics Driver for Windows 10 | CVE-2020-12902, CVE-2020-12891, CVE-2020-12892, CVE-2020-12893, CVE-2020-12894, CVE-2020-12895, CVE-2020-12898, CVE-2020-12901, CVE-2020-12903, CVE-2020-12900, CVE-2020-12929, CVE-2020-12960, CVE-2020-12980, CVE-2020-12981, CVE-2020-12982, CVE-2020-12983, CVE-2020-12985, CVE-2020-12962, CVE-2020-12904, CVE-2020-12905, CVE-2020-12920, CVE-2020-12964, CVE-2020-12987, CVE-2020-12920, CVE-2020-12899, CVE-2020-12897, CVE-2020-12963 | Nov 09, 2021 | Mar 04, 2024 |
| AMD-SB-1021 | AMD Server Vulnerabilities – November 2021 | CVE-2020-12944, CVE-2020-12946, CVE-2020-12951, CVE-2020-12954, CVE-2020-12961, CVE-2020-12988, CVE-2021-26312, CVE-2021-26315, CVE-2021-26320, CVE-2021-26321, CVE-2021-26322, CVE-2021-26323, CVE-2021-26325, CVE-2021-26326, CVE-2021-26327, CVE-2021-26329, CVE-2021-26330, CVE-2021-26331, CVE-2021-26335, CVE-2021-26336, CVE-2021-26337, CVE-2021-26338, CVE-2020-12951, CVE-2021-26324, CVE-2021-26332, CVE-2021-26351, CVE-2021-26352, CVE-2021-26353, CVE-2021-26370, CVE-2021-26390, CVE-2021-26408, CVE-2021-46771 | Nov 08, 2021 | Mar 04, 2024 |
| AMD-SB-7005 | Return Address Security Bulletin | CVE-2023-20569 | Aug 08, 2023 | Feb 28, 2024 |
| AMD-SB-8002 | AMD UltraScale™/UltraScale+™ FPGA Series RSA Authentication | CVE-2023-20570 | Feb 13, 2024 | Feb 13, 2024 |
| AMD-SB-3007 | SEV-SNP Firmware Vulnerabilities | CVE-2023-31346, CVE-2023-31347 | Feb 13, 2024 | Feb 13, 2024 |
| AMD-SB-7009 | AMD Processor Vulnerabilities | CVE-2023-20576, CVE-2023-20577, CVE-2023-20579, CVE-2023-20587 | Feb 13, 2024 | Feb 13, 2024 |
| AMD-SB-5001 | AMD Embedded Processors Vulnerabilities – February 2024 | CVE-2020-12930, CVE-2020-12931, CVE-2021-46757, CVE-2022-23820, CVE-2022-23821, CVE-2023-20563, CVE-2023-20565, CVE-2021-46754, CVE-2021-46774, CVE-2023-20533, CVE-2023-20566, CVE-2023-20571, CVE-2021-26345, CVE-2021-46762, CVE-2021-46766, CVE-2022-23830, CVE-2023-20521, CVE-2023-20526, CVE-2021-26392, CVE-2021-26393 | Feb 13, 2024 | Feb 13, 2024 |
| AMD-SB-7011 | AMD SMM Supervisor Vulnerability Security Notice | CVE-2023-20596 | Nov 14, 2023 | Jan 16, 2024 |

Showing 1 to 10 of 58 entries


VULNERABILITY DISCLOSURE POLICY

At AMD, we treat potential security vulnerabilities seriously and seek to
respond swiftly and comprehensively. From inception to production, AMD aims to
incorporate security features into its products, and we actively review for
potential security vulnerabilities. AMD is committed to working across the
ecosystem, including customers, vendors, academics, researchers, and users, to
provide a secure computing environment.


SCOPE


The AMD Vulnerability Disclosure Policy covers AMD APUs, CPUs, DPUs, GPUs,
FPGAs, and software.

We encourage well-researched reports that focus on real-world security threats,
including a PoC (Proof of Concept) with minimal dependencies. Reported issues
requiring physical access to the system to exploit are out of scope in some
situations.

AMD encourages finding and reporting potential security vulnerabilities through
psirt@amd.com if individuals:

 * Conduct research that does not harm AMD or our customers
   
 * Test within the scope of this Vulnerability Disclosure Policy (VDP)
   
 * Adhere to the applicable laws both in their location and the United States
   
 * Refrain from disclosing vulnerability details before a mutually agreed-upon
   date
   

Currently, AMD PSIRT does not have a bug bounty program.


HOW TO SUBMIT A VULNERABILITY REPORT


To report a potential security vulnerability in any AMD product, please send an
email to the AMD Product Security Team at psirt@amd.com. Encryption is not
required, but if preferred, you can see our public key below. AMD follows
Coordinated Vulnerability Disclosure (CVD), and expects all security researchers
to do the same. Security researchers who submit a validated report and follow
CVD will be given credit in our published security bulletin.

We request the following information for triage and analysis:

 * Well-researched reports in English
   
 * Product name, including software or firmware version
 * Reports that include proof-of-concept code
   
 * Description of how the issue was found, the impact and any potential
   remediation
   
 * Plans or intentions for public disclosure
   

Providing this information helps us triage more efficiently. Any missing
information may cause delays in our ability to address the vulnerability.


WHAT YOU CAN EXPECT FROM AMD


The AMD Product Security Incident Response Team (PSIRT) is the focal point for
reporting potential AMD product security issues. AMD PSIRT interfaces with the
product security ecosystem, including security researchers, industry peers,
government organizations, customers, and vendors, working together to report
potential AMD product security issues. The PSIRT team, working with various
teams within AMD, follows this high-level process:


TRIAGE

Reviews submitted information, logs the issue, assigns a ticket ID, and
identifies the appropriate engineering team(s).


ANALYSIS

Validates issues and determines severity, impact, and criticality.


REMEDIATE

If remediation is required, works with business units and product development
to define the approach and plans.


DISCLOSURE

Appropriate notification to affected customers and/or issuance of public
security bulletin.


REVIEW

Leverage feedback from customers, researchers and internal teams to further
improve product security.





CYCLE TIME FOR MITIGATION

As an upstream provider and participant in Coordinated Vulnerability Disclosure
(CVD), AMD requires sufficient time between the initial report and public
disclosure. Some issues require AMD to provide a mitigation to our customers who
then integrate and ship patched products. Other issues require a coordinated
approach where part of a mitigation may be made by AMD and other parts by
various eco-system vendors. In all cases, we work to integrate the changes and
validate the mitigations in addition to coordinating any associated disclosures.

Disclosure timeliness is determined on an issue-by-issue basis, and with the
protection of the end-user in mind. A general operating principle is to disclose
in a timeframe appropriate to the situation. In some cases, this may be
completed in the common embargo timeframe of 90 days. In most cases, because of
eco-system and product complexity, mitigations take longer to develop,
integrate, and provide to end-users. In these cases, the embargo will be longer
to allow vendors and partners to adequately patch systems.


SECURITY SUPPORT POLICY

Refer to the AMD Security Support Policy to learn how AMD provides support for
security related issues.


See Policy


AMD PGP KEY

View Key


BULLETINS ARCHIVE

 1. 2021
 2. 2020
 3. 2019
 4. 2018

3/26/21


PREDICTIVE STORE FORWARDING

https://community.amd.com/t5/amd-business-blog/predictive-store-forwarding/ba-p/456422

UPDATED 2/24/21 (originally posted 11/10/2020)


RAPL (CVE-2020-12912)

In a paper titled, "PLATYPUS:  Software-based Power Side-Channel Attacks on
x86", researchers from Graz University of Technology and CISPA Helmholtz Center
for Information Security describe a differential power analysis method to use
the Linux-based Running Average Power Limit (RAPL) interface to show various
side channel attacks.

In line with industry partners, AMD has updated the RAPL interface to require
privileged access. The change is in the process of being integrated into Linux
distributions.

 


TPM VULNERABILITY - NON ORDERLY SHUTDOWN FAILED TRIES (CVE-2020-12926)

AMD was notified by the Trusted Computing Group (TCG) that its Trusted Platform
Modules (TPM) reference software may not properly track the number of times a
failed shutdown happens. This can leave the TPM in a state where confidential
key material in the TPM may be able to be compromised. AMD believes that the
attack requires physical access to the device because the power must be
repeatedly turned on and off. This potential attack may be used to change
confidential information, alter executables signed by key material in the TPM,
or create a denial of service of the device.

AMD has provided mitigations to motherboard vendors.

 


PRIVILEGE ESCALATION IN ATILLK64.SYS (CVE-2020-12927)

A researcher (h0mbre pwner) notified AMD of a potential vulnerability in a
driver created with the AMD VBIOS Flash Tool Software Development Kit (SDK). The
disclosed vulnerability may allow low privileged users to potentially escalate
privilege to administrator privileges on Windows. The potential vulnerability is
in the AMD VBIOS Flash Tool Software Development Kit (SDK) used by customers to
create drivers. AMD has provided mitigations in the AMD VBIOS Flash Tool
Software Development Kit (SDK) 3.12.


 


ESCAPE HANDLER (CVE-2020-12933)

10/13/2020

Our ecosystem collaborator Cisco Talos has published a new potential
vulnerability in AMD graphics drivers, which may result in a blue screen. The
issue was addressed in Radeon™ Software Adrenalin 2020 Edition available here.

AMD believes that confidential information and long-term system functionality
are not impacted, and users can resolve the issue by restarting the computer.  

A specially crafted D3DKMTEscape request can cause an out-of-bounds read in
Windows OS kernel memory area. This vulnerability can be triggered from a
non-privileged account.

We thank the researchers for their ongoing collaboration and coordinated
disclosure. More information on their research can be found on the Cisco Talos
website.

 


AMD RYZEN MASTER™ DRIVER VULNERABILITY (CVE-2020-12928)

10/13/2020

A researcher has discovered a potential security vulnerability impacting AMD
Ryzen™ Master that may allow authenticated users to elevate from user to system
privileges. AMD has released a mitigation in AMD Ryzen Master 2.2.0.1543. AMD
believes that the attack must come from a non-privileged process already running
on the system when the local user runs AMD Ryzen™ Master and that a remote
attack has not been demonstrated. The latest version of the software is
available for download at https://www.amd.com/en/technologies/ryzen-master.

We thank the researcher for the ongoing collaboration and coordinated
disclosure.

 


CREATEALLOCATION (CVE-2020-12911)

10/7/2020

Our ecosystem collaborator Cisco Talos has published a new potential
vulnerability in AMD graphics drivers, which may result in a blue screen. AMD
believes that confidential information and long-term system functionality are
not impacted, and that the user can resolve the issue by restarting the
computer. AMD plans to issue updated graphics drivers to address the issue in
the first quarter of 2021.

The research finds that a specially crafted D3DKMTCreateAllocation API request
can cause an out-of-bounds read and denial of service (BSOD). This vulnerability
can be triggered from non-privileged accounts.

We thank the researchers for their ongoing collaboration and coordinated
disclosure. More information on their research can be found on the Cisco Talos
website.

 


PIXEL SHADER ON HYPER-V (CVE-2020-6100, CVE-2020-6101, CVE-2020-6102,
CVE-2020-6103)

7/14/20

New research from our ecosystem collaborator Cisco Talos explores potential
vulnerabilities in a specific virtual machine (VM) configuration using AMD GPU
or APU processors. AMD will issue updated graphics drivers to help remediate the
issues in September 2020.

The research finds that on a compromised Windows guest Microsoft Hyper-V VM
based on an AMD GPU or APU with an AMD graphics driver installed and with
Microsoft’s RemoteFX 3D feature enabled, an attacker could potentially pass
maliciously malformed pixel shaders and gain access to a host machine.

RemoteFX 3D is a Microsoft feature that was previously discontinued as a new
feature for VMs running Windows 10 in 2018 and in Windows Server in 2019. On
July 14, 2020, Microsoft released an advisory announcing the immediate disabling
and eventual removal of its RemoteFX 3D feature.

AMD will issue updated graphics drivers to remediate these issues for existing
VMs that use the RemoteFX 3D feature in September 2020 on the AMD Support
webpage for AMD customers that purchased an AMD GPU or APU. For original
equipment manufacturer (OEM) and add-in-board (AIB) products, AMD recommends
users contact the manufacturer.

We thank the researchers for their ongoing collaboration and coordinated
disclosure. More information on their research can be found on the Cisco Talos
website.

 


SMM CALLOUT PRIVILEGE ESCALATION (CVE-2020-12890)

6/17/20

AMD is aware of new research related to a potential vulnerability in AMD
software technology supplied to motherboard manufacturers for use in their
Unified Extensible Firmware Interface (UEFI) infrastructure and plans to
complete delivery of updated versions designed to mitigate the issue by the end
of June 2020.

The targeted attack described in the research requires privileged physical or
administrative access to a system based on select AMD notebook or embedded
processors. If this level of access is acquired, an attacker could potentially
manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute
arbitrary code undetected by the operating system.

AMD believes this only impacts certain client and embedded APU processors
launched between 2016 and 2019. AMD has delivered the majority of the updated
versions of AGESA to our motherboard partners and plans to deliver the remaining
versions by the end of June 2020. AMD recommends following the security best
practice of keeping devices up-to-date with the latest patches. End users with
questions about whether their system is running on these latest versions should
contact their motherboard or original equipment/system manufacturer.

We thank Danny Odler for his ongoing security research.


 


TRRESPASS (CVE-2020-10255)

UPDATED 5/22/20 (originally posted 3/10/20)

AMD is aware of new research related to an industry-wide DRAM issue called
TRRespass whereby researchers demonstrated a method that claims to bypass
existing Targeted Row Refresh (TRR) mitigations. AMD microprocessor products
include memory controllers designed to meet industry-standard DDR
specifications, and we have enabled platform providers with an expanded set of
controls that can be configured into their BIOS in consultation with DRAM
vendors. Susceptibility varies based on DRAM device, vendor, technology and
system settings.

AMD recommends contacting the DRAM or system manufacturer to determine any
susceptibility to this issue, in addition to enabling existing DRAM mitigations
that reduce a system’s susceptibility to Row Hammer-style attacks like
TRRespass, including:

 * Using DRAM supporting Error Correcting Codes (ECC)
 * Using DRAM and memory controllers supporting Targeted Row Refresh (TRR)
 * Using memory refresh rates above 1x
 * Using AMD CPUs with memory controllers that support a Maximum Activate Count
   (MAC)

We thank the researchers for their collaboration and for participating in the
industry best practice of coordinated disclosure. For more information on their
research, visit their website.
 

 


TAKE A WAY

3/7/20

We are aware of a new white paper that claims potential security exploits in AMD
CPUs, whereby a malicious actor could manipulate a cache-related feature to
potentially transmit user data in an unintended way. The researchers then pair
this data path with known and mitigated software or speculative execution side
channel vulnerabilities. AMD believes these are not new speculation-based
attacks.

AMD continues to recommend the following best practices to help mitigate against
side-channel issues:

 * Keeping your operating system up-to-date by operating at the latest version
   revisions of platform software and firmware, which include existing
   mitigations for speculation-based vulnerabilities
 * Following secure coding methodologies
 * Implementing the latest patched versions of critical libraries, including
   those susceptible to side channel attacks
 * Utilizing safe computer practices and running antivirus software

 


SHADER FUNCTIONALITY REMOTE CODE EXECUTION (CVE-2019-5049, CVE-2019-5098,
CVE-2019-5146, CVE-2019-5147, CVE-2019-5124, CVE-2019-5183)

UPDATED 1/27/20 and 12/3/19 to add new CVE# (originally posted 9/16/19)

Through ongoing collaboration with industry partners, AMD became aware of a
potential vulnerability in a specific virtual machine application when using an
AMD GPU or APU and has delivered an updated graphics driver to remediate the
exploit.

The specific conditions of this exploit require a virtual machine with an AMD
GPU or APU running VMware Workstation Pro on a compromised guest Windows OS.
Under these conditions, an attacker could modify a compiled shader and use it to
expose sensitive user information. AMD updated the kernel mode driver code in
its graphics drivers starting with version 19.8.1 to remediate this application
exploit.

The updated graphics drivers are available on the AMD Support webpage for AMD
customers that purchased an AMD GPU or APU. For original equipment manufacturer
(OEM) and add-in-board (AIB) products, AMD recommends users contact the
manufacturer.

We thank Cisco Talos for their collaboration on this matter and allowing us the
necessary time to prepare mitigations. For more information, visit their
website.


SCREWED DRIVERS 

8/11/19 

At AMD, security is a top priority. We were made aware of the public disclosure
of potential industry-wide, driver-related vulnerabilities on August 11, 2019
and, after gaining new information from the researcher, AMD now believes this is
related to a disclosure communicated to us earlier this year regarding the
AMDVBFlash graphics driver tool that was temporarily made available on our
website so early adopters of older AMD graphics products could perform a needed
Video BIOS refresh and has since been removed. AMD is continuing to investigate
the issue to determine if any other of our drivers may be affected. 

 


SWAPGS (CVE-2019-1125)

8/6/19

AMD is aware of new research claiming new speculative execution attacks that may
allow access to privileged kernel data. Based on external and internal analysis,
AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD
products are designed not to speculate on the new GS value following a
speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation
is to implement our existing recommendations for Spectre variant 1.

Specific details by published description:

| Description | AMD Recommendation |
| --- | --- |
| SWAPGS instruction speculation at CPL3 (Scenario 1) | AMD believed not impacted |
| SWAPGS instruction speculation at CPL0 (Scenario 2, Variant 1) | AMD believed not impacted |
| GS base value speculation (Scenario 2, Variant 2) | AMD recommends implementing existing mitigations for Spectre variant 1 |

 


SECURE ENCRYPTED VIRTUALIZATION INVALID ECC CURVE POINTS (CVE-2019-9836)

6/25/19

At AMD, security remains a top priority and we continue to work to identify any
potential risks for our customers. Through ongoing collaboration with industry
researchers AMD became aware that, if using the user-selectable AMD secure
encryption feature on a virtual machine running the Linux operating system, an
encryption key could be compromised by manipulating the encryption technology’s
behavior. AMD released firmware-based cryptography updates to our ecosystem
partners and on the AMD website to remediate this risk.


 


RAMBLEED (CVE-2019-0174)

6/12/19

Researchers reported a new vulnerability called RamBleed that exploits the
electrical interaction between close-packed DDR3 and DDR4 DRAM circuitry to
potentially expose kernel privileges and confidential information. Based on our
internal analysis, AMD believes the industry-known mitigations for RowHammer, in
addition to AMD Secure Memory Encryption (SME) and AMD Secure Encrypted
Virtualization (SEV), protect against RamBleed.

Previous RowHammer Guidance

The RowHammer issue identified in the Google release is an industry-wide DRAM
issue that affects DRAMs manufactured on newer process technologies that are not
designed to address this issue.  AMD microprocessor products include memory
controllers designed to meet industry-standard DDR specifications.

The possibility of this issue happening on a system depends on the DRAM in the
system. Susceptibility to this issue varies by DRAM vendor, technology, and DRAM
device. Contact your system vendor to see if you have susceptible DRAM.

Mitigations include:

 * Upgrade the system BIOS to double the refresh rate to reduce the error rate;
   or
 * Use memory manufactured on older and unaffected technologies or newer memory
   that has design fixes to address this problem and upgrade your BIOS to
   recognize the newer memory.

 


FALLOUT, ROGUE IN-FLIGHT DATA LOAD (RIDL), AND ZOMBIELOAD ATTACK
(CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091) 

5/14/19

At AMD we develop our products and services with security in mind. Based on our
analysis and discussions with the researchers, we believe our products are not
susceptible to ‘Fallout’, ‘RIDL’ or ‘ZombieLoad Attack’ because of the hardware
protection checks in our architecture. We have not been able to demonstrate
these exploits on AMD products and are unaware of others having done so. 

For more information, see our new white paper, titled “Speculation Behavior in
AMD Micro-Architectures.”


 


SPOILER (CVE-2019-0162)

3/15/19

We are aware of the report of a new security exploit called SPOILER which can
gain access to partial address information during load operations. The SPOILER
exploit can gain access to partial address information above address bit 11
during load operations. AMD processors do not use partial address matches above
address bit 11 when resolving load conflicts. 


SPLITSPECTRE

12/6/18

AMD is aware of the latest research published claiming new approaches to
speculative execution attacks called SplitSpectre. AMD believes the mitigation
is to implement our existing speculative execution recommendations.

 


PORTSMASH (CVE-2018-5407)

11/27/18

AMD does not believe the PortSmash issue
(https://seclists.org/oss-sec/2018/q4/123) is related to previously found
speculative execution issues like Spectre. Instead, AMD believes the issues are
related to any processor that uses simultaneous multithreading (SMT), including
those from AMD, that is vulnerable to software that exposes the activity of one
process to another running on the same processor. We believe this issue can be
mitigated in software by using side-channel countermeasures. For example,
OpenSSL, which was used in the researcher’s proof of concept, has already been
updated to address this type of attack.

 


AMD RESPONSE TO SYSTEMATIC EVALUATIONS OF TRANSIENT EXECUTION VARIANTS

11/13/18

AMD is aware of the latest research published claiming new speculative execution
attacks. AMD believes it is not vulnerable to some of these attacks because of
the hardware paging architecture protections in AMD devices and, for those that
are not solved by our paging architecture protections, the mitigation is to
implement our existing recommendations.

Specific recommendations by published description:

New Variants of Spectre v1 – AMD recommends implementing existing mitigations

 * Pattern History Table - Cross Address - Out of Place (PHT-CA-OP)
 * Pattern History Table - Cross Address - In Place (PHT-CA-IP)
 * Pattern History Table - Same Address - Out of Place (PHT-SA-OP)

New Variants of Spectre v2 – AMD recommends implementing existing mitigations

 * Branch Target Buffer - Same Address - In Place (BTB-SA-IP)
 * Branch Target Buffer - Same Address - Out of Place (BTB-SA-OP)

New Variant of Meltdown

 * Meltdown-BK – AMD believes this does not affect its platforms because AMD
   does not have this feature in its products

New Variant of Spectre v1 – referred by researchers as a Meltdown variant

 * Meltdown-BD – AMD believes 32-bit systems using the BOUND instruction may be
   impacted and recommends implementing existing mitigations for Spectre v1 for
   such systems.

 


2018 FIRMWARE TPM UPDATES

9/26/18

Earlier this year, AMD disclosed mitigations related to potential security
vulnerabilities for AMD firmware Trusted Platform Module (fTPM) versions v.96,
v1.22, and v1.37. AMD believes the fTPM vulnerabilities only apply to some of
its client processors as fTPM is not enabled on AMD server, graphics and
embedded products. AMD has delivered a patch to PC manufacturers to address the
issue.

Microsoft Windows users can verify their fTPM version and find instructions to
clear the TPM at:
https://docs.microsoft.com/en-us/windows/device-security/tpm/initialize-and-configure-ownership-of-the-tpm

AMD has recommended that PC manufacturers qualify and release an updated BIOS
integrating the fTPM patch, as appropriate, into production at the next
available opportunity and provide guidance to end users to apply fixes as
defined based on the product. For fTPM v1.37, AMD has notified PC manufacturers
that they should consider updating the system BIOS ahead of clearing the fTPM to
help protect generated platform-level keys.

AMD recommends users contact their PC manufacturer for platform-specific
instructions as a part of following best security practices to keep devices
up-to-date with the latest patches.


 


FORESHADOW (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646)

8/14/18 – Updated

As in the case with Meltdown, we believe our processors are not susceptible to
these new speculative execution attack variants: L1 Terminal Fault – SGX (also
known as Foreshadow) CVE-2018-3615, L1 Terminal Fault – OS/SMM (also known as
Foreshadow-NG) CVE-2018-3620, and L1 Terminal Fault – VMM (also known as
Foreshadow-NG) CVE-2018-3646, due to our hardware paging architecture
protections. We are advising customers running AMD EPYC™ processors in their
data centers, including in virtualized environments, to not implement
Foreshadow-related software mitigations for their AMD platforms.


 


SPECTRE MITIGATION UPDATE

7/13/18

This week, a sub-variant of the original Google Project Zero (GPZ) variant 1 /
Spectre security vulnerability was disclosed by MIT. Consistent with variant 1,
we believe this threat can be mitigated through the operating system (OS). AMD
is working with the software ecosystem to mitigate variant 1.1 through operating
system updates where necessary. We have not identified any AMD x86 products
susceptible to the Variant 1.2 vulnerability in our analysis to date. Please
check with your OS provider for the latest information.

AMD has also updated related portions of the Software Techniques for Managing
Speculation on AMD Processors white paper.


 


TLBLEED

7/12/18

Based on our analysis to date, we have not identified any AMD products that are
vulnerable to the TLBleed side-channel attack identified by researchers. Security
remains a top priority and we will continue to work to identify any potential
risks for our customers and, if needed, potential mitigations.

 


LAZYFPU (CVE-2018-3665)

6/18/18

Based on our analysis to date, because of our unique processor implementation we
currently do not believe our products are susceptible to the recent security
vulnerability identified around lazy FPU switching.


 


“SPECULATIVE STORE BYPASS” VULNERABILITY MITIGATIONS FOR AMD PLATFORMS

5/21/18

Today, Microsoft and Google Project Zero researchers have identified a new
category of speculative execution side channel vulnerability (Speculative Store
Bypass or SSB) that is closely related to the previously disclosed GPZ/Spectre
variant 1 vulnerabilities.  Microsoft has released an advisory on the
vulnerability and mitigation plans. 

AMD recommended mitigations for SSB are being provided by operating system
updates back to the Family 15 processors (“Bulldozer” products). For technical
details, please see the AMD white paper. Microsoft is completing final testing
and validation of AMD-specific updates for Windows client and server operating
systems, which are expected to be released through their standard update
process.  Similarly, Linux distributors are developing operating system updates
for SSB. AMD recommends checking with your OS provider for specific guidance on
schedules.

Based on the difficulty of exploiting the vulnerability, AMD and our ecosystem
partners currently recommend using the default setting that maintains support
for memory disambiguation.

We have not identified any AMD x86 products susceptible to the Variant 3a
vulnerability in our analysis to date.

As a reminder, security best practices of keeping your operating system and BIOS
up-to-date, utilizing safe computer practices and running antivirus software are
always the first line of defense in maintaining device security.

 


SPECTRE MITIGATION UPDATE

4/10/18  (Updated 5/8/18 to reflect Microsoft release of Windows Server 2016)

Today, AMD is providing updates regarding our recommended mitigations for Google
Project Zero (GPZ) Variant 2 (Spectre) for Microsoft Windows users. These
mitigations require a combination of processor microcode updates from our OEM
and motherboard partners, as well as running the current and fully up-to-date
version of Windows. For Linux users, AMD recommended mitigations for GPZ Variant
2 were made available to our Linux partners and have been released to
distribution earlier this year.

As a reminder, GPZ Variant 1 (Spectre) mitigation is provided through operating
system updates that were made available previously by AMD ecosystem partners.
GPZ Variant 3 (Meltdown) does not apply to AMD because of our processor design. 

While we believe it is difficult to exploit Variant 2 on AMD processors, we
actively worked with our customers and partners to deploy the above-described
combination of operating system patches and microcode updates for AMD processors
to further mitigate the risk. A white paper detailing the AMD recommended
mitigation for Windows is available, as well as links to ecosystem resources for
the latest updates.

 

Operating System Updates for GPZ Variant 2/Spectre

Microsoft is releasing an operating system update containing Variant 2 (Spectre)
mitigations for AMD users running Windows 10 (version 1709) today. Support for
these mitigations for AMD processors in Windows Server 2016 is expected to be
available following final validation and testing. (Note: May 8, 2018 Microsoft
released an operating system update for Windows Server 2016.)

 

AMD Microcode Updates for GPZ Variant 2/Spectre

In addition, microcode updates with our recommended mitigations addressing
Variant 2 (Spectre) have been released to our customers and ecosystem partners
for AMD processors dating back to the first “Bulldozer” core products introduced
in 2011. 

AMD customers will be able to install the microcode by downloading BIOS updates
provided by PC and server manufacturers and motherboard providers.  Please check
with your provider for the latest updates.

We will provide further updates as appropriate on this site as AMD and the
industry continue our collaborative work to develop solutions to protect users
from security threats.


© 2024 Advanced Micro Devices, Inc.

