www.amd.com
Open in
urlscan Pro
23.35.228.87
Public Scan
Submitted URL: https://www.amd.com/en/resources/product-security.html#security
Effective URL: https://www.amd.com/en/resources/product-security.html
Submission: On March 13 via api from IN — Scanned from DE
Effective URL: https://www.amd.com/en/resources/product-security.html
Submission: On March 13 via api from IN — Scanned from DE
Form analysis
0 forms found in the DOMText Content
* Products Processors Accelerators Graphics Adaptive SoCs, FPGAs, & SOMs Software, Tools, & Apps Processors SERVERS * EPYC BUSINESS SYSTEMS * Laptops * Desktops * Ryzen AI for Business WORKSTATIONS * Ryzen Threadripper * Ryzen PRO for Mobile Workstations * Ryzen EMBEDDED * EPYC and Ryzen * Partner Ecosystem * Industry Solutions PERSONAL LAPTOPS * AMD Advantage Premium * Ryzen with Radeon Graphics * Athlon with Radeon Graphics * Ryzen AI for Consumer PERSONAL DESKTOPS * AMD Advantage Premium * Ryzen * Athlon with Radeon Graphics HANDHELD * Ryzen Z1 Series RESOURCES * Data Center Blogs & Insights * Client & Data Center Tech Docs * EPYC White Papers & Briefs * EPYC Tuning Guides * Product Specifications Accelerators GPU ACCELERATORS * Instinct Accelerators * Documentation ADAPTIVE ACCELERATORS * Alveo Data Center Accelerator Cards * Telco Accelerator Cards * Computational Storage Drives DPU ACCELERATORS * Aruba CX 10000 with Pensando * AMD Pensando DSC-200 SMARTNICS & ETHERNET ADAPTERS * Alveo X3 Series * NIC X2 Series Offload Graphics WORKSTATIONS * Radeon PRO DESKTOPS * AMD Advantage Premium * Radeon RX LAPTOPS * AMD Advantage Premium * Radeon Mobile Graphics RESOURCES * Product Specifications * Documentation Adaptive SoCs, FPGAs, & SOMs ADAPTIVE SOCS & FPGAS * Versal Portfolio * SoC Portfolio * FPGA Portfolio * Cost-Optimized Portfolio SYSTEM-ON-MODULES (SOMS) * SOM Overview * Kria SOMs * KD240 Drives Starter Kit * KV260 Vision AI Starter Kit * KR260 Robotics Starter Kit TECHNOLOGIES * AI Engine * Design Security * Digital Signal Processing * Functional Safety * High Speed Serial * Memory Solutions * Power Efficiency RESOURCES * Intellectual Property * Design Hubs * Developer Hub * Customer Training EVALUATION BOARDS & KITS * Evaluation Boards * Boards & Kits Accessories Software, Tools, & Apps PROCESSOR TOOLS * Ryzen Master Overclocking Utility * PRO Manageability / DMTF DASH * Zen Software Studio * StoreMI GRAPHICS TOOLS & APPS * AMD Software: Adrenalin Edition * AMD Software: PRO Edition * FidelityFX * Radeon ProRender ADAPTIVE SOC & FPGA TOOLS * Design Tools * Vivado Software * Vitis Software * Vitis Model Composer * Vitis HLS * Vitis AI * Embedded Software INTELLECTUAL PROPERTY & APPS * Pre-Built IP Cores * Alveo Accelerator App Store * Kria SOM App Store GPU ACCELERATOR TOOLS & APPS * ROCm Open Software * Infinity Hub Software Containers DPU ACCELERATOR TOOLS * Pensando Data Plane Development Kit * Solutions AI Industries Data Center & Cloud Gaming AI OVERVIEW * AI Solutions * Blogs * Case Studies * Press Releases FOR DATA CENTER & CLOUD * GPU Accelerators * Adaptive Accelerators * Adaptive SoCs for Data Center * Server Processors FOR EDGE & ENDPOINTS * Ryzen AI for Business * Ryzen AI for Consumer * Radeon Graphics Cards * Adaptive SoCs for Edge * Adaptive SoCs for Embedded * System-on-Modules (SOMs) FOR DEVELOPERS * ROCm Developer Hub * Vitis AI Development Platform * ZenDNN Inference Libraries * Ryzen AI Software Industries INDUSTRIES INDUSTRIES * Aerospace & Defense * Architecture, Engineering, & Construction * Automotive * Broadcast & Pro AV * Business & Government * Consumer Electronics INDUSTRIES * Design & Manufacturing * Education * Emulation & Prototyping * Healthcare & Sciences * Industrial & Vision * Media & Entertainment INDUSTRIES * Robotics * Software & Sciences * Supercomputing & Research * Telco & Networking * Test & Measurement * Wired & Wireless Communications Data Center & Cloud WORKLOADS * AI * Database & Analytics * Design & Simulation * Financial Technologies * Supercomputing & Research * Video Transcoding DEPLOYMENTS * Cloud Computing * Cloud Gaming * Gaming-as-a-Service * HCI / Virtualization * Hosting NETWORK, INFRASTRUCTURE, & STORAGE * Computational Storage * DPU Infrastructure Acceleration * Network Acceleration * Telco & Networking RESOURCES * Blogs & Insights * Client & Data Center Tech Docs * EPYC White Papers & Briefs * EPYC Tuning Guides Gaming GAMING * Red Team Community * Featured Games TECHNOLOGIES * Noise Suppression * Privacy View * FidelityFX Super Resolution * Radeon Super Resolution * Smart Technologies SYSTEMS * AMD Advantage * AMD Gaming Laptops * AMD Gaming Desktops * AMD Gaming Handhelds * Resources & Support Downloads Developer Resources Partner Resources Support Downloads EPYC PROCESSORS * Client & Data Center Tech Docs * EPYC White Papers & Briefs * EPYC Tuning Guides RADEON GRAPHICS & AMD CHIPSETS * Drivers * Radeon ProRender Plug-ins * PRO Certified ISV Applications ADAPTIVE SOCS & FPGAS * Vivado ML Developer Tools * Vitis Software Platform * Vitis Accelerated Libraries * Vitis Embedded Platforms * PetaLinux Tools ALVEO ACCELERATORS & KRIA SOMS * Alveo Package Files * Alveo App Store * Kria App Store RYZEN PROCESSORS * Ryzen Master Overclocking Utility * StoreMI * PRO Manageability Tools for IT Administrators ETHERNET ADAPTERS * NIC Software & Downloads Developer Resources OVERVIEW * Developer Central PROCESSORS * Zen Software Studio * EPYC Tuning Guides * EPYC Whitepapers & Briefs ACCELERATORS, SOMS & NICS * ROCm Developer Hub * ROCm Documentation * Infinity Hub Software Containers * Vivado ML Hardware Developer Tools * Vitis Software Developer Tools * Vitis AI Developer Tools ADAPTIVE SOCS & FPGAS * Vivado ML Hardware Developer Tools * Documentation * Product Training * Developer Program * Partner Solutions GRAPHICS * GPUOpen Open Source Tools * Documentation Partner Resources OVERVIEW * Partner Hub PRODUCT INFORMATION & TRAINING * Arena Training * AI Sales & Marketing Tools * AMD vs the Competition * AMD Advantage Resources * Meet the Experts Webinars * Partner Insights PRODUCT SPECIFICATIONS * Partner Motherboards * Partner Graphics Cards * AMD Products RESOURCES * Marketing Materials * Partner Resource Library * Authorized Distributors * For System Integrators * Data Center Marketers Support PROCESSORS & GRAPHICS * Technical & Warranty Help * Support Forums * Product Specifications * Product Security (PSIRT) DPU ACCELERATORS * AMD Pensando Product Support ADAPTIVE SOCS & FPGAS * Support Home * Knowledge Base * Community Forums * Documentation * Design Hubs * Product Return * Shop Shop AMD Shop AMD GAMING & PERSONAL COMPUTING * Ryzen Processors * Radeon Graphics Cards * Promotions & Bundles * Shop All ADAPTIVE & EMBEDDED COMPUTING * System on Modules (SOMs) * Data Center Accelerator Cards * Adaptive SoC & FPGA Evaluation Kits GET AMD FAN GEAR * Visit the Store SHOP OUR RETAIL PARTNERS * Ryzen Processors * Radeon Graphics Cards * Advantage Laptops * Advantage Desktops * Gaming Handhelds * * * My Account * Create Account * * * English * 简体中文 * 繁體中文 * Français * Deutsch * 日本語 * 한국어 * Português * Español * * * Shopping Cart YOUR CART IS EMPTY Looks like you have no items in your shopping cart. 1. 2. Product Security AMD PRODUCT SECURITY ON THIS PAGE * Security Bulletins * Vulnerability Disclosure Policy * Security Support Policy * AMD PGP Key * Archive SECURITY IS A PRIORITY AMD drives innovation in high-performance computing, graphics, and visualization technologies - the building blocks for gaming, immersive platforms, cloud and datacenters. Security is a priority consideration from the moment our products are conceived, including intensive security reviews during the hardware and software development process. Throughout the lifetime of a product, AMD seeks more efficient ways to make our products more secure, including working closely with partners, academics, researchers, and end users in the ecosystem. As a CNA (CVE Numbering Authority) member we follow coordinated vulnerability disclosure practices and seek to respond quickly and appropriately to reported issues. As members of FIRST (Forum of Incident Response and Security Teams) our PSIRT team is trained to respond systematically to potential issues reported to AMD. AMD also recommends users follow security best practices, including keeping your operating system up-to-date, running the latest versions of firmware and software, and regularly running antivirus software. SECURITY BULLETINS Product Security Bulletins are listed below. Click on the Title link in the table to view more details. Show 102550100 entries Search: Bulletin IDTitleCVESPublished DateLast Updated Date AMD-SB-7016 Speculative Race Conditions (SRCs) CVE-2024-2193 Mar 12, 2024 Mar 12, 2024 AMD-SB-6011 WebGPU Browser-based GPU Cache Side-Channel N/A Mar 12, 2024 Mar 12, 2024 AMD-SB-1000 AMD Graphics Driver for Windows 10 CVE-2020-12902, CVE-2020-12891, CVE-2020-12892, CVE-2020 -12893, CVE-2020-12894, CVE-2020-12895, CVE-2020-12898, CVE-2020-12901, CVE-2020-12903, CVE-2020-12900, CVE-2020-12929, CVE-2020-12960, CVE-2020-12980, CVE-2020-12981, CVE-2020-12982, CVE-2020-12983, CVE-2020-12985, CVE-2020-12962, CVE-2020-12904, CVE-2020-12905, CVE-2020-12920, CVE-2020-12964, CVE-2020-12987, CVE-2020-12920, CVE-2020-12899, CVE-2020-12897, CVE-2020-12963 Nov 09, 2021 Mar 04, 2024 AMD-SB-1021 AMD Server Vulnerabilities – November 2021 CVE-2020-12944, CVE-2020-12946, CVE-2020-12951, CVE-2020-12954, CVE-2020-12961, CVE-2020-12988, CVE-2021-26312, CVE-2021-26315, CVE-2021-26320, CVE-2021-26321, CVE-2021-26322, CVE-2021-26323, CVE-2021-26325, CVE-2021-26326, CVE-2021-26327, CVE-2021-26329, CVE-2021-26330, CVE-2021-26331, CVE-2021-26335, CVE-2021-26336, CVE-2021-26337, CVE-2021-26338, CVE-2020-12951, CVE-2021-26324, CVE-2021-26332, CVE-2021-26351, CVE-2021-26352, CVE-2021-26353, CVE-2021-26370, CVE-2021-26390, CVE-2021-26408, CVE-2021-46771 Nov 08, 2021 Mar 04, 2024 AMD-SB-7005 Return Address Security Bulletin CVE-2023-20569 Aug 08, 2023 Feb 28, 2024 AMD-SB-8002 AMD UltraScale™/UltraScale+™ FPGA Series RSA Authentication CVE-2023-20570 Feb 13, 2024 Feb 13, 2024 AMD-SB-3007 SEV-SNP Firmware Vulnerabilities CVE-2023-31346, CVE-2023-31347 Feb 13, 2024 Feb 13, 2024 AMD-SB-7009 AMD Processor Vulnerabilities CVE-2023-20576, CVE-2023-20577, CVE-2023-20579, CVE-2023-20587 Feb 13, 2024 Feb 13, 2024 AMD-SB-5001 AMD Embedded Processors Vulnerabilities – February 2024 CVE-2020-12930, CVE-2020-12931, CVE-2021-46757, CVE-2022-23820, CVE-2022-23821, CVE-2023-20563, CVE-2023-20565, CVE-2021-46754, CVE-2021-46774, CVE-2023-20533, CVE-2023-20566, CVE-2023-20571, CVE-2021-26345, CVE-2021-46762, CVE-2021-46766, CVE-2022-23830, CVE-2023-20521, CVE-2023-20526, CVE-2021-26392, CVE-2021-26393 Feb 13, 2024 Feb 13, 2024 AMD-SB-7011 AMD SMM Supervisor Vulnerability Security Notice CVE-2023-20596 Nov 14, 2023 Jan 16, 2024 Showing 1 to 10 of 58 entries * Previous * 1 * 2 * 3 * 4 * 5 * 6 * Next VULNERABILITY DISCLOSURE POLICY At AMD, we treat potential security vulnerabilities seriously and seek to respond swiftly and comprehensively. From inception to production, AMD aims to incorporate security features into its products, and we actively review for potential security vulnerabilities. AMD is committed to working across the ecosystem, including customers, vendors, academics, researchers, and users, to provide a secure computing environment. SCOPE The AMD Vulnerability Disclosure Policy covers AMD APUs, CPUs, DPUs, GPUs, FPGAs, and software. We encourage well-researched reports that focus on real-world security threats, including a PoC (Proof of Concept) with minimal dependencies. Reported issues requiring physical access to the system to exploit are out of scope in some situations. AMD encourages finding and reporting potential security vulnerabilities through psirt@amd.com if individuals: * Conduct research that does not harm AMD or our customers * Test within the scope of this Vulnerability Disclosure Policy (VDP) * Adhere to the applicable laws both in their location and the United States * Refrain from disclosing vulnerability details before a mutually agreed-upon date Currently, AMD PSIRT does not have a bug bounty program. HOW TO SUBMIT A VULNERABILITY REPORT To report a potential security vulnerability in any AMD product, please send an email to the AMD Product Security Team at psirt@amd.com. Encryption is not required, but if preferred, you can see our public key below. AMD follows Coordinated Vulnerability Disclosure (CVD), and expects all security researchers to do the same. Security researchers who submit a validated report and follow CVD will be given credit in our published security bulletin. We request the following information for triage and analysis: * Well-researched reports in English * Product name, including software or firmware version * Reports that include proof-of-concept code * Description of how the issue was found, the impact and any potential remediation * Plans or intentions for public disclosure Providing this information helps us triage more efficiently. Any missing information may cause delays in our ability to address the vulnerability. WHAT YOU CAN EXPECT FROM AMD The AMD Product Security Incident Response Team (PSIRT) is the focal point for reporting potential AMD product security issues; AMD PSIRT interfaces with the product security ecosystem, including security researchers, industry peers, government organizations, customers, and vendors, working together to report potential AMD product security issues. The PSIRT team, working with various teams within AMD, follows the following high-level process: TRIAGE Review submitted information, logs issue and assigns ticket ID, and identifies appropriate engineering team(s). ANALYSIS Validates issues determining severity, impact and criticality. REMEDIATE If remediation is required works with business units and product development to define approach and plans. DISCLOSURE Appropriate notification to affected customers and/or issuance of public security bulletin. REVIEW Leverage feedback from customers, researchers and internal teams to further improve product security. CYCLE TIME FOR MITIGATION As an upstream provider and participant in Coordinated Vulnerability Disclosure (CVD), AMD requires sufficient time between the initial report and public disclosure. Some issues require AMD to provide a mitigation to our customers who then integrate and ship patched products. Other issues require a coordinated approach where part of a mitigation may be made by AMD and other parts by various eco-system vendors. In all cases, we work to integrate the changes and validate the mitigations in addition to coordinating any associated disclosures. Disclosure timeliness is determined on an issue-by-issue basis, and with the protection of the end-user in mind. A general operating principle is to disclose in a timeframe appropriate to the situation. In some cases, this may be completed in the common embargo timeframe of 90 days. In most cases, because of eco-system and product complexity, mitigations take longer to develop, integrate, and provide to end-users. In these cases, the embargo will be longer to allow vendors and partners to adequately patch systems. SECURITY SUPPORT POLICY Refer to the AMD Security Support Policy to learn how AMD provides support for security related issues. See Policy AMD PGP KEY View Key BULLETINS ARCHIVE 1. 2021 2. 2020 3. 2019 4. 2018 3/26/21 PREDICTIVE STORE FORWARDING https://community.amd.com/t5/amd-business-blog/predictive-store-forwarding/ba-p/456422 UPDATED 2/24/21 (originally posted 11/10/2020) RAPL (CVE-2020-12912) In a paper titled, "PLATYPUS: Software-based Power Side-Channel Attacks on x86", researchers from Graz University of Technology and CISPA Helmholtz Center for Information Security describe a differential power analysis method to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require privileged access. The change is in the process of being integrated into Linux distributions. TPM VULNERABILITY - NON ORDERLY SHUTDOWN FAILED TRIES (CVE-2020 12926) AMD was notified by the Trusted Computing Group (TCG) that its Trusted Platform Modules (TPM) reference software may not properly track the number of times a failed shutdown happens. This can leave the TPM in a state where confidential key material in the TPM may be able to be compromised. AMD believes that the attack requires physical access of the device because the power must be repeatedly turned on and off. This potential attack may be used to change confidential information, alter executables signed by key material in the TPM, or create a denial of service of the device. AMD has provided mitigations to motherboard vendors. PRIVILEGE ESCALATION IN ATILLK64.SYS (CVE-2020-12927) A researcher (h0mbre pwner) notified AMD of a potential vulnerability in a driver created with the AMD VBIOS Flash Tool Software Development Kit (SDK). The disclosed vulnerability may allow low privileged users to potentially escalate privilege to administrator privileges on Windows. The potential vulnerability is in the AMD VBIOS Flash Tool Software Development Kit (SDK) used by customers to create drivers. AMD has provided mitigations in the AMD VBIOS Flash Tool Software Development Kit (SDK) 3.12. ESCAPE HANDLER (CVE-2020-12933) 10/13/2020 Our ecosystem collaborator Cisco Talos has published a new potential vulnerability in AMD graphics drivers, which may result in a blue screen. The issue was addressed in Radeon™ Software Adrenalin 2020 Edition available here. AMD believes that confidential information and long-term system functionality are not impacted, and users can resolve the issue by restarting the computer. A specially crafted D3DKMTEscape request can cause an out-of-bounds read in Windows OS kernel memory area. This vulnerability can be triggered from a non-privileged account. We thank the researchers for their ongoing collaboration and coordinated disclosure. More information on their research can be found on the Cisco Talos website. AMD RYZEN MASTER™ DRIVER VULNERABILITY (CVE-2020-12928) 10/13/2020 A researcher has discovered a potential security vulnerability impacting AMD Ryzen™ Master that may allow authenticated users to elevate from user to system privileges. AMD has released a mitigation in AMD Ryzen Master 2.2.0.1543. AMD believes that the attack must come from a non-privileged process already running on the system when the local user runs AMD Ryzen™ Master and that a remote attack has not been demonstrated. The latest version of the software is available for download at https://www.amd.com/en/technologies/ryzen-master. We thank the researcher for the ongoing collaboration and coordinated disclosure. CREATEALLOCATION (CVE-2020-12911) 10/7/2020 Our ecosystem collaborator Cisco Talos has published a new potential vulnerability in AMD graphics drivers, which may result in a blue screen. AMD believes that confidential information and long-term system functionality are not impacted, and that the user can resolve the issue by restarting the computer. AMD plans to issue updated graphics drivers to address the issue in the first quarter of 2021. The research finds that a specially crafted D3DKMTCreateAllocation API request can cause an out-of-bounds read and denial of service (BSOD). This vulnerability can be triggered from non-privileged accounts. We thank the researchers for their ongoing collaboration and coordinated disclosure. More information on their research can be found on the Cisco Talos website. PIXEL SHADER ON HYPER-V (CVE-2020-6100, CVE-2020-6101, CVE-2020-6102, CVE-2020-6103) 7/14/20 New research from our ecosystem collaborator Cisco Talos explores potential vulnerabilities in a specific virtual machine (VM) configuration using AMD GPU or APU processors. AMD will issue updated graphics drivers to help remediate the issues in September 2020. The research finds that on a compromised Windows guest Microsoft Hyper-V VM based on an AMD GPU or APU with an AMD graphics driver installed and with Microsoft’s RemoteFX 3D feature enabled, an attacker could potentially pass maliciously malformed pixel shaders and gain access to a host machine. RemoteFX 3D is a Microsoft feature that was previously discontinued as a new feature for VMs running Windows 10 in 2018 and in Windows Server in 2019. On July 14, 2020, Microsoft released an advisory announcing the immediate disabling and eventual removal of its RemoteFX 3D feature. AMD will issue updated graphics drivers to remediate these issues for existing VMs that use the RemoteFX 3D feature in September 2020 on the AMD Support webpage for AMD customers that purchased an AMD GPU or APU. For original equipment manufacturer (OEM) and add-in-board (AIB) products, AMD recommends users contact the manufacturer. We thank the researchers for their ongoing collaboration and coordinated disclosure. More information on their research can be found on the Cisco Talos website. SMM CALLOUT PRIVILEGE ESCALATION (CVE-2020-12890) 6/17/20 AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020. The targeted attack described in the research requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors. If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system. AMD believes this only impacts certain client and embedded APU processors launched between 2016 and 2019. AMD has delivered the majority of the updated versions of AGESA to our motherboard partners and plans to deliver the remaining versions by the end of June 2020. AMD recommends following the security best practice of keeping devices up-to-date with the latest patches. End users with questions about whether their system is running on these latest versions should contact their motherboard or original equipment/system manufacturer. We thank Danny Odler for his ongoing security research. TRRESPASS (CVE-2020-10255) UPDATED 5/22/20 (originally posted 3/10/20) AMD is aware of new research related to an industry-wide DRAM issue called TRRespass whereby researchers demonstrated a method that claims to bypass existing Targeted Row Refresh (TRR) mitigations. AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications, and we have enabled platform providers with an expanded set of controls that can be configured into their BIOS’ in consultation with DRAM vendors. Susceptibility varies based on DRAM device, vendor, technology and system settings. AMD recommends contacting the DRAM or system manufacturer to determine any susceptibility to this issue, in addition to enabling existing DRAM mitigations that reduce a system’s susceptibility to Row Hammer-style attacks like TRRespass, including: * Using DRAM supporting Error Correcting Codes (ECC) * Using DRAM and memory controllers supporting Targeted Row Refresh (TRR) * Using memory refresh rates above 1x * Using AMD CPUs with memory controllers that support a Maximum Activate Count (MAC) We thank the researchers for their collaboration and participating in the industry best practice of coordinated disclosure. For more information on their research, visit their website. TAKE A WAY 3/7/20 We are aware of a new white paper that claims potential security exploits in AMD CPUs, whereby a malicious actor could manipulate a cache-related feature to potentially transmit user data in an unintended way. The researchers then pair this data path with known and mitigated software or speculative execution side channel vulnerabilities. AMD believes these are not new speculation-based attacks. AMD continues to recommend the following best practices to help mitigate against side-channel issues: * Keeping your operating system up-to-date by operating at the latest version revisions of platform software and firmware, which include existing mitigations for speculation-based vulnerabilities * Following secure coding methodologies * Implementing the latest patched versions of critical libraries, including those susceptible to side channel attacks * Utilizing safe computer practices and running antivirus software SHADER FUNCTIONALITY REMOTE CODE EXECUTION (CVE-2019-5049, CVE-2019-5098, CVE-2019-5146, CVE-2019-5147, CVE-2019-5124, CVE-2019-5183) UPDATED 1/27/20 and 12/3/19 to add new CVE# (originally posted 9/16/19) Through ongoing collaboration with industry partners, AMD became aware of a potential vulnerability in a specific virtual machine application when using an AMD GPU or APU and has delivered an updated graphics driver to remediate the exploit. The specific conditions of this exploit require a virtual machine with an AMD GPU or APU running VMware Workstation Pro on a compromised guest Windows OS. Under these conditions, an attacker could modify a compiled shader and use it to expose sensitive user information. AMD updated the kernel mode driver code in its graphics drivers starting with version 19.8.1 to remediate this application exploit. The updated graphics drivers are available on the AMD Support webpage for AMD customers that purchased an AMD GPU or APU. For original equipment manufacturer (OEM) and add-in-board (AIB) products, AMD recommends users contact the manufacturer. We thank Cisco Talos for their collaboration on this matter and allowing us the necessary time to prepare mitigations. For more information, visit their website. SCREWED DRIVERS 8/11/19 At AMD, security is a top priority. We were made aware of the public disclosure of potential industry-wide, driver-related vulnerabilities on August 11, 2019 and, after gaining new information from the researcher, AMD now believes this is related to a disclosure communicated to us earlier this year regarding the AMDVBFlash graphics driver tool that was temporarily made available on our website so early adopters of older AMD graphics products could perform a needed Video BIOS refresh and has since been removed. AMD is continuing to investigate the issue to determine if any other of our drivers may be affected. SWAPGS (CVE-2019-1125) 8/6/19 AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data. Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1. Specific details by published description: Description AMD Recommendation SWAPGS instruction speculation at CPL3 (Scenario 1) AMD believed not impacted SWAPGS instruction speculation at CPL0 (Scenario 2, Variant 1) AMD believed not impacted GS base value speculation (Scenario 2, Variant 2) AMD recommends implementing existing mitigations for Spectre variant 1 SECURE ENCRYPTED VIRTUALIZATION INVALID ECC CURVE POINTS (CVE-2019-9836) 6/25/19 At AMD, security remains a top priority and we continue to work to identify any potential risks for our customers. Through ongoing collaboration with industry researchers AMD became aware that, if using the user-selectable AMD secure encryption feature on a virtual machine running the Linux operating system, an encryption key could be compromised by manipulating the encryption technology’s behavior. AMD released firmware-based cryptography updates to our ecosystem partners and on the AMD website to remediate this risk. RAMBLEED (CVE-2019-0174) 6/12/19 Researchers reported a new vulnerability called RamBleed that exploits the electrical interaction between close-packed DDR3 and DDR4 DRAM circuitry to potentially expose kernel privileges and confidential information. Based on our internal analysis, AMD believes the industry-known mitigations for RowHammer, in addition to AMD Secure Memory Encryption (SME) and AMD Secure Encrypted Virtualization (SEV), protect against RamBleed. Previous RowHammer Guidance The RowHammer issue identified in the Google release is an industry-wide DRAM issue that affects DRAMs manufactured on newer process technologies that are not designed to address this issue. AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications. The possibility of this issue happening on a system depends on the DRAM in the system. Susceptibility to this issue varies by DRAM vendor, technology, and DRAM device. Contact your system vendor to see if you have susceptible DRAM. Mitigations include: * Upgrade the system BIOS to double the refresh rate to reduce the error rate; or * Use memory manufactured on older and unaffected technologies or newer memory that has design fixes to address this problem and upgrade your BIOS to recognize the newer memory. FALLOUT, ROGUE IN-FLIGHT DATA LOAD (RIDL), AND ZOMBIELOAD ATTACK (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091) 5/14/19 At AMD we develop our products and services with security in mind. Based on our analysis and discussions with the researchers, we believe our products are not susceptible to ‘Fallout’, ‘RIDL’ or ‘ZombieLoad Attack’ because of the hardware protection checks in our architecture. We have not been able to demonstrate these exploits on AMD products and are unaware of others having done so. For more information, see our new white paper, titled “Speculation Behavior in AMD Micro-Architectures.” SPOILER (CVE-2019-0162) 3/15/19 We are aware of the report of a new security exploit called SPOILER which can gain access to partial address information during load operations. The SPOILER exploit can gain access to partial address information above address bit 11 during load operations. AMD processors do not use partial address matches above address bit 11 when resolving load conflicts. SPLITSPECTRE 12/6/18 AMD is aware of the latest research published claiming new approaches to speculative execution attacks called SplitSpectre. AMD believes the mitigation is to implement our existing speculative execution recommendations. PORTSMASH (CVE-2018-5407) 11/27/18 AMD does not believe the PortSmash issue (https://seclists.org/oss-sec/2018/q4/123) is related to previously found speculative execution issues like Spectre. Instead, AMD believes the issues are related to any processor that uses simultaneous multithreading (SMT), including those from AMD, that is vulnerable to software that exposes the activity of one process to another running on the same processor. We believe this issue can be mitigated in software by using side-channel counter measures. For example, OpenSSL, which was used in the researcher’s proof of concept, has already been updated to address this type of attack. AMD RESPONSE TO SYSTEMATIC EVALUATIONS OF TRANSIENT EXECUTION VARIANTS 11/13/18 AMD is aware of the latest research published claiming new speculative execution attacks. AMD believes it is not vulnerable to some of these attacks because of the hardware paging architecture protections in AMD devices and, for those that are not solved by our paging architecture protections, the mitigation is to implement our existing recommendations. Specific recommendations by published description: New Variants of Spectre v1 – AMD recommends implementing existing mitigations * Pattern History Table - Cross Address - Out of Place (PHT-CA-OP) * Pattern History Table - Cross Address - In Place (PHT-CA-IP) * Pattern History Table - Same Address - Out of Place (PHT-SA-OP) New Variants of Spectre v2 – AMD recommends implementing existing mitigations * Branch Target Buffer - Same Address - In Place (BTB-SA-IP) * Branch Target Buffer - Same Address - Out of Place (BTB-SA-OP) New Variant of Meltdown * Meltdown-BK – AMD believes this does not affect its platforms because AMD does not have this feature in its products New Variant of Spectre v1 – referred by researchers as a Meltdown variant * Meltdown-BD – AMD believes 32-bit systems using the BOUND instruction may be impacted and recommends implementing existing mitigations for Spectre v1 for such systems. 2018 FIRMWARE TPM UPDATES 9/26/18 Earlier this year, AMD disclosed mitigations related to potential security vulnerabilities for AMD firmware Trusted Platform Module (fTPM) versions v.96, v1.22, and v1.37. AMD believes the fTPM vulnerabilities only apply to some of its client processors as fTPM is not enabled on AMD server, graphics and embedded products. AMD has delivered a patch to PC manufacturers to address the issue. Microsoft Windows users can verify their fTPM version and find instructions to clear the TPM at: https://docs.microsoft.com/en-us/windows/device-security/tpm/initialize-and-configure-ownership-of-the-tpm AMD has recommended that PC manufacturers qualify and release an updated BIOS integrating the fTPM patch, as appropriate, into production at the next available opportunity and provide guidance to end users to apply fixes as defined based on the product. For fTPM v1.37, AMD has notified PC manufacturers that they should consider updating the system BIOS ahead of clearing the fTPM to help protect generated platform-level keys. AMD recommends users contact their PC manufacturer for platform-specific instructions as a part of following best security practices to keep devices up-to-date with the latest patches. FORESHADOW (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646) 8/14/18 – Updated As in the case with Meltdown, we believe our processors are not susceptible to these new speculative execution attack variants: L1 Terminal Fault – SGX (also known as Foreshadow) CVE 2018-3615, L1 Terminal Fault – OS/SMM (also known as Foreshadow-NG) CVE 2018-3620, and L1 Terminal Fault – VMM (also known as Foreshadow-NG) CVE 2018-3646, due to our hardware paging architecture protections. We are advising customers running AMD EPYC™ processors in their data centers, including in virtualized environments, to not implement Foreshadow-related software mitigations for their AMD platforms. SPECTRE MITIGATION UPDATE 7/13/18 This week, a sub-variant of the original, Google Project (GPZ) variant 1 / Spectre security vulnerability was disclosed by MIT. Consistent with variant 1, we believe this threat can be mitigated through the operating system (OS). AMD is working with the software ecosystem to mitigate variant 1.1 through operating system updates where necessary. We have not identified any AMD x86 products susceptible to the Variant 1.2 vulnerability in our analysis to-date. Please check with your OS provider for the latest information. AMD has also updated related portions of the Software Techniques for Managing Speculation on AMD Processors white paper. TLBLEED 7/12/18 Based on our analysis to date we have not identified any AMD products that are vulnerable to TLBleed side channel attack identified by researchers. Security remains a top priority and we will continue to work to identify any potential risks for our customers and, if needed, potential mitigations. LAZYFPU (CVE-2018-3665) 6/18/18 Based on our analysis to date, because of our unique processor implementation we currently do not believe our products are susceptible to the resent security vulnerability identified around lazy FPU switching “SPECULATIVE STORE BYPASS” VULNERABILITY MITIGATIONS FOR AMD PLATFORMS 5/21/18 Today, Microsoft and Google Project Zero researchers have identified a new category of speculative execution side channel vulnerability (Speculative Store Bypass or SSB) that is closely related to the previously disclosed GPZ/Spectre variant 1 vulnerabilities. Microsoft has released an advisory on the vulnerability and mitigation plans. AMD recommended mitigations for SSB are being provided by operating system updates back to the Family 15 processors (“Bulldozer” products). For technical details, please see the AMD white paper. Microsoft is completing final testing and validation of AMD-specific updates for Windows client and server operating systems, which are expected to be released through their standard update process. Similarly, Linux distributors are developing operating system updates for SSB. AMD recommends checking with your OS provider for specific guidance on schedules. Based on the difficulty to exploit the vulnerability, AMD and our ecosystem partners currently recommend using the default setting that maintains support for memory disambiguation. We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date. As a reminder, security best practices of keeping your operating system and BIOS up-to-date, utilizing safe computer practices and running antivirus software are always the first line of defense in maintaining device security. SPECTRE MITIGATION UPDATE 4/10/18 (Updated 5/8/18 to reflect Microsoft release of Windows Server 2016) Today, AMD is providing updates regarding our recommended mitigations for Google Project Zero (GPZ) Variant 2 (Spectre) for Microsoft Windows users. These mitigations require a combination of processor microcode updates from our OEM and motherboard partners, as well as running the current and fully up-to-date version of Windows. For Linux users, AMD recommended mitigations for GPZ Variant 2 were made available to our Linux partners and have been released to distribution earlier this year. As a reminder, GPZ Variant 1 (Spectre) mitigation is provided through operating system updates that were made available previously by AMD ecosystem partners. GPZ Variant 3 (Meltdown) does not apply to AMD because of our processor design. While we believe it is difficult to exploit Variant 2 on AMD processors, we actively worked with our customers and partners to deploy the above described combination of operating system patches and microcode updates for AMD processors to further mitigate the risk. A white paper detailing the AMD recommended mitigation for Windows is available, as well as links to ecosystem resources for the latest updates. Operating System Updates for GPZ Variant 2/Spectre Microsoft is releasing an operating system update containing Variant 2 (Spectre) mitigations for AMD users running Windows 10 (version 1709) today. Support for these mitigations for AMD processors in Windows Server 2016 is expected to be available following final validation and testing. (Note: May 8, 2018 Microsoft released an operating system update for Windows Server 2016.) AMD Microcode Updates for GPZ Variant 2/Spectre In addition, microcode updates with our recommended mitigations addressing Variant 2 (Spectre) have been released to our customers and ecosystem partners for AMD processors dating back to the first “Bulldozer” core products introduced in 2011. AMD customers will be able to install the microcode by downloading BIOS updates provided by PC and server manufacturers and motherboard providers. Please check with your provider for the latest updates. We will provide further updates as appropriate on this site as AMD and the industry continue our collaborative work to develop solutions to protect users from security threats. Subscribe to the latest news from AMD * Facebook * Instagram * Linkedin * Twitch * Twitter * Youtube * Subscriptions COMPANY * About AMD * Management Team * Corporate Responsibility * Careers * Contact Us NEWS & EVENTS * Newsroom * Events * Blogs * Media Library COMMUNITY * Support * Developer * Red Team PARTNERS * Developer Central * AMD Partner Hub * Partner Resource Library * Authorized Distributors * AMD University Program INVESTORS * Investor Relations * Financial Information * Board of Directors * Governance Documents * SEC Filings * Terms and Conditions * Privacy * Trademarks * Statement on Forced Labor * Fair & Open Competition * UK Tax Strategy * Cookies Policy * Cookies Settings © 2024 Advanced Micro Devices, Inc. This site uses cookies from us and our partners to make your browsing experience more efficient, relevant, convenient and personal. In some cases, they are essential to making the site work properly. Using the buttons below, you can accept cookies, refuse cookies, or change your settings at any time by clicking on the Cookie Settings link. For more information, refer to AMD's privacy policy and cookie policy. Cookies Settings Reject All Accept All Cookies COOKIE SETTINGS When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer. More information Allow All MANAGE CONSENT PREFERENCES PERFORMANCE COOKIES Performance Cookies These cookies allow us to recognize and count the number of visitors and to see how visitors move around the Sites when they use them. This helps us to understand what areas of the Sites are of interest to you and to improve the way the Sites work, for example, by helping you find what you are looking for easily. We may use third party web analytics providers to help us analyze the use of the Sites, email, and newsletters. These cookies store data such as online identifiers (including IP address and device identifiers), information about your web browser and operating system, website usage activity information (including the frequency of your visits, your actions on the Sites and, if you arrived at any of the Sites from another website, i.e. the URL of that website), and content-related activity (including the email and newsletter content you view and click on). Cookies Details TARGETING COOKIES Targeting Cookies These cookies record online identifiers (including IP address and device identifiers), information about your web browser and operating system, website usage activity information (such as information about your visit to the Sites, the pages you have visited, content you have viewed, and the links you have followed), and content-related activity (including the email and newsletter content you view and click on). The information is used to try to make the Sites, emails, and newsletters, and the advertising displayed on them and other websites more relevant to your interests. For instance, when you visit the Sites, these targeting cookies are used by third party providers for remarketing purposes to allow them to show you advertisements for our products when you visit other websites on the internet. Our third party providers may collect and combine information collected through the Sites, emails, and newsletters with other information about your visits to other websites and apps over time, if those websites and apps also use the same providers. Cookies Details FUNCTIONALITY COOKIES Functionality Cookies These cookies are used to recognize you when you return to the Sites. This enables us to remember your preferences (for example, your choice of language or region) or when you register on areas of the Sites, such as our web programs or extranets. These cookies store data such as online identifiers (including IP address and device identifiers) along with the information used to provide the function. Cookies Details STRICTLY NECESSARY COOKIES Always Active These are cookies that are technically required for the operation of the Sites. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging into secure areas of the Sites or filling in forms. These cookies store data such as online identifiers (including IP address and device identifiers) along with the information used to operate the Sites. We may estimate your geographic location based on your IP address to help us display the content available in your location and adjust the operation of the Sites. Cookies Details Back Button COOKIE LIST Search Icon Filter Icon Clear checkbox label label Apply Cancel Consent Leg.Interest checkbox label label checkbox label label checkbox label label Confirm My Choices