CVE-2024-56161

Name: CVE-2024-56161
Description: Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4098-1
Debian Bugs: 1095470

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
amd64-microcode (PTS) | bullseye/non-free | 3.20240820.1~deb11u1 | vulnerable
amd64-microcode (PTS) | bullseye/non-free (security) | 3.20250311.1~deb11u1 | fixed
amd64-microcode (PTS) | bookworm/non-free-firmware | 3.20240820.1~deb12u1 | vulnerable
amd64-microcode (PTS) | bookworm/non-free-firmware (security) | 3.20230719.1~deb12u1 | vulnerable
amd64-microcode (PTS) | trixie/non-free-firmware, sid/non-free-firmware | 3.20250311.1 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
amd64-microcode | source | bullseye | 3.20250311.1~deb11u1 | | DLA-4098-1 |
amd64-microcode | source | (unstable) | 3.20250311.1 | | | 1095470

Notes

[bookworm] - amd64-microcode <no-dsa> (Minor issue in Debian context; AMD-SEV not supported)
https://www.openwall.com/lists/oss-security/2025/01/22/1
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html
https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w
https://github.com/google/security-research/tree/master/pocs/cpus/entrysign
https://github.com/google/security-research/tree/master/pocs/cpus/entrysign/zentool
https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking