CVE-2024-36347 - Vulnerability Details - OpenCVE

A flaw was found in AMD processors. This flaw allows an attacker with system administration privileges to exploit an issue in the signature verification in the AMD CPU ROM microcode patch loader, allowing the load of malicious microcode. This issue could impact the integrity of x86 instruction execution, confidentiality, and data integrity in x86 CPU-privileged context and compromise the SMM execution environment.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2024-36347
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
https://www.cve.org/CVERecord?id=CVE-2024-36347

History

Fri, 07 Mar 2025 02:45:00 +0000

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in AMD processors. This flaw allows an attacker with system administration privileges to exploit an issue in the signature verification in the AMD CPU ROM microcode patch loader, allowing the load of malicious microcode. This issue could impact the integrity of x86 instruction execution, confidentiality, and data integrity in x86 CPU-privileged context and compromise the SMM execution environment.

Thu, 06 Mar 2025 02:00:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		kernel: hw:amd: Improper signature verification in AMD CPU ROM microcode patch loader
Weaknesses		CWE-99
References		https://nvd.nist.gov/vuln/detail/CVE-2024-36347 https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html https://www.cve.org/CVERecord?id=CVE-2024-36347
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}` threat_severity `Important`

MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Publid Date: 2025-03-05T00:00:00Z

Links: CVE-2024-36347 - Bugzilla

{"bugzilla": {"description": "kernel: hw:amd: Improper signature verification in AMD CPU ROM microcode patch loader", "id": "2336412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2336412"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-99", "details": ["A flaw was found in AMD processors. This flaw allows an attacker with system administration privileges to exploit an issue in the signature verification in the AMD CPU ROM microcode patch loader, allowing the load of malicious microcode. This issue could impact the integrity of x86 instruction execution, confidentiality, and data integrity in x86 CPU-privileged context and compromise the SMM execution environment."], "mitigation": {"lang": "en:us", "value": "Mitigation requires updating the BIOS for updating the CPU firmware. The bug affects hardware in processors of the AMD EPYC\u2122 family: Naples, Rome, Milan, Milan-X, Genoa, Genoa-X, Bergamo/Siena and Raphael."}, "name": "CVE-2024-36347", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36347\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36347\nhttps://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html"], "statement": "Red Hat has very limited to no visibility and control over binary blobs provided by third-party vendors. Red Hat relies heavily on the vendors to provide timely updates and information about included changes for this content and in most cases merely acts as a release vehicle between the third-party vendor and Red Hat customers with no possibility of influencing or even documenting the changes. Unless explicitly stated, the level of insight, oversight, and control Red Hat has does not meet the criteria required (in terms of Red Hat ownership of development processes, QA, and documentation) for releasing this content as a RHSA. For more information, please contact the binary content vendor.\nAMD believes this issue is caused by a weakness in the signature verification algorithm and the vulnerability could allow an administrator privileged attacker, the ability to load arbitrary CPU microcode patches.\nMalicious CPU microcode results in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in x86 CPU privileged context and compromise of SMM execution environment.", "threat_severity": "Important"}