In a recent security advisory, chipmaker AMD has confirmed the discovery of four new vulnerabilities in its processors. These issues are related to a type of side-channel attack, similar in nature to the well-known Spectre and Meltdown bugs that were revealed back in 2018.
This time, however, the flaws appear to affect only AMD chips. The company’s research team identified the vulnerabilities during an internal investigation triggered by a Microsoft report. The findings point to specific weaknesses in how AMD processors handle certain instructions at the hardware level, under rare and complex conditions.
The newly disclosed flaws are being tracked under four identifiers: CVE-2024-36350, CVE-2024-36357, CVE-2024-36348, and CVE-2024-36349. According to AMD, the first two are considered medium-risk, while the others are low-risk. The company is calling this group of flaws “Transient Scheduler Attacks” (TSA).
These vulnerabilities involve exploiting the timing of certain CPU operations to potentially access protected data. However, AMD says the practical risk is limited because the attacks require direct access to the affected computer. In other words, an attacker would need to run malicious software on the system itself in order to take advantage of these issues. They cannot be triggered through a web browser or remotely over the internet.
The impact of a successful attack could, in theory, allow an attacker to view parts of the system memory that should remain private — such as data from the operating system. This might allow a hacker to raise their access level, install hidden malware, or carry out further attacks. Still, AMD stresses that the difficulty of executing these attacks makes them unlikely in most real-world scenarios.
To address the flaws, AMD is working with software partners to release updates. Fixes include firmware (microcode) updates and changes to operating systems or virtualization software. One possible fix, involving a CPU instruction called VERW, might slow system performance slightly. System administrators are encouraged to assess whether applying this mitigation is necessary in their environments.
So far, firmware updates have been shared with hardware vendors to patch the two higher-severity issues. The company does not plan to patch the two lower-severity ones, due to their limited risk. Microsoft and other software vendors are expected to release system updates soon.
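To support the assessment described above, the following added example (not from AMD's advisory or the original article) classifies the TSA status reported by a Linux kernel. It assumes the kernel exposes that status at `/sys/devices/system/cpu/vulnerabilities/tsa`; the function names and the sample status strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify the kernel-reported TSA mitigation state.
# Assumption: the running Linux kernel exposes the status in the sysfs file
# below; kernels without TSA reporting will not have it.
TSA_SYSFS="${TSA_SYSFS:-/sys/devices/system/cpu/vulnerabilities/tsa}"

# tsa_classify STATUS
# Prints one of: not_affected, mitigated, needs_microcode, vulnerable, unknown
tsa_classify() {
    case "$1" in
        "Not affected"*)            echo not_affected ;;
        "Mitigation:"*)             echo mitigated ;;
        "Vulnerable"*[Mm]icrocode*) echo needs_microcode ;;
        "Vulnerable"*)              echo vulnerable ;;
        *)                          echo unknown ;;
    esac
}

# tsa_check [FILE]
# Prints "<class>: <raw status>".
# Returns 0 when no action is needed, 1 when the CPU is reported vulnerable
# or the status is unrecognised, 2 when the status file is missing.
tsa_check() {
    file="${1:-$TSA_SYSFS}"
    if [ ! -r "$file" ]; then
        echo "unknown: $file not readable (kernel may predate TSA reporting)"
        return 2
    fi
    status=$(cat "$file")
    class=$(tsa_classify "$status")
    echo "$class: $status"
    case "$class" in
        not_affected|mitigated) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Constructed sample statuses (not captured from a real machine).
for s in "Not affected" "Vulnerable: No microcode" "Mitigation: Clear CPU buffers"; do
    printf '%-32s -> %s\n' "$s" "$(tsa_classify "$s")"
done
```

On a real host, call `tsa_check` with no argument; a `needs_microcode` result means the operating system change is in place but the firmware update from the hardware vendor is still missing.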
The vulnerabilities have been shown to affect multiple AMD product lines, including EPYC, Ryzen, Instinct, and older Athlon chips. While the flaws are not easy to exploit, their wide reach means that updates and caution are still important.