November 15, 2023 at 05:09AM
Chipmakers Intel and AMD released security advisories this week, disclosing a total of more than 130 vulnerabilities in their products. Intel addressed 105 vulnerabilities, including a critical flaw in Data Center Manager software. AMD disclosed 27 vulnerabilities, with one impacting AMD Secure Encrypted Virtualization and another in SMM Supervisor. Both companies released patches to fix the vulnerabilities.
During the meeting, it was noted that Intel and AMD both released security advisories on Patch Tuesday, informing customers about a significant number of vulnerabilities in their products.
Intel provided 31 advisories covering approximately 105 vulnerabilities. One of the notable vulnerabilities patched by Intel is a CPU flaw called Reptar (CVE-2023-23583), which was discovered internally by the company and independently by Google researchers. This vulnerability has the potential to cause crashes on the host machine and other guest machines in a multi-tenant virtualized environment. It could also lead to information disclosure or privilege escalation. Intel also highlighted a critical vulnerability (CVE-2023-31273) in their Data Center Manager (DCM) software, which can allow an unauthenticated attacker to escalate privileges through network access. Other advisories addressed high-severity vulnerabilities in various Intel software and firmware.
AMD, on the other hand, published five security advisories discussing a total of 27 vulnerabilities. One of the advisories focused on CacheWarp (CVE-2023-20592), an AMD CPU vulnerability that could pose risks to virtual machines (VMs) by potentially allowing attackers to hijack control flow, break into an encrypted VM, and escalate privileges. Additionally, AMD addressed security holes in components such as Secure Processor (ASP), System Management Unit (SMU), and graphics drivers. These vulnerabilities range from high-severity issues that could lead to arbitrary code execution or privilege escalation to medium-severity flaws that could allow for arbitrary code execution or cause a denial-of-service (DoS) condition.
The meeting notes also mentioned related news articles on the topic, such as one discussing how Intel and AMD addressed over 100 vulnerabilities and another detailing a speculative execution attack targeting Intel and AMD processors called “Retbleed.”