AMD PSP Affected By Vulnerability

While all eyes have been on Intel this week with the Spectre and Meltdown vulnerabilities, a disclosure was publicly made this week surrounding AMD's PSP Secure Processor in an unrelated security bulletin.

AMD's Secure Processor / Platform Security Processor (PSP) that is akin to Intel's Management Engine (ME) is reportedly vulnerable to attack.

A member of Google's Cloud Security Team discovered through static analysis that a function in PSP's firmware TPM code is vulnerable to a stack-based overflow due to missing bounds checks. Submitting a specially-crafted certificate to the fTPM trustlet code can lead to an overflow and then full control on the program counter.

Google reported this issue to the AMD Security Team in September and then in December began rolling out a software fix. Following the 90-day disclosure process, the information was made public here.

Update: Contrary to the original security notice, AMD has now confirmed to us this vulnerability isn't subject to remote code execution.