SMM Callout, a series of vulnerabilities that affect AMD


Recently AMD announced the work it did to power fix a number of vulnerabilities that affect your products. The vulnerabilities were discovered by security researcher Danny Odler, which in its report reveals that the flaws reside in the AMD Mini PC that could allow attackers to manipulate secure firmware and execute arbitrary code.

This series of vulnerabilities were named as "SMM Callout" (CVE-2020-12890) and the investigation of the bugs shows the complete exploitation of 1 of the 3 vulnerabilities that they were found in the UEFI image.

SMM Callout allows you to gain control over UEFI firmware and run code at the SMM level (System administration mode). An attack requires physical access to the computer or access to a system with administrator rights.

In case of a successful attack, an attacker can use the AGESA interface (Generic AMD Encapsulated Software Architecture) to execute arbitrary code it cannot be detected from the operating system.

The vulnerabilities are present in the code included in the UEFI firmware, executed in the SMM mode (Ring -2), which has a higher priority than the hypervisor mode and the zero protection ring, and which has unlimited access to all the memory of the system .

When the code runs in SMM, all physical memory can be accessed and nothing can stop you from overwriting critical data on the physical pages of the kernel or hypervisor. The SMM code acts as a kind of mini OS: it has I / O services, memory mapping services, ability to map private interfaces, SMM interrupt management, event notifications, and more.

To summarize: SMM code is the most privileged code executed on the CPU, the code is completely hidden from the running operating system, it cannot be modified by the kernel and even by DMA devices and the most important SMM code can access any physical memory.

For example, after gaining access to the operating system as a result of exploiting other vulnerabilities or social engineering methods, an attacker can use vulnerabilities by SMM Callout to bypass safe boot mode (UEFI Secure Boot), introduce malicious code or rootkits invisible to the system in SPI Flash, and also for attacks on hypervisors for bypass the integrity checking mechanisms of virtual environments.

“AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete the delivery of updated versions designed to mitigate the problem at the end of June 2020. »reads AMD's announcement.

“The targeted attack described in the research requires privileged physical or administrative access to a system based on an AMD laptop or embedded processors. If this level of access is acquired, an attacker could potentially manipulate AMD's Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code without being detected by the operating system.

The vulnerabilities are due to an error in the SMM code due to to the lack of verification of the address of the buffer target when the SmmGetVariable () function is called in the SMI 0xEF handler.

Due to this bug, an attacker can write arbitrary data to internal SMM memory (SMRAM) and execute it as code with SMM rights. AMD noted that only certain processors launched between 2016 and 2019 they are affected by vulnerability.

"SMM is the most privileged code that can run on the x86 CPU, allowing it to attack any low-level component, including Kernel and Hypervisor." read the analysis published by Odler.

The chip vendor has already delivered most of the updated versions of AGESA to its partners. AMD encourages users to keep their systems up to date by installing the latest patches.

If you want to know more about it, you can consult the report by going to the following link.


Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.