Introduction
Attackers with local administrative access to AMD Ryzen, Threadripper, or embedded systems can leverage a firmware flaw to execute code at the most privileged level of the processor. This vulnerability, CVE-2024-21947, affects millions of endpoints across consumer, enterprise, and industrial environments, and enables arbitrary code execution in System Management Mode (SMM) due to improper input validation.
About AMD: AMD is one of the world’s leading semiconductor companies, with a significant share of the global CPU and GPU markets. Its Ryzen and Threadripper product lines are widely used in desktops, laptops, and workstations, while AMD’s embedded processors power a range of industrial and IoT devices. Security issues in AMD’s firmware can have far-reaching consequences across the technology landscape.
Technical Information
CVE-2024-21947 is a vulnerability in the System Management Mode (SMM) implementation of multiple AMD processors. SMM is a special-purpose CPU mode in x86 architectures used for low-level system management functions and operates at a higher privilege than the operating system or hypervisor.
The vulnerability is caused by improper input validation (CWE-20) in SMM handlers. Specifically, privileged attackers can supply crafted input to SMM interfaces (such as via System Management Interrupts or shared memory buffers) that is not properly validated by the firmware. This allows the attacker to overwrite arbitrary memory within the SMM context. Successful exploitation can result in arbitrary code execution at the SMM level, which is extremely difficult to detect or remediate from the operating system.
Key technical points:
- Attack requires local access and high privileges (CVSS vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
- Exploitation is possible via crafted SMI calls or manipulation of SMM communication buffers
- Vulnerability is present in SMM code responsible for handling external input without sufficient validation
- Root cause is the lack of proper bounds or format checking on input data processed by SMM handlers
- No public code snippets or PoC are available as of this writing
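Because no public code for this flaw exists, the following is an added, constructed C model of the bug class the advisory names (CWE-20 in an SMM handler that consumes an OS-supplied communication buffer); it is not AMD's code and not derived from the actual vulnerability. The SMRAM addresses, the request header layout, the scratch-area size and every function name are assumptions made for illustration. It places a handler that trusts the caller-declared length next to one that performs the checks firmware is expected to perform before touching such a buffer: the buffer must lie entirely outside SMRAM, must not wrap around, must be large enough to hold its header, and the header must be copied into SMRAM before it is validated so the OS cannot change it between check and use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed SMRAM layout (hypothetical addresses, not from the advisory). */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL
#define SMM_SCRATCH_SIZE 64u

/* Hypothetical request header the OS places at the start of the shared
 * communication buffer; payload bytes follow it. */
typedef struct {
    uint32_t payload_len;   /* caller-declared, therefore untrusted */
} comm_header_t;

typedef enum {
    SMM_OK = 0,
    SMM_ERR_NULL,
    SMM_ERR_IN_SMRAM,     /* buffer overlaps SMRAM or its range wraps */
    SMM_ERR_TOO_SMALL,    /* buffer cannot even hold the header */
    SMM_ERR_LEN           /* declared length exceeds buffer or scratch area */
} smm_status_t;

/* True only if [addr, addr + size) is non-empty, does not wrap, and lies
 * entirely outside SMRAM (the same idea as EDK2's SmmIsBufferOutsideSmmValid). */
bool buffer_outside_smram(uint64_t addr, uint64_t size)
{
    if (size == 0 || addr + size < addr)
        return false;
    uint64_t end = addr + size;
    return end <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Vulnerable pattern (CWE-20): the handler believes the caller's payload_len
 * and never consults how large the buffer really is. Shown only as the
 * contrast case; it returns the length it would copy instead of copying. */
uint32_t unchecked_copy_length(const uint8_t *buf, size_t buf_size)
{
    (void)buf_size;                       /* never consulted: the defect */
    comm_header_t hdr;
    memcpy(&hdr, buf, sizeof hdr);
    return hdr.payload_len;
}

/* Hardened handler: validates address range, size and declared length before
 * copying the payload into a fixed SMRAM-resident scratch area. */
smm_status_t validated_handler(uint64_t buf_addr, const uint8_t *buf,
                               size_t buf_size,
                               uint8_t scratch[SMM_SCRATCH_SIZE],
                               size_t *copied)
{
    if (buf == NULL || scratch == NULL || copied == NULL)
        return SMM_ERR_NULL;
    /* 1. Reject buffers inside SMRAM, otherwise the caller can alias SMM data. */
    if (!buffer_outside_smram(buf_addr, buf_size))
        return SMM_ERR_IN_SMRAM;
    /* 2. The buffer must be large enough to contain a header at all. */
    if (buf_size < sizeof(comm_header_t))
        return SMM_ERR_TOO_SMALL;
    /* 3. Snapshot the header into SMRAM first; validating it in place would
     *    let the OS rewrite it between the check and the use (TOCTOU). */
    comm_header_t hdr;
    memcpy(&hdr, buf, sizeof hdr);
    /* 4. The declared length must fit both the buffer and the scratch area. */
    if (hdr.payload_len > buf_size - sizeof(comm_header_t) ||
        hdr.payload_len > SMM_SCRATCH_SIZE)
        return SMM_ERR_LEN;
    memcpy(scratch, buf + sizeof(comm_header_t), hdr.payload_len);
    *copied = hdr.payload_len;
    return SMM_OK;
}

/* Builds a request in a caller-owned buffer: header with the declared length,
 * payload filled with a marker byte (constructed test input). */
void build_request(uint8_t *buf, size_t buf_size, uint32_t declared_len)
{
    comm_header_t hdr = { declared_len };
    memcpy(buf, &hdr, sizeof hdr);
    if (buf_size > sizeof hdr)
        memset(buf + sizeof hdr, 0xA5, buf_size - sizeof hdr);
}

int main(void)
{
    uint8_t request[4 + 16];
    uint8_t scratch[SMM_SCRATCH_SIZE];
    size_t copied = 0;

    build_request(request, sizeof request, 16);
    printf("honest request: status %d, copied %zu\n",
           validated_handler(0x1000, request, sizeof request, scratch, &copied),
           copied);

    build_request(request, sizeof request, 4096);
    printf("oversized length: unchecked handler would copy %u bytes, "
           "validated handler status %d\n",
           unchecked_copy_length(request, sizeof request),
           validated_handler(0x1000, request, sizeof request, scratch, &copied));
    return 0;
}
```

The four checks are independent and each catches a distinct failure mode; in a real handler the SMRAM range comes from the platform's SMRAM descriptors rather than constants, and the same validation must be applied to every pointer or offset the caller embeds in the payload, not only to the outer buffer.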
Patch Information
To address CVE-2024-21947, AMD has released updated Platform Initialization (PI) firmware versions. These updates are distributed to OEMs for integration into BIOS updates. For AMD Athlon 3000 Series Mobile Processors with Radeon Graphics (Dali), the issue is resolved in firmware version Picasso-FP5 1.0.1.1, released March 7, 2024.
Action required:
- Contact your system OEM to obtain the latest BIOS update that includes the fixed firmware version
- Ensure affected Dali systems are running Picasso-FP5 1.0.1.1 or later
- Monitor AMD and OEM advisories for updates covering other processor families
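As an added example of the version check behind the second action item (this is not AMD's or any OEM's tooling), the C code below decides whether a reported PI firmware version string meets the Dali fix level quoted above. It assumes the installed version is available as a string in the same "<platform> a.b.c.d" shape the advisory uses, for instance from OEM release notes or an asset inventory; the advisory does not say how to read the PI version from a running system, so obtaining that string is left to the operator. The comparison is component-wise so that "1.0.10" is newer than "1.0.9" and "1.0.1" is older than "1.0.1.1", and a string from a different platform or one that does not parse is deliberately reported as not patched so it surfaces for manual review.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define FW_MAX_PARTS 8

/* Fixed version quoted in the advisory for Dali (Athlon 3000 Series Mobile). */
#define DALI_FIXED_VERSION "Picasso-FP5 1.0.1.1"

/* Split "<platform> <a>.<b>.<c>.<d>" into its platform prefix and numeric
 * components. Returns the number of components, or 0 when the string does
 * not have that shape. The prefix is copied into `platform`. */
int parse_fw_version(const char *s, char *platform, size_t platform_sz,
                     unsigned parts[FW_MAX_PARTS])
{
    const char *sp = strrchr(s, ' ');
    if (sp == NULL) return 0;
    size_t plen = (size_t)(sp - s);
    if (plen == 0 || plen + 1 > platform_sz) return 0;
    memcpy(platform, s, plen);
    platform[plen] = '\0';

    const char *p = sp + 1;
    int n = 0;
    for (;;) {
        char *end;
        if (n == FW_MAX_PARTS) return 0;
        if (*p < '0' || *p > '9') return 0;   /* strtoul would accept signs/spaces */
        unsigned long v = strtoul(p, &end, 10);
        parts[n++] = (unsigned)v;
        if (*end == '\0') return n;
        if (*end != '.') return 0;            /* stray characters such as "1.0.x" */
        p = end + 1;
    }
}

/* Component-wise comparison; a missing trailing component counts as 0. */
int compare_fw_parts(const unsigned *a, int na, const unsigned *b, int nb)
{
    int n = na > nb ? na : nb;
    for (int i = 0; i < n; i++) {
        unsigned x = i < na ? a[i] : 0;
        unsigned y = i < nb ? b[i] : 0;
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

/* True only when `installed` parses, names the same platform as `fixed`,
 * and is at least as new. Unparseable or foreign-platform strings are
 * reported as not patched rather than silently passed. */
bool fw_is_patched(const char *installed, const char *fixed)
{
    char pi[32], pf[32];
    unsigned vi[FW_MAX_PARTS], vf[FW_MAX_PARTS];
    int ni = parse_fw_version(installed, pi, sizeof pi, vi);
    int nf = parse_fw_version(fixed, pf, sizeof pf, vf);
    if (ni == 0 || nf == 0 || strcmp(pi, pf) != 0) return false;
    return compare_fw_parts(vi, ni, vf, nf) >= 0;
}
```

Because the fixed level differs per processor family, the comparison is keyed on the platform prefix; extend the fixed-version table from AMD's bulletin for the other families before using this across a mixed fleet.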
Patch source:
Affected Systems and Versions
CVE-2024-21947 affects a wide range of AMD processors, including:
- AMD Ryzen desktop and mobile CPUs (multiple generations)
- AMD Threadripper workstation CPUs
- AMD embedded processors (R1000, R2000, V3000 series and others)
- AMD Athlon 3000 Series Mobile Processors with Radeon Graphics (Dali)
Specific patch version for Dali (Athlon 3000 Series Mobile):
- Vulnerable: Prior to Picasso-FP5 1.0.1.1
- Fixed: Picasso-FP5 1.0.1.1 (March 7, 2024) and later
Other processor families are listed in AMD’s official advisories. Users should consult the relevant security bulletins and coordinate with their OEM for exact patch availability and applicability.
Vendor Security History
AMD has previously addressed multiple SMM and firmware vulnerabilities, including:
- Speculative execution side-channel flaws (Spectre, Meltdown variants)
- SMM callout vulnerabilities (see AMD-SB-7028)
- Multiple input validation and buffer handling issues in firmware
AMD operates a public bug bounty program and typically provides detailed advisories and firmware updates. Patch deployment speed depends on OEM integration and user update practices. AMD’s transparency and engagement with the security community have improved in recent years, but the complexity of the firmware supply chain remains a challenge.