Introduction
Attackers can bypass critical firmware protections on AMD-powered systems while the system resumes from standby, potentially modifying UEFI or other sensitive firmware components. The flaw affects AMD ROM Armor, a hardware-based security technology used in a wide range of consumer and enterprise devices, and could enable persistent compromise at the firmware level.
About AMD and ROM Armor: AMD is a major x86 processor vendor with a global footprint across consumer, enterprise, and data center markets. Its ROM Armor technology is deployed in multiple product lines and is designed to prevent unauthorized modifications to SPI flash memory, which stores UEFI firmware and security-critical configuration data. This mechanism is foundational to the security posture of AMD-based platforms.
Technical Information
CVE-2024-36326 is a missing authorization vulnerability in AMD ROM Armor, specifically triggered during system resume from standby. ROM Armor operates before the operating system initializes, enforcing write restrictions to the SPI flash memory so that only OEM or ODM-controlled System Management Mode (SMM) handlers can modify firmware regions. This is intended to protect the integrity of UEFI and other firmware components.
The vulnerability arises because ROM Armor fails to enforce its usual authorization checks while the system resumes from a low-power standby state. This opens a timing window during which an attacker with local access can bypass ROM Armor protections and write to otherwise protected firmware regions. The flaw is classified under CWE-862 (Missing Authorization). Exploitation requires local access and precise timing during the resume phase. No public code snippets or proof of concept are available.
Affected Systems and Versions
- AMD platforms implementing ROM Armor technology are affected. This includes systems using recent AMD processors in both consumer and enterprise segments.
- The vulnerability is present during system resume from standby (low-power) states.
- Specific affected product families and firmware versions are not detailed in the available advisories. Users should consult OEM or system vendor advisories for model-specific information.
Vendor Security History
AMD has previously disclosed vulnerabilities in its trusted computing and firmware protection mechanisms, including issues with SPI protection and SMM handler controls. The company publishes coordinated security bulletins (such as AMD-SB-4012) and works with OEMs on remediation. Distributing firmware updates can be complex because each OEM must produce and test a vendor-specific build.