CVE-2021-26356
📋 TL;DR
This vulnerability is a Time-of-Check Time-of-Use (TOCTOU) race condition in AMD's ASP bootloader that allows an attacker to tamper with SPI ROM data after it's been read to memory. This can lead to S3 sleep state data corruption and potential information disclosure. It affects systems with vulnerable AMD processors and firmware.
💻 Affected Systems
- AMD processors with vulnerable ASP bootloader firmware
📦 What is this software?
Ryzen Threadripper Pro 3945wx Firmware by Amd
View all CVEs affecting Ryzen Threadripper Pro 3945wx Firmware →
Ryzen Threadripper Pro 3955wx Firmware by Amd
View all CVEs affecting Ryzen Threadripper Pro 3955wx Firmware →
Ryzen Threadripper Pro 3975wx Firmware by Amd
View all CVEs affecting Ryzen Threadripper Pro 3975wx Firmware →
Ryzen Threadripper Pro 3995wx Firmware by Amd
View all CVEs affecting Ryzen Threadripper Pro 3995wx Firmware →
Ryzen Threadripper Pro 5945wx Firmware by Amd
View all CVEs affecting Ryzen Threadripper Pro 5945wx Firmware →
Ryzen Threadripper Pro 5955wx Firmware by Amd
View all CVEs affecting Ryzen Threadripper Pro 5955wx Firmware →
Ryzen Threadripper Pro 5965wx Firmware by Amd
View all CVEs affecting Ryzen Threadripper Pro 5965wx Firmware →
⚠️ Risk & Real-World Impact
Worst Case
An attacker could corrupt sensitive data during S3 sleep state transitions, potentially leading to system instability, data loss, or extraction of sensitive information from memory.
Likely Case
Local attackers with physical access or administrative privileges could exploit this to cause system crashes or potentially read sensitive data from memory during sleep state transitions.
If Mitigated
With proper firmware updates and security controls, the risk is significantly reduced to minimal impact on system stability.
🎯 Exploit Status
Exploitation requires local access and knowledge of specific timing conditions. No public exploits have been reported.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware updates as specified in AMD-SB-3001 and AMD-SB-4001
Vendor Advisory: https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-3001
Restart Required: Yes
Instructions:
1. Check system manufacturer for BIOS/UEFI firmware updates. 2. Download appropriate firmware update from manufacturer. 3. Follow manufacturer's instructions to update firmware. 4. Reboot system to apply changes.
🔧 Temporary Workarounds
Disable S3 Sleep State
allDisable S3 sleep/suspend to RAM functionality to prevent exploitation during sleep state transitions
Powercfg /h off (Windows)
systemctl mask suspend.target (Linux)
🧯 If You Can't Patch
- Restrict physical access to vulnerable systems
- Implement strict privilege management to limit administrative access
🔍 How to Verify
Check if Vulnerable:
Check system BIOS/UEFI firmware version against AMD advisories. Use manufacturer tools to check current firmware version.Check Version:
wmic bios get smbiosbiosversion (Windows) or dmidecode -s bios-version (Linux)Verify Fix Applied:
Verify firmware version has been updated to patched version specified in AMD advisories. Check that firmware update was successful in system logs.📡 Detection & Monitoring
Log Indicators:
- Unexpected system crashes during sleep/wake cycles
- Firmware update logs showing version changes
- Security event logs showing unauthorized physical access
Network Indicators:
- No direct network indicators as this is a local vulnerability
SIEM Query:
EventID=6008 OR EventID=41 (Windows crash events) combined with physical access logs