CVE-2021-26370

Q: What is the severity of CVE-2021-26370?

CVE-2021-26370 has a CVSS score of 7.1 (HIGH). This AMD firmware vulnerability allows attackers with local access to overwrite bootloader memory by exploiting improper address validation in SVC_LOAD_FW_IMAGE_BY_INSTANCE and SVC_LOAD_BINARY_BY_ATTRIB functions. This can lead to arbitrary code execution in the bootloader, potentially compromising system integrity and availability. Systems using affected AMD processors with vulnerable firmware versions are impacted.

7.1 HIGH

📋 TL;DR

This AMD firmware vulnerability allows attackers with local access to overwrite bootloader memory by exploiting improper address validation in SVC_LOAD_FW_IMAGE_BY_INSTANCE and SVC_LOAD_BINARY_BY_ATTRIB functions. This can lead to arbitrary code execution in the bootloader, potentially compromising system integrity and availability. Systems using affected AMD processors with vulnerable firmware versions are impacted.

💻 Affected Systems

Products:

AMD Ryzen processors
AMD EPYC processors
AMD Athlon processors with Radeon Graphics

Versions: Firmware versions prior to AGESA version 1.2.0.0

Operating Systems: All operating systems running on affected hardware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires ability to execute malicious UApp or ABL code locally; affects systems with vulnerable AMD firmware.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via bootloader manipulation, allowing persistent malware installation, bricking of hardware, or bypassing of security controls.

🟠

Likely Case

Local privilege escalation allowing attackers to gain higher privileges, install persistent backdoors, or disrupt system boot processes.

🟢

If Mitigated

Limited impact if proper access controls prevent local malicious code execution and firmware is updated.

🌐 Internet-Facing: LOW - Requires local access to exploit; not directly exploitable over network.

🏢 Internal Only: MEDIUM - Internal attackers with local access could exploit this for privilege escalation or system disruption.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local code execution capability; exploitation involves manipulating firmware loading functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: AGESA version 1.2.0.0 or later

Vendor Advisory: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1021

Restart Required: Yes

Instructions:

1. Check motherboard/BIOS manufacturer for firmware updates. 2. Download appropriate firmware update from manufacturer. 3. Follow manufacturer's firmware update procedure. 4. Reboot system after update.

🔧 Temporary Workarounds

Restrict local code execution

all

Implement strict access controls to prevent unauthorized local code execution.

Enable secure boot

all

Ensure secure boot is enabled to verify bootloader integrity.

🧯 If You Can't Patch

Implement strict least privilege access controls to limit local code execution capabilities
Monitor for suspicious firmware/bootloader modification attempts and unauthorized local code execution

🔍 How to Verify

Check if Vulnerable:

Check BIOS/firmware version against manufacturer's documentation; vulnerable if AGESA version is older than 1.2.0.0

Check Version:

System-specific: Check BIOS settings or use manufacturer's diagnostic tools (e.g., dmidecode on Linux, msinfo32 on Windows)

Verify Fix Applied:

Verify BIOS/firmware version shows AGESA 1.2.0.0 or newer after update

📡 Detection & Monitoring

Log Indicators:

Unexpected firmware/bootloader modification attempts
Suspicious local process execution with elevated privileges

Network Indicators:

Not network exploitable; focus on local activity

SIEM Query:

Process execution events with suspicious parent-child relationships or attempts to access firmware interfaces

📊 Metadata

CVE ID: CVE-2021-26370

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE: CWE-20

Published: May 10, 2022

Last Updated: November 21, 2024

🔗 References

https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1021 Vendor Advisory
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1021 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Epyc 7002 Firmware by Amd

Epyc 7232p Firmware by Amd

Epyc 7252 Firmware by Amd

Epyc 7262 Firmware by Amd

Epyc 7272 Firmware by Amd

Epyc 7282 Firmware by Amd

Epyc 72f3 Firmware by Amd

Epyc 7302 Firmware by Amd

Epyc 7302p Firmware by Amd

Epyc 7313 Firmware by Amd

Epyc 7313p Firmware by Amd

Epyc 7343 Firmware by Amd

Epyc 7352 Firmware by Amd

Epyc 7373x Firmware by Amd

Epyc 73f3 Firmware by Amd

Epyc 7402 Firmware by Amd

Epyc 7402p Firmware by Amd

Epyc 7413 Firmware by Amd

Epyc 7443 Firmware by Amd

Epyc 7443p Firmware by Amd

Epyc 7452 Firmware by Amd

Epyc 7453 Firmware by Amd

Epyc 7473x Firmware by Amd

Epyc 74f3 Firmware by Amd

Epyc 7502 Firmware by Amd

Epyc 7502p Firmware by Amd

Epyc 7513 Firmware by Amd

Epyc 7532 Firmware by Amd

Epyc 7542 Firmware by Amd

Epyc 7543 Firmware by Amd

Epyc 7543p Firmware by Amd

Epyc 7552 Firmware by Amd

Epyc 7573x Firmware by Amd

Epyc 75f3 Firmware by Amd

Epyc 7642 Firmware by Amd

Epyc 7643 Firmware by Amd

Epyc 7662 Firmware by Amd

Epyc 7663 Firmware by Amd

Epyc 7702 Firmware by Amd

Epyc 7702p Firmware by Amd

Epyc 7713 Firmware by Amd

Epyc 7713p Firmware by Amd

Epyc 7742 Firmware by Amd

Epyc 7763 Firmware by Amd

Epyc 7773x Firmware by Amd

Epyc 7f32 Firmware by Amd

Epyc 7f52 Firmware by Amd

Epyc 7f72 Firmware by Amd

Epyc 7h12 Firmware by Amd