Chipmaker Patch Tuesday: Many Vulnerabilities Addressed by Intel, AMD, Nvidia

Dozens of security advisories were published on Tuesday by Intel, AMD and Nvidia to inform customers about vulnerabilities found recently in their products.

Intel has published 34 new advisories this Patch Tuesday. High-severity vulnerabilities have been addressed by the company in Xeon processors, Ethernet drivers for Linux, chipset firmware, processor stream cache, 800 Series Ethernet, PROSet/Wireless, and Connectivity Performance Suite products.

Most of them allow privilege escalation, while some can be exploited for denial of service (DoS) and information disclosure.

Intel has addressed medium-severity issues in AI Playground, Driver & Support Assistant (DSA), Distribution for Python, PCIe Switch, AI for Enterprise Retrieval-augmented Generation, Device Plugins for Kubernetes, and TinyCBOR.

Medium-severity flaws have also been resolved in RealSense Dynamic Calibrator, Edge Orchestrator for Tiber, Clock Jitter Tool, QuickAssist Technology, UEFI, Graphics, Rapid Storage Technology, oneAPI Toolkit, Trace Analyzer and Collector, E810 Ethernet, and TDX.

Exploitation of the vulnerabilities found in these products can lead to privilege escalation, DoS, and information disclosure.

AMD published ten new advisories in the days leading up to and on Patch Tuesday.

Some of the advisories published by AMD address recently published research papers. One paper comes from ETH Zurich researchers, who showed that a CPU optimization known as the stack engine can be abused for attacks that lead to information leakage. In response, AMD advised developers to follow existing best practices to mitigate the potential vulnerability.

Another paper written by ETH Zurich researchers describes Heracles, a method that enables a malicious hypervisor to execute a side-channel attack against a running SEV-SNP guest. A similar technique was reported to AMD by researchers from the University of Toronto. The company has recommended some mitigations.

Several advisories describe multiple vulnerabilities found during internal and external audits in client processor platforms, server processors, embedded processors, and graphics and datacenter accelerator products.

The company also addressed a couple of physical attacks, including a Secure Boot bypass and voltage fault injection on SEV-protected virtual machines. AMD noted that physical attacks fall outside the scope of its threat model.

AMD also informed customers about a code execution bug in EDK2 SMM, and an outdated Chromium browser version in Adrenalin driver software.

Nvidia published half a dozen advisories on Patch Tuesday. In the NeMo framework, which is designed for developing custom generative AI, the company fixed two high-severity issues that could lead to remote code execution and data tampering.

Two high-severity flaws that can be exploited for code execution, privilege escalation, data tampering, and information disclosure have been resolved in the Megatron-LM framework for AI training.

In the Merlin open source library for GPU-accelerated recommender systems, specifically the Transformers4Rec library, Nvidia patched a security hole that can lead to code execution, information disclosure, privilege escalation, and data tampering.

Vulnerabilities with similar potential impact have also been fixed by Nvidia in the Isaac GR00T robot development platform, and in Apex and WebDataset deep learning software — one vulnerability has been addressed in each product.

This article was originally published by Security Week. Please check their website for the original content.