Permissions, Privileges, and Access Controls in AMD Generic Encapsulated Software Architecture - CVE-2020-12890

 

Permissions, Privileges, and Access Controls in AMD Generic Encapsulated Software Architecture - CVE-2020-12890

Published: June 23, 2020


Vulnerability identifier: #VU29206
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-12890
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: AMD
Affected software:
AMD Generic Encapsulated Software Architecture

Detailed vulnerability description

The vulnerability allows a local attacker to escalate privileges on the system.

The vulnerability exists due to improper security restrictions in AMD’s client and embedded processors that came out between 2016 and 2019. An authenticated attacker with physical access can manipulate the AMD Generic Encapsulated Software Architecture (AGESA) and execute arbitrary code on the target system.


How to mitigate CVE-2020-12890

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources