Cfir Cohen

**Name of the Vulnerable Software and Affected Versions** AMD EPYC 7001 Processors (affected versions not specified) **Description** An out of bounds memory write when processing the AMD PSP1 Configuration Block (APCB) could allow an attacker with access to modify the BIOS image and potentially modify the APCB block, resulting in arbitrary code execution. This issue affects the AMD EPYC 7001 Processors. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intel(R) Xeon(R) Processors (affected versions not specified) **Description** The issue concerns incorrect default permissions in some memory controller configurations for Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions. This may allow a privileged user to potentially enable escalation of privilege via local access. The vulnerability is related to Intel Microcode and is associated with default permission settings. Exploitation of the vulnerability could allow an attacker to access confidential data, compromise data integrity, and cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AMD Secure Processor (ASP) (affected versions not specified) **Description** The issue is related to insufficient input validation in the SYS KEY DERIVE system call, which can be exploited by an attacker to corrupt AMD Secure Processor (ASP) OS memory, potentially leading to arbitrary code execution. This can occur in a compromised user application or ABL. The vulnerability is associated with the implementation of AMD Secure Processor (ASP) microcode in AMD processors. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AMD processors (affected versions not specified) **Description** The issue is related to insufficient input validation in the implementation of the SNP INIT command for the AMD processor firmware loading mode. This could allow a remote attacker to compromise the integrity of protected information. Additionally, failure to verify the CPU execution mode during SNP INIT may lead to potential memory integrity loss for SNP guests. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** System Management Unit (SMU) (affected versions not specified) **Description** The issue is related to insufficient DRAM address validation, which may lead to a denial of service due to DMA read/write operations from/to invalid DRAM addresses. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned. **Description** The issue is related to the failure to assign a new report ID to an imported guest, which may potentially result in an SEV-SNP guest VM being tricked into trusting a dishonest Migration Agent (MA). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue is related to the failure to flush the Translation Lookaside Buffer (TLB) of the I/O memory management unit (IOMMU), which may allow an IO device to write to memory it should not be able to access. This could result in a potential loss of integrity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned. **Description** A bug related to the SEV-ES TMR may cause a potential loss of memory integrity for SNP-active VMs. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ASP firmware (affected versions not specified) **Description** The issue is related to insufficient input validation in ASP firmware for discrete TPM commands, which could lead to a potential loss of integrity and denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ASP firmware (affected versions not specified) PSP FW (affected versions not specified) **Description** A race condition issue exists that could allow less privileged x86 code to perform SMM (System Management Mode) operations. This issue affects both ASP and PSP firmware, potentially allowing unauthorized access to sensitive operations. **Recommendations** For ASP firmware, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For PSP FW, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned. **Description** The issue is related to insufficient validation of guest context in the SNP Firmware, which could potentially lead to a loss of guest confidentiality. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AMD SEV Firmware (affected versions not specified) **Description** The issue is related to insufficient validation of the AMD SEV Signing Key (ASK) in the SEND START command in the SEV Firmware. This may allow a local authenticated attacker to perform a denial of service of the PSP. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SEV Firmware (affected versions not specified) **Description** The issue is related to insufficient ID command validation in the SEV Firmware, which may allow a local authenticated attacker to perform a denial of service of the PSP. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned. **Description** The issue concerns a potential "two time pad attack" due to the persistent platform private key not being protected with a random IV. This could lead to security risks, but specific details about affected devices or real-world incidents are not provided. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue is related to the failure to validate SEV Commands while SNP is active, which may result in a potential impact to memory integrity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SoftwareX (affected versions not specified) **Description** The issue is related to insufficient input validation in the `SNP GUEST REQUEST` command, which may lead to a potential data abort error and a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned. **Description** The issue is related to a failure to validate VM HSAVE PA during SNP INIT, which may result in a loss of memory integrity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ASP Firmware (affected versions not specified) PSP Firmware (affected versions not specified) **Description** The issue is related to insufficient validation of BIOS image length, which could lead to arbitrary code execution. This affects the firmware's ability to properly verify the length of BIOS images, potentially allowing malicious code to be executed. **Recommendations** For ASP Firmware, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For PSP Firmware, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VMware ESXi versions 7.0 before ESXi 7.0.0-1.20.16321839 VMware ESXi versions 6.7 before ESXi670-202006401-SG VMware ESXi versions 6.5 before ESXi650-202005401-SG VMware Workstation versions 15.x before 15.5.2 VMware Fusion versions 11.x before 11.5.2 **Description** The issue is related to a use-after-free vulnerability in the PVNVRAM component of VMware ESXi, VMware Workstation, and VMware Fusion. This vulnerability may allow a malicious actor with local access to a virtual machine to read privileged information contained in physical memory. **Recommendations** For VMware ESXi versions 7.0 before ESXi 7.0.0-1.20.16321839, update to a version that includes the ESXi 7.0.0-1.20.16321839 patch or later. For VMware ESXi versions 6.7 before ESXi670-202006401-SG, apply the ESXi670-202006401-SG patch or later. For VMware ESXi versions 6.5 before ESXi650-202005401-SG, apply the ESXi650-202005401-SG patch or later. For VMware Workstation versions 15.x before 15.5.2, update to version 15.5.2 or later. For VMware Fusion versions 11.x before 11.5.2, update to version 11.5.2 or later.

**Name of the Vulnerable Software and Affected Versions** VMware ESXi versions 7.0 before ESXi 7.0.0-1.20.16321839 VMware ESXi versions 6.7 before ESXi670-202006401-SG VMware ESXi versions 6.5 before ESXi650-202005401-SG VMware Workstation versions 15.x before 15.5.2 VMware Fusion versions 11.x before 11.5.2 **Description** The issue is related to an information leak in the XHCI USB controller of the affected software. A malicious actor with local access to a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine. This is due to a lack of protection for service data. **Recommendations** For VMware ESXi versions 7.0 before ESXi 7.0.0-1.20.16321839, update to a version that includes the ESXi 7.0.0-1.20.16321839 patch or later. For VMware ESXi versions 6.7 before ESXi670-202006401-SG, update to a version that includes the ESXi670-202006401-SG patch or later. For VMware ESXi versions 6.5 before ESXi650-202005401-SG, update to a version that includes the ESXi650-202005401-SG patch or later. For VMware Workstation versions 15.x before 15.5.2, update to version 15.5.2 or later. For VMware Fusion versions 11.x before 11.5.2, update to version 11.5.2 or later.