AMD Secure Encrypted Virtualization (SEV) Vulnerabilities - Lenovo Support NL

**Lenovo Security Advisory:**LEN-60063

**Potential Impact:**Arbitrary code execution

**Severity:**Medium

**Scope of Impact:**Industry-wide

**CVE Identifier:**CVE-2020-12967, CVE-2021-26311

Summary Description:

AMD has reported vulnerabilities in AMD Secure Encrypted Virtualization (SEV)/Secure Encrypted Virtualization-Encrypted State (SEV-ES), a technology designed to isolate virtual machines (VMs) from the hypervisor in virtualized environments, which could potentially lead to arbitrary code execution within guest virtual machines.

Mitigation Strategy for Customers (what you should do to protect yourself):

AMD is not releasing updated firmware to address these vulnerabilities. AMD has provided mitigation in the SEV-SNP feature which is available for enablement in 3rd Gen AMD EPYC (“Milan”) processors.

The mitigation requires the use of SEV-SNP, which is only supported on 3rd Gen AMD EPYC (“Milan”).

Prior generations of AMD EPYC (1st Gen “Naples” and 2nd Gen “Rome”) do not support SEV-SNP. For earlier AMD EPYC products , AMD recommends following security best practices.

For additional information on SEV-SNP and SEV/SEV-ES please refer to AMD"s white paper here.

To determine the AMD EPYC processor generation of affected systems, please refer to the Processor options section of the Product Guides listed in the Product Impact Section below.

References:

<https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1004&gt;

<https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf&gt;

<https://lenovopress.com/lp1383-thinkagile-hx3375-appliance-and-thinkagile-hx3376-certified-node&gt;

<https://lenovopress.com/lp1160-thinksystem-sr635-server&gt;

<https://lenovopress.com/lp1280-thinksystem-sr645-server&gt;

Revision History:

For a complete list of all Lenovo Product Security Advisories, click here.

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.