AMD Discovers New Vulnerabilities Affecting Zen 1, 2, 3, 4 CPUs, BIOS Mitigations Released

AMD has disclosed new BIOS-side vulnerabilities across all of its Zen CPU generations, which has particularly impacted the SPI connection, compromising security.

AMD's Newly-Discovered Vulnerabilities Could Potentially Lead To High-Level Security Compromises, Affects All Generations of Zen CPUs But BIOS Fixes Released

The emergence of vulnerabilities across CPU architectures isn't surprising, but this time, AMD has apparently discovered something much bigger, impacting a more extensive consumer base, and the severity of it is listed as "high" this time as well. Moreover, the discovered vulnerabilities enter from your motherboard's BIOS as well; hence, the matter is indeed sensitive, and according to AMD, the consequences of the mentioned include the "trigger" of arbitrary codes and much more.

Moving into the specifics, AMD mentions that the vulnerability is broken down into four different compromises, and it relies on "messing up" with your SPI interface, which can lead to malicious activities such as denial of service, execution of arbitrary codes, and the bypass of your system's integrity. Team Red has described the vulnerabilities in multiple CVEs, and you can view their findings below to have an idea of how costly it can be:

CVE	Severity	CVE Description
CVE-2023-20576	High	Insufficient Verification of Data Authenticity in AGESA may allow an attacker to update SPI ROM data potentially resulting in denial of service or privilege escalation.
CVE-2023-20577	High	A heap overflow in SMM module may allow an attacker with access to a second vulnerability that enables writing to SPI flash, potentially resulting in arbitrary code execution.
CVE-2023-20579	High	Improper Access Control in the AMD SPI protection feature may allow a user with Ring0 (kernel mode) privileged access to bypass protections potentially resulting in loss of integrity and availability.
CVE-2023-20587	High	Improper Access Control in System Management Mode (SMM) may allow attackers access to the SPI flash, potentially leading to arbitrary code execution.

However, the good thing is that to stay safe from the vulnerabilities mentioned above, AMD has advised its consumers to update to the latest AGESA versions, which the firm has already pushed out.

The new versions target mitigations for all AMD Ryzen CPU lineups, along with AMD's EPYC, Threadripper, and Embedded series as well, which shows that as long as you have the correct AGESA version loaded into your systems, it won't be much of a huge deal. However, particular SKUs, such as the Ryzen 4000G and 5000G APUs, haven't received mitigation patches in their respective motherboards, which might cause concerns. This is mainly dependent on the motherboard manufacturers. Still, we believe the new AGESA versions will be adopted soon.

CVE (AMD)		Ryzen 3000 Series Desktop Processors	Ryzen 5000 Series Desktop Processors	Ryzen 5000 Series Desktop Processors with Radeon Graphics	Ryzen 7000 Series Processors	Athlon 3000 Series Desktop Processors with Radeon Graphics	Ryzen 4000 Series Desktop Processors with Radeon Graphics
Minimum version to mitigate all listed CVEs		ComboAM4v2 1.2.0.B (2023-08-25)ComboAM4 1.0.0.B (Target Mar 2024)	ComboAM4v2 1.2.0.B (2023-08-25)	ComboAM4v2PI 1.2.0.C (2024-02-07)	ComboAM5 1.0.8.0 (2023-8-29)	ComboAM4v2 1.2.0.B (2023-08-25)ComboAM4 1.0.0.B (Target Mar 2024)	ComboAM4v2PI 1.2.0.C (2024-02-07)
CVE-2023-20576	High	ComboAM4v2 1.2.0.B (2023-08-25)	ComboAM4v2v 1.2.0.B (2023-08-25)	ComboAM4v2 1.2.0.B (2023-08-25)	ComboAM5 1.0.0.7b (2023-07-21)	Not affected	ComboAM4v2 1.2.0.B (2023-08-25)
CVE-2023-20577	High	ComboAM4v2 1.2.0.B (2023-08-25)ComboAM4 1.0.0.B (Target Mar 2024)	ComboAM4v2 1.2.0.B (2023-08-25)	ComboAM4v2 1.2.0.B (2023-08-25)	ComboAM5 1.0.0.7b (2023-07-21)	ComboAM4v2 1.2.0.B (2023-08-25)ComboAM4 1.0.0.B (Target Mar 2024)	ComboAM4v2 1.2.0.B (2023-08-25)
CVE-2023-20579	High	Not affected	Not affected	ComboAM4v2PI 1.2.0.C (2024-02-07)	ComboAM5 1.0.8.0 (2023-8-29)	Not affected	ComboAM4v2PI 1.2.0.C (2024-02-07)
CVE-2023-20587	High	Not affected	Not affected	Not affected	Not affected	Not affected	Not affected

 

CVE (AMD)		Ryzen 6000 Series Processors with Radeon Graphics	Ryzen 7035 Series Processors with Radeon Graphics	Ryzen 5000 Series Processors with Radeon Graphics	Ryzen 3000 Series Processors with Radeon Graphics	Ryzen 7040 Series Processors with Radeon Graphics	Ryzen 7045 Series Mobile Processors
Minimum version to mitigate all listed CVEs		RembrandtPI-FP7 1.0.0.A (2023-12-28)	RembrandtPI-FP7 1.0.0.A (2023-12-28)	CezannePI-FP6 1.0.1.0 (2024-01-25)	CezannePI-FP6 1.0.1.0 (2024-01-25)	PhoenixPI-FP8-FP7 1.1.0.0 (2023-10-06)	DragonRangeFL1PI 1.0.0.3b (2023-08-30)
CVE-2023-20576	High	RembrandtPI-FP7 1.0.0.9b (2023-09-13)	RembrandtPI-FP7 1.0.0.9b (2023-09-13)	Not affected	Not affected	PhoenixPI-FP8-FP7 1.0.0.2 (2023-08-02)	DragonRangeFL1PI 1.0.0.3a (2023-05-24)
CVE-2023-20577	High	RembrandtPI-FP7 1.0.0.9b (2023-09-13)	RembrandtPI-FP7 1.0.0.9b (2023-09-13)	CezannePI-FP6 1.0.0.F (2023-6-20)	CezannePI-FP6 1.0.0.F (2023-6-20)	PhoenixPI-FP8-FP7 1.0.0.2 (2023-08-02)	DragonRangeFL1PI 1.0.0.3a (2023-05-24)
CVE-2023-20579	High	RembrandtPI-FP7 1.0.0.A (2023-12-28)	RembrandtPI-FP7 1.0.0.A (2023-12-28)	CezannePI-FP6 1.0.1.0 (2024-01-25)	CezannePI-FP6 1.0.1.0 (2024-01-25)	PhoenixPI-FP8-FP7 1.1.0.0 (2023-10-06)	DragonRangeFL1PI 1.0.0.3b (2023-08-30)
CVE-2023-20587	High	Not affected	Not affected	Not affected	Not affected	Not affected	Not affected

News Source: AMD

Follow Wccftech on Google to get more of our news coverage in your feeds.