According to Gamingdeputy news on February 15, AMD recently released a security bulletin numbered AMD-SB-7009, disclosing 4 vulnerabilities rated as “High”, affecting servers, desktops, workstations, HEDT, mobile and embedded Zen 1-4 processors, and users are recommended to install the patch as soon as possible.
According to AMD's announcement, the four “high-risk” vulnerabilities disclosed this time all exist in the dual serial peripheral interface (SPI). Hackers can use these vulnerabilities to launch denial-of-service attacks or remotely execute arbitrary code.
Advertisement
A brief introduction to these 4 vulnerabilities is as follows:
CVE-2023-20576: Insufficient authenticity of AGESA verification data may allow an attacker to update SPI ROM data, which may lead to a denial of service or privilege escalation.
CVE-2023-20577: A heap overflow bit in the SMM module could allow an attacker to exploit a second vulnerability, allowing an attacker to write to the SPI flash memory, leading to the execution of arbitrary code.
CVE-2023-20579: Improper access control in the AMD SPI protection function allows hackers to exploit users with Ring0 (kernel mode) privileged access to bypass the protection, which may result in loss of integrity and availability.
CVE-2023-20587: Improper access control in System Management Mode (SMM) allows an attacker to access the SPI flash memory, leading to the execution of arbitrary code.
Users of Ryzen 3000 series desktop CPUs, 4000 series mobile APUs, embedded V2000 chips, or V3000 systems should be extra vigilant in the coming months, as the issues affecting these generations of products have not all been patched.
Updates planned by AMD later this month will address the vulnerability for 4000 series APUs; a March 2024 BIOS update will fix the vulnerability for 3000 series CPUs; and a fix for embedded products in April.
CPU generation | Fixed minimum version | Online date |
---|---|---|
1st Gen AMD EPYC | NaplesPI 1.0.0.K | 2023-Apr-27 |
2nd Gen AMD EPYC | RomePI 1.0.0.H | 2023-Nov-07 |
3rd Gen AMD EPYC | MilanPI 1.0.0.C | 2023-Dec-18 |
4th Gen AMD EPYC | GenoaAPI 1.0.0.8 | 2023-Jun-09 |
Ryzen 3000 Desktop | ComboAM4 1.0.0.B | 2024-Mar |
Ryzen 5000 Desktop | ComboAM4v2 1.2.0.B | 2023-Aug-25 |
Ryzen 5000 Desktop w/ Radeon | ComboAM4v2PI 1.2.0.C | 2024-Feb-07 |
Ryzen 7000 Desktop | ComboAM5 1.0.8.0 | 2023-Aug-29 |
Ryzen 3000 Desktop w/ Radeon | ComboAM4 1.0.0.B | 2024-Mar |
Ryzen 4000 Desktop w/ Radeon | ComboAM4v2PI 1.2.0.C | 2024-Feb-07 |
Ryzen Threadripper 3000 | CastlePeakPI-SP3r3 1.0.0.A | 2023-Nov-21 |
Ryzen Threadripper Pro 3000WX | ChagallWSPI-sWRX8 1.0.0.7 | 2024-Jan-11 |
Ryzen Threadripper Pro 5000WX | ChagallWSPI-sWRX8 1.0.0.7 | 2024-Jan-11 |
Athlon 3000 Mobile w/ Radeon | PollockPI-FT5 1.0.0.6 | 2023-Oct-26 |
Ryzen 3000 Mobile w/ Radeon | PicassoPI-FP5 1.0.1.0 | 2023-May-31 |
Ryzen 4000 Mobile w/ Radeon | RenoirPI-FP6 1.0.0.D | 2024-Feb |
Ryzen 5000 Mobile w/ Radeon | CezannePI-FP6 1.0.1.0 | 2024-Jan-25 |
Ryzen 7020 w/ Radeon | MendocinoPI-FT6 1.0.0.6 | 2024-Jan-03 |
Ryzen 6000 w/ Radeon | RembrandtPI-FP7 1.0.0.A | 2023-Dec-28 |
Ryzen 7035 w/ Radeon | RembrandtPI-FP7 1.0.0.A | 2023-Dec-28 |
Ryzen 5000 w/ Radeon | CezannePI-FP6 1.0.1.0 | 2024-Jan-25 |
Ryzen 3000 w/ Radeon | CezannePI-FP6 1.0.1.0 | 2024-Jan-25 |
Ryzen 7040 w/ Radeon | PhoenixPI-FP8-FP7 1.1.0.0 | 2023-Oct-06 |
Ryzen 7045 Mobile | DragonRangeFL1PI 1.0.0.3b | 2023-Aug-30 |
EyPC Embedded 3000 | Snowyowl PI 1.1.0.B | 2023-Dec-15 |
Epyc Embedded 7002 | EmbRomePI-SP3 1.0.0.B | 2023-Dec-15 |
Epyc Embedded 7003 | EmbMilanPI-SP3 1.0.0.8 | 2024-Jan-15 |
Epyc Embedded 9003 | EmbGenoaPI-SP5 1.0.0.3 | 2023-Sep-15 |
Ryzen Embedded R1000 | EmbeddedPI-FP5 1.2.0.A | 2023-Jul-31 |
Ryzen Embedded R2000 | EmbeddedPI-FP5 1.0.0.2 | 2023-Jul-31 |
Ryzen Embedded 5000 | EmbAM4PI 1.0.0.4 | 2023-Sep-22 |
Ryzen Embedded V1000 | EmbeddedPI-FP5 1.2.0.A | 2023-Jul-31 |
Ryzen Embedded V2000 | EmbeddedPI-FP6 1.0.0.9 | 2024-Apr |
Ryzen Embedded V3000 | EmbeddedPI-FP7r2 1.0.0.9 | 2024-Apr |
Gamingdeputy attaches AMD officialAnnouncement link addressinterested users can read in depth.
Advertisement