URGENT: AMD Reveals 4 “High-Severity” Vulnerabilities Impacting Zen 1-4 Processors – Upgrade Now

According to Gamingdeputy news on February 15, AMD recently released security bulletin AMD-SB-7009, disclosing 4 vulnerabilities rated as “High” that affect server, desktop, workstation, HEDT, mobile and embedded Zen 1-4 processors. Users are advised to install the patch as soon as possible.

According to AMD's announcement, the four “high-risk” vulnerabilities disclosed this time all exist in the dual serial peripheral interface (SPI). Hackers can use these vulnerabilities to launch denial-of-service attacks or remotely execute arbitrary code.

A brief introduction to these 4 vulnerabilities is as follows:

  • CVE-2023-20576: Insufficient verification of data authenticity in AGESA may allow an attacker to update SPI ROM data, which may lead to a denial of service or privilege escalation.

  • CVE-2023-20577: A heap overflow in the SMM module could allow an attacker who exploits a second vulnerability to write to the SPI flash memory, leading to the execution of arbitrary code.

  • CVE-2023-20579: Improper access control in the AMD SPI protection function allows an attacker with Ring0 (kernel mode) privileged access to bypass the protection, which may result in loss of integrity and availability.

  • CVE-2023-20587: Improper access control in System Management Mode (SMM) allows an attacker to access the SPI flash memory, leading to the execution of arbitrary code.

Users of Ryzen 3000 series desktop CPUs, 4000 series mobile APUs, embedded V2000 chips, or V3000 systems should be extra vigilant in the coming months, as the issues affecting these generations of products have not all been patched.

Updates planned by AMD for later this month will address the vulnerabilities for 4000 series APUs, a March 2024 BIOS update will fix them for 3000 series CPUs, and a fix for embedded products is due in April.

| CPU generation | Minimum fixed version | Release date |
| --- | --- | --- |
| 1st Gen AMD EPYC | NaplesPI 1.0.0.K | 2023-Apr-27 |
| 2nd Gen AMD EPYC | RomePI 1.0.0.H | 2023-Nov-07 |
| 3rd Gen AMD EPYC | MilanPI 1.0.0.C | 2023-Dec-18 |
| 4th Gen AMD EPYC | GenoaAPI 1.0.0.8 | 2023-Jun-09 |
| Ryzen 3000 Desktop | ComboAM4 1.0.0.B | 2024-Mar |
| Ryzen 5000 Desktop | ComboAM4v2 1.2.0.B | 2023-Aug-25 |
| Ryzen 5000 Desktop w/ Radeon | ComboAM4v2PI 1.2.0.C | 2024-Feb-07 |
| Ryzen 7000 Desktop | ComboAM5 1.0.8.0 | 2023-Aug-29 |
| Ryzen 3000 Desktop w/ Radeon | ComboAM4 1.0.0.B | 2024-Mar |
| Ryzen 4000 Desktop w/ Radeon | ComboAM4v2PI 1.2.0.C | 2024-Feb-07 |
| Ryzen Threadripper 3000 | CastlePeakPI-SP3r3 1.0.0.A | 2023-Nov-21 |
| Ryzen Threadripper Pro 3000WX | ChagallWSPI-sWRX8 1.0.0.7 | 2024-Jan-11 |
| Ryzen Threadripper Pro 5000WX | ChagallWSPI-sWRX8 1.0.0.7 | 2024-Jan-11 |
| Athlon 3000 Mobile w/ Radeon | PollockPI-FT5 1.0.0.6 | 2023-Oct-26 |
| Ryzen 3000 Mobile w/ Radeon | PicassoPI-FP5 1.0.1.0 | 2023-May-31 |
| Ryzen 4000 Mobile w/ Radeon | RenoirPI-FP6 1.0.0.D | 2024-Feb |
| Ryzen 5000 Mobile w/ Radeon | CezannePI-FP6 1.0.1.0 | 2024-Jan-25 |
| Ryzen 7020 w/ Radeon | MendocinoPI-FT6 1.0.0.6 | 2024-Jan-03 |
| Ryzen 6000 w/ Radeon | RembrandtPI-FP7 1.0.0.A | 2023-Dec-28 |
| Ryzen 7035 w/ Radeon | RembrandtPI-FP7 1.0.0.A | 2023-Dec-28 |
| Ryzen 5000 w/ Radeon | CezannePI-FP6 1.0.1.0 | 2024-Jan-25 |
| Ryzen 3000 w/ Radeon | CezannePI-FP6 1.0.1.0 | 2024-Jan-25 |
| Ryzen 7040 w/ Radeon | PhoenixPI-FP8-FP7 1.1.0.0 | 2023-Oct-06 |
| Ryzen 7045 Mobile | DragonRangeFL1PI 1.0.0.3b | 2023-Aug-30 |
| EPYC Embedded 3000 | Snowyowl PI 1.1.0.B | 2023-Dec-15 |
| EPYC Embedded 7002 | EmbRomePI-SP3 1.0.0.B | 2023-Dec-15 |
| EPYC Embedded 7003 | EmbMilanPI-SP3 1.0.0.8 | 2024-Jan-15 |
| EPYC Embedded 9003 | EmbGenoaPI-SP5 1.0.0.3 | 2023-Sep-15 |
| Ryzen Embedded R1000 | EmbeddedPI-FP5 1.2.0.A | 2023-Jul-31 |
| Ryzen Embedded R2000 | EmbeddedPI-FP5 1.0.0.2 | 2023-Jul-31 |
| Ryzen Embedded 5000 | EmbAM4PI 1.0.0.4 | 2023-Sep-22 |
| Ryzen Embedded V1000 | EmbeddedPI-FP5 1.2.0.A | 2023-Jul-31 |
| Ryzen Embedded V2000 | EmbeddedPI-FP6 1.0.0.9 | 2024-Apr |
| Ryzen Embedded V3000 | EmbeddedPI-FP7r2 1.0.0.9 | 2024-Apr |

Gamingdeputy has attached a link to AMD's official announcement, which interested users can read in depth.