AMD Ryzen CPUs are impacted by all of these serious vulnerabilities

Daniel Sims

Posts: 1,366   +43
Staff
A hot potato: All users with AMD Ryzen processors from the last few years should check and update their motherboard firmware ASAP, especially if they haven't done so since before 2023. AMD has published a detailed chart describing four severe security issues affecting server, desktop, workstation, HEDT, mobile, and embedded Zen CPUs. Recent BIOS updates have addressed most, but not all of the flaws.

All four vulnerabilities AMD has acknowledged are marked as high-severity. The chart below lists the minimum AGESA version needed to mitigate all issues for each processor generation. A more detailed breakdown of which problems and solutions affect each CPU can be found in the company's security bulletin.

One of the vulnerabilities, designated CVE-2023-20576, can allow attackers to initiate denial of service attacks or escalate privileges due to insufficient data authenticity verification in the BIOS.

Two others – CVE-2023-20577 and CVE-2023-20587 – can enable arbitrary code execution by granting access to the SPI flash through System Management Mode. Another, dubbed CVE-2023-20579, can cause loss of integrity and availability through improper access control in AMD's SPI protection feature.

CPU Generation Minimum Patched BIOS version Availability Date
1st Gen AMD EPYC NaplesPI 1.0.0.K 2023-Apr-27
2nd Gen AMD EPYC RomePI 1.0.0.H 2023-Nov-07
3rd Gen AMD EPYC MilanPI 1.0.0.C 2023-Dec-18
4th Gen AMD EPYC GenoaPI 1.0.0.8 2023-Jun-09
Ryzen 3000 Desktop ComboAM4 1.0.0.B 2024-Mar
Ryzen 5000 Desktop ComboAM4v2 1.2.0.B 2023-Aug-25
Ryzen 5000 Desktop w/ Radeon ComboAM4v2PI 1.2.0.C 2024-Feb-07
Ryzen 7000 Desktop ComboAM5 1.0.8.0 2023-Aug-29
Ryzen 3000 Desktop w/ Radeon ComboAM4 1.0.0.B 2024-Mar
Ryzen 4000 Desktop w/ Radeon ComboAM4v2PI 1.2.0.C 2024-Feb-07
Ryzen Threadripper 3000 CastlePeakPI-SP3r3 1.0.0.A 2023-Nov-21
Ryzen Threadripper Pro 3000WX ChagallWSPI-sWRX8 1.0.0.7 2024-Jan-11
Ryzen Threadripper Pro 5000WX ChagallWSPI-sWRX8 1.0.0.7 2024-Jan-11
Athlon 3000 Mobile w/ Radeon PollockPI-FT5 1.0.0.6 2023-Oct-26
Ryzen 3000 Mobile w/ Radeon PicassoPI-FP5 1.0.1.0 2023-May-31
Ryzen 4000 Mobile w/ Radeon RenoirPI-FP6 1.0.0.D 2024-Feb
Ryzen 5000 Mobile w/ Radeon CezannePI-FP6 1.0.1.0 2024-Jan-25
Ryzen 7020 w/ Radeon MendocinoPI-FT6 1.0.0.6 2024-Jan-03
Ryzen 6000 w/ Radeon RembrandtPI-FP7 1.0.0.A 2023-Dec-28
Ryzen 7035 w/ Radeon RembrandtPI-FP7 1.0.0.A 2023-Dec-28
Ryzen 5000 w/ Radeon CezannePI-FP6 1.0.1.0 2024-Jan-25
Ryzen 3000 w/ Radeon CezannePI-FP6 1.0.1.0 2024-Jan-25
Ryzen 7040 w/ Radeon PhoenixPI-FP8-FP7 1.1.0.0 2023-Oct-06
Ryzen 7045 Mobile DragonRangeFL1PI 1.0.0.3b 2023-Aug-30
Eypc Embedded 3000 Snowyowl PI 1.1.0.B 2023-Dec-15
Epyc Embedded 7002 EmbRomePI-SP3 1.0.0.B 2023-Dec-15
Epyc Embedded 7003 EmbMilanPI-SP3 1.0.0.8 2024-Jan-15
Epyc Embedded 9003 EmbGenoaPI-SP5 1.0.0.3 2023-Sep-15
Ryzen Embedded R1000 EmbeddedPI-FP5 1.2.0.A 2023-Jul-31
Ryzen Embedded R2000 EmbeddedPI-FP5 1.0.0.2 2023-Jul-31
Ryzen Embedded 5000 EmbAM4PI 1.0.0.4 2023-Sep-22
Ryzen Embedded V1000 EmbeddedPI-FP5 1.2.0.A 2023-Jul-31
Ryzen Embedded V2000 EmbeddedPI-FP6 1.0.0.9 2024-Apr
Ryzen Embedded V3000 EmbeddedPI-FP7r2 1.0.0.9 2024-Apr

Those with Ryzen 3000 series desktop CPUs, 4000 series mobile APUs, embedded V2000 chips, or V3000 systems should exercise extra vigilance over the next few months, as the issues affecting those generations have not all been patched. An update planned for later this month will address the vulnerabilities for the 4000 series APUs, while a March 2024 BIOS update will fix the 3000 series CPUs. The affected embedded products will receive patches in April.

All other Zen processors received the relevant fixes in updates between mid-2023 and early this month. For 2nd-gen Epyc processors, the update that mitigated last year's Zenbleed attack also protects against the new vulnerabilities.

There are several ways to check and update your BIOS version. In most modern PCs, both are possible directly from the BIOS itself. After entering the BIOS by pressing the indicated button during the system's initial boot-up, the version number should appear on the main menu. Automatic update functions vary depending on the motherboard manufacturer.

To check your BIOS version without rebooting Windows, launch the System Information app by typing that into search or "msinfo" into the taskbar's search. The version and date should appear in the list on the right pane. The latest BIOS version can usually be found on the support section of the motherboard manufacturer's website. All major motherboard makers also offer automatic updates through optional management software.

Permalink to story.

 
So my almost 7-year old B350 board just listed a Beta BIOS which includes the AGESA version with the patch. I'm now pondering whether I should wait for the stable one or jump in and become the beta tester at the risk of bricking my rig.
 
My X670E Asus board got an updated BIOS just a couple of weeks ago, AGESA 1.1.0.2b.

I’ve been keeping my BIOS up-to-date regardless but good to know I seem to be covered.
 
So my almost 7-year old B350 board just listed a Beta BIOS which includes the AGESA version with the patch. I'm now pondering whether I should wait for the stable one or jump in and become the beta tester at the risk of bricking my rig.
Sadly, I don't have that option. Asus seem to have removed, about 1 year ago, all B350 motherboards from their support pages. :(
Oddly, they still have a couple of A320 boards.
 
So my almost 7-year old B350 board just listed a Beta BIOS which includes the AGESA version with the patch. I'm now pondering whether I should wait for the stable one or jump in and become the beta tester at the risk of bricking my rig.
If you're runningn a ryzen 5000 series on a b350 then almost universally are new bios' called a beta bios.
 
So Are these remote execution able or does the bad actor need full access to your system
Exactly! Articles needs to actually talk about how these vulnerabilities are exploited and how severe they actually are to average users. Most of the slickly named intel exploits only affected encrypted data and the exploit required physical and/or root access making it moot since the bad actor already has access to all of your data.
 
Exactly! Articles needs to actually talk about how these vulnerabilities are exploited and how severe they actually are to average users. Most of the slickly named intel exploits only affected encrypted data and the exploit required physical and/or root access making it moot since the bad actor already has access to all of your data.
This. If they are remote probably should update. If local and these patches reduce performance... I wouldn't install. Most of these "patches" reduce performance
 
Since Moore's Law is moribund nowadays and upgrade cycles are becoming longer and longer, the industry needs these vulnerabilities with mitigations / patches that reduce performance by 50% to keep afloat. Nevermind that almost all of these vulnerabilities require extremely obscure and cumbersome methods and in some cases local physical access to the machine to actually be exploited.
 
If you're runningn a ryzen 5000 series on a b350 then almost universally are new bios' called a beta bios.

My 7800X3D with a MSI X670E MB has been having every firmware update for a long time labeled beta. I will admit I have been waiting for non-beta. Is this wrong? There are some in the past that were not labeled beta.
 
All of a sudden, we have this article when the elephant in the room is Intel...

nvdmgl6mev841.png
 
Last edited:
All of a sudden, we have this article when the elephant in the room is Intel...
Really? A chart with five-year old data to support that conspiracy theory? According to the same site you pulled that from, AMD has been leading Intel in vulnerabilities since 2022.
 
Exactly! Articles needs to actually talk about how these vulnerabilities are exploited and how severe they actually are to average users. Most of the slickly named intel exploits only affected encrypted data and the exploit required physical and/or root access making it moot since the bad actor already has access to all of your data.
None of the listed vulnerabilities are exploitable without very serious and difficult means. This article is doing nothing more than regurgitating info stated elsewhere without proper context. Due diligence was not done here.
 
Stuff that. So much scaremongering for home users. All this garbage fw update will do is drastically lower performance until the next set of exploits are discovered and the recipes for the exploits widely published by irresponsible researchers, leading to new fw updates that lower performance again and again ad infinitum.
 
Same here 5600x with B550 on AGESA ComboAm4v2PI 1.2.0.B update.
You'll need to take your setup to the streets, to a sketchy place, where an attacker with the proper knowledge to do it will have access to your machine. C'mon dude...most of these flaws require the attacker to be in front of your machine.
 
You'll need to take your setup to the streets, to a sketchy place, where an attacker with the proper knowledge to do it will have access to your machine. C'mon dude...most of these flaws require the attacker to be in front of your machine.
Not fot the secure part I did the update, the microcode fixed some stupid RE-BAR issue I had with the GPU. Also PBO works better now.
And in the future if I try to put a X3D cpu it will work for sure.
 
Back