AMD Ryzen CPUs are impacted by all of these serious vulnerabilities

Daniel Sims

A hot potato: All users with AMD Ryzen processors from the last few years should check and update their motherboard firmware as soon as possible, especially if they haven't done so since before 2023. AMD has published a detailed chart describing four high-severity security issues affecting server, desktop, workstation, HEDT, mobile, and embedded Zen CPUs. Recent BIOS updates have addressed most, but not all, of the flaws.

All four vulnerabilities AMD has acknowledged are rated high severity. The chart below lists, for each processor generation, the AGESA package and the minimum version needed to mitigate all four issues, along with the date that version became (or is scheduled to become) available. These are AMD's release dates for the AGESA package; the BIOS that actually carries it comes from the motherboard vendor, usually some time later, and some older boards never receive it. A more detailed breakdown of which problems and fixes apply to each CPU is in AMD's security bulletin.

One of the vulnerabilities, CVE-2023-20576, stems from insufficient verification of data authenticity in AGESA: an attacker who can update SPI ROM data may be able to cause a denial of service or escalate privileges.

Two others, CVE-2023-20577 and CVE-2023-20587, involve System Management Mode (SMM), the firmware execution mode that runs with higher privilege than the operating system kernel. CVE-2023-20587 is an improper access control issue in SMM that can give an attacker access to the SPI flash; CVE-2023-20577 is a heap overflow in an SMM module that, combined with a way to write the SPI flash, can lead to arbitrary code execution. The fourth, CVE-2023-20579, is improper access control in AMD's SPI protection feature, which can let a user with Ring0 (kernel-mode) access bypass the protection and cause loss of integrity and availability.

None of the four is a remote attack on its own. AMD describes each in terms of an attacker who already has kernel-mode access to the machine, or a separate way to write the SPI flash. The reason they still rate as high severity is persistence: code that can write the SPI flash or run in SMM sits below the operating system, survives a reinstall, and is invisible to most endpoint tooling.

CPU generation | AGESA PI package | Minimum patched version | Availability date
1st Gen AMD EPYC | NaplesPI | 1.0.0.K | 2023-Apr-27
2nd Gen AMD EPYC | RomePI | 1.0.0.H | 2023-Nov-07
3rd Gen AMD EPYC | MilanPI | 1.0.0.C | 2023-Dec-18
4th Gen AMD EPYC | GenoaPI | 1.0.0.8 | 2023-Jun-09
Ryzen 3000 Desktop | ComboAM4 | 1.0.0.B | 2024-Mar (planned)
Ryzen 5000 Desktop | ComboAM4v2 | 1.2.0.B | 2023-Aug-25
Ryzen 5000 Desktop w/ Radeon | ComboAM4v2PI | 1.2.0.C | 2024-Feb-07
Ryzen 7000 Desktop | ComboAM5 | 1.0.8.0 | 2023-Aug-29
Ryzen 3000 Desktop w/ Radeon | ComboAM4 | 1.0.0.B | 2024-Mar (planned)
Ryzen 4000 Desktop w/ Radeon | ComboAM4v2PI | 1.2.0.C | 2024-Feb-07
Ryzen Threadripper 3000 | CastlePeakPI-SP3r3 | 1.0.0.A | 2023-Nov-21
Ryzen Threadripper Pro 3000WX | ChagallWSPI-sWRX8 | 1.0.0.7 | 2024-Jan-11
Ryzen Threadripper Pro 5000WX | ChagallWSPI-sWRX8 | 1.0.0.7 | 2024-Jan-11
Athlon 3000 Mobile w/ Radeon | PollockPI-FT5 | 1.0.0.6 | 2023-Oct-26
Ryzen 3000 Mobile w/ Radeon | PicassoPI-FP5 | 1.0.1.0 | 2023-May-31
Ryzen 4000 Mobile w/ Radeon | RenoirPI-FP6 | 1.0.0.D | 2024-Feb (planned)
Ryzen 5000 Mobile w/ Radeon | CezannePI-FP6 | 1.0.1.0 | 2024-Jan-25
Ryzen 7020 w/ Radeon | MendocinoPI-FT6 | 1.0.0.6 | 2024-Jan-03
Ryzen 6000 w/ Radeon | RembrandtPI-FP7 | 1.0.0.A | 2023-Dec-28
Ryzen 7035 w/ Radeon | RembrandtPI-FP7 | 1.0.0.A | 2023-Dec-28
Ryzen 5000 w/ Radeon | CezannePI-FP6 | 1.0.1.0 | 2024-Jan-25
Ryzen 3000 w/ Radeon | CezannePI-FP6 | 1.0.1.0 | 2024-Jan-25
Ryzen 7040 w/ Radeon | PhoenixPI-FP8-FP7 | 1.1.0.0 | 2023-Oct-06
Ryzen 7045 Mobile | DragonRangeFL1PI | 1.0.0.3b | 2023-Aug-30
Epyc Embedded 3000 | SnowyOwlPI | 1.1.0.B | 2023-Dec-15
Epyc Embedded 7002 | EmbRomePI-SP3 | 1.0.0.B | 2023-Dec-15
Epyc Embedded 7003 | EmbMilanPI-SP3 | 1.0.0.8 | 2024-Jan-15
Epyc Embedded 9003 | EmbGenoaPI-SP5 | 1.0.0.3 | 2023-Sep-15
Ryzen Embedded R1000 | EmbeddedPI-FP5 | 1.2.0.A | 2023-Jul-31
Ryzen Embedded R2000 | EmbeddedPI-FP5 | 1.0.0.2 | 2023-Jul-31
Ryzen Embedded 5000 | EmbAM4PI | 1.0.0.4 | 2023-Sep-22
Ryzen Embedded V1000 | EmbeddedPI-FP5 | 1.2.0.A | 2023-Jul-31
Ryzen Embedded V2000 | EmbeddedPI-FP6 | 1.0.0.9 | 2024-Apr (planned)
Ryzen Embedded V3000 | EmbeddedPI-FP7r2 | 1.0.0.9 | 2024-Apr (planned)

Those with Ryzen 3000 series desktop CPUs (with or without Radeon graphics), Ryzen 4000 series mobile APUs, or Ryzen Embedded V2000 and V3000 chips should exercise extra vigilance over the next few months, because the fixes for those generations are not yet available. AMD lists RenoirPI-FP6 1.0.0.D for the 4000 series mobile APUs for February 2024, ComboAM4 1.0.0.B for the 3000 series desktop CPUs for March 2024, and EmbeddedPI 1.0.0.9 for the affected embedded parts for April 2024.

All other Zen processors in the chart received the relevant fixes in AGESA updates released between April 2023 and early February 2024. For 2nd-gen Epyc processors, the RomePI 1.0.0.H update that mitigated last year's Zenbleed attack also covers the new vulnerabilities.

There are several ways to check and update your BIOS version. On most modern PCs, both can be done from the BIOS setup itself. After entering setup by pressing the key shown during the initial boot screen, the firmware version (and, on many boards, the AGESA version) appears on the main page. Built-in update functions vary by motherboard manufacturer.

To check your BIOS version from within Windows without rebooting, open System Information (type "msinfo32" into the taskbar search). The BIOS version and date appear in the System Summary list in the right pane. Note that this is the motherboard vendor's BIOS version string, not the AGESA version; the vendor's release notes for each BIOS say which AGESA it contains. The latest BIOS can usually be found in the support section of the motherboard manufacturer's website, and all major motherboard makers also offer updates through optional management software. Whichever route you take, flash only with the vendor's own tool, on stable power, and don't interrupt the process.


 
So my almost 7-year old B350 board just listed a Beta BIOS which includes the AGESA version with the patch. I'm now pondering whether I should wait for the stable one or jump in and become the beta tester at the risk of bricking my rig.
 
My X670E Asus board got an updated BIOS just a couple of weeks ago, AGESA 1.1.0.2b.

I’ve been keeping my BIOS up-to-date regardless but good to know I seem to be covered.
 
So my almost 7-year old B350 board just listed a Beta BIOS which includes the AGESA version with the patch. I'm now pondering whether I should wait for the stable one or jump in and become the beta tester at the risk of bricking my rig.
Sadly, I don't have that option. Asus seem to have removed, about 1 year ago, all B350 motherboards from their support pages. :(
Oddly, they still have a couple of A320 boards.
 
So my almost 7-year old B350 board just listed a Beta BIOS which includes the AGESA version with the patch. I'm now pondering whether I should wait for the stable one or jump in and become the beta tester at the risk of bricking my rig.
If you're running a Ryzen 5000 series on a B350, then almost universally new BIOSes are called beta BIOSes.
 
So are these remote-execution-able, or does the bad actor need full access to your system?
Exactly! Articles need to actually talk about how these vulnerabilities are exploited and how severe they actually are to average users. Most of the slickly named Intel exploits only affected encrypted data, and the exploit required physical and/or root access, making it moot since the bad actor already has access to all of your data.
 
Exactly! Articles need to actually talk about how these vulnerabilities are exploited and how severe they actually are to average users. Most of the slickly named Intel exploits only affected encrypted data, and the exploit required physical and/or root access, making it moot since the bad actor already has access to all of your data.
This. If they are remote, you probably should update. If local, and these patches reduce performance... I wouldn't install. Most of these "patches" reduce performance.
 
Since Moore's Law is moribund nowadays and upgrade cycles are becoming longer and longer, the industry needs these vulnerabilities with mitigations / patches that reduce performance by 50% to keep afloat. Nevermind that almost all of these vulnerabilities require extremely obscure and cumbersome methods and in some cases local physical access to the machine to actually be exploited.
 
If you're running a Ryzen 5000 series on a B350, then almost universally new BIOSes are called beta BIOSes.

My 7800X3D with a MSI X670E MB has been having every firmware update for a long time labeled beta. I will admit I have been waiting for non-beta. Is this wrong? There are some in the past that were not labeled beta.
 
All of a sudden, we have this article when the elephant in the room is Intel...

All of a sudden, we have this article when the elephant in the room is Intel...
Really? A chart with five-year-old data to support that conspiracy theory? According to the same site you pulled that from, AMD has been leading Intel in vulnerabilities since 2022.
 
Exactly! Articles need to actually talk about how these vulnerabilities are exploited and how severe they actually are to average users. Most of the slickly named Intel exploits only affected encrypted data, and the exploit required physical and/or root access, making it moot since the bad actor already has access to all of your data.
None of the listed vulnerabilities are exploitable without very serious and difficult means. This article is doing nothing more than regurgitating info stated elsewhere without proper context. Due diligence was not done here.
 
Stuff that. So much scaremongering for home users. All this garbage fw update will do is drastically lower performance until the next set of exploits are discovered and the recipes for the exploits widely published by irresponsible researchers, leading to new fw updates that lower performance again and again ad infinitum.
 
Same here, 5600X with B550 on the AGESA ComboAm4v2PI 1.2.0.B update.
You'll need to take your setup to the streets, to a sketchy place, where an attacker with the proper knowledge to do it will have access to your machine. C'mon dude... most of these flaws require the attacker to be in front of your machine.
 
You'll need to take your setup to the streets, to a sketchy place, where an attacker with the proper knowledge to do it will have access to your machine. C'mon dude... most of these flaws require the attacker to be in front of your machine.
It wasn't for the security part that I did the update; the microcode fixed some stupid ReBAR issue I had with the GPU. Also, PBO works better now.
And in the future, if I try to put in an X3D CPU, it will work for sure.
 