AMD EPYC Processors Exposed: High-Severity Vulnerability CVE-2023-31315

by do son · August 13, 2024

AMD EPYC processors vulnerability - CVE-2023-31315

AMD has released a security advisory following the discovery of a high-severity vulnerability affecting several of its EPYC processors. The vulnerability, identified as CVE-2023-31315, was reported by researchers from IOActive and poses a significant risk to systems running affected AMD processors, particularly in data centers and high-performance computing environments.

CVE-2023-31315 has been assigned a CVSS score of 7.5, indicating a high severity level. The vulnerability stems from improper validation in a model-specific register (MSR), which could be exploited by malicious programs with ring 0 access to alter SMM configuration while SMI lock is in effect. The consequences of such an attack could be dire, potentially leading to arbitrary code execution.

SMM is a highly privileged mode used by system firmware for power management, system hardware control, and other critical functions. The ability to modify SMM configuration while SMM Lock is enabled undermines a crucial security mechanism designed to protect the integrity of SMM.

The vulnerability impacts multiple generations of AMD EPYC processors, including:

1st Gen EPYC Processors (“Naples”)
2nd Gen EPYC Processors (“Rome”)
3rd Gen EPYC Processors (“Milan” and “Milan-X”)
4th Gen EPYC Processors (“Genoa”, “Genoa-X”, “Bergamo”, and “Siena”)

Additionally, certain AMD Ryzen and Ryzen Threadripper processors, as well as embedded processors from the EPYC and Ryzen lines, are also affected.

AMD has released or plans to release updates to its Platform Initialization (PI) firmware to mitigate this vulnerability. These updates are being distributed to Original Equipment Manufacturers (OEMs), who will provide the necessary BIOS updates to their customers.

For customers unable to immediately apply the PI firmware updates, AMD has provided alternative mitigation options, including hot-loadable microcode patches. Organizations must prioritize these updates to protect their systems from potential exploitation.

Organizations using affected AMD processors are strongly encouraged to contact their OEMs to obtain the latest BIOS updates and apply the necessary security patches.