
AMD has released security updates addressing multiple vulnerabilities in its EPYC server processors, including flaws that could allow privileged attackers to execute arbitrary code or access sensitive data. The security bulletin highlights six vulnerabilities, ranging in severity from low to high, with the most critical issues receiving a CVSS score of 7.5.
The affected components include the AMD Secure Processor (ASP), Secure Encrypted Virtualization (SEV), and Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). The most severe flaws—CVE-2023-31342, CVE-2023-31343, and CVE-2023-31345—share a CVSS score of 7.5 (High) and stem from improper input validation in the System Management Mode (SMM) handler. According to AMD, these flaws “may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.”
Another notable issue, CVE-2023-31352 (CVSS 6.0, Medium), affects the SEV firmware and “may allow an attacker with privileges to read unencrypted memory, potentially resulting in loss of guest private data.” This poses a serious risk in virtualized environments where confidential information is expected to remain isolated.
Lesser in severity but still noteworthy is CVE-2023-20582 (CVSS 5.3, Medium), which involves improper handling of invalid nested page table entries in the IOMMU. AMD warns that this could enable “a privileged attacker to induce page table entry (PTE) faults to bypass RMP checks in SEV-SNP, potentially leading to a loss of guest memory integrity.”
AMD has confirmed that these vulnerabilities impact both 3rd and 4th Gen EPYC processors, formerly codenamed “Milan,” “Milan-X,” “Genoa,” “Genoa-X,” “Bergamo,” and “Siena.” The company has released firmware updates to mitigate these security risks, advising customers to update their Platform Initialization (PI) firmware to the latest available version.
For 3rd Gen EPYC processors, AMD recommends updating to MilanPI 1.0.0.C (2023-12-18), while 4th Gen EPYC processors require GenoaPI 1.0.0.C (2024-04-04) and SEV FW 1.55.36 (2024-04-23).
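A fleet check against the fixed versions listed above can be scripted. The following is an added example, not AMD tooling or code from the bulletin. The inventory field names (`pi`, `sev_fw`) and host names are hypothetical, and it assumes each dot-separated PI field orders as a base-36 value, so that 1.0.0.9 sorts before 1.0.0.A and 1.0.0.C.

```python
import re

# Minimum fixed versions as listed in the article.
MIN_PI = {"MilanPI": "1.0.0.C", "GenoaPI": "1.0.0.C"}
MIN_SEV_FW = {"GenoaPI": "1.55.36"}  # SEV FW floor is given for 4th Gen only

def pi_key(version):
    # Assumption: every dot-separated field is one base-36 value (9 < A < B < C).
    return tuple(int(field, 36) for field in version.strip().split("."))

def sev_key(version):
    # SEV firmware is written major.minor.build, all decimal.
    return tuple(int(field) for field in version.strip().split("."))

def assess(host):
    """Return findings for one inventory record; an empty list means patched."""
    m = re.fullmatch(r"(MilanPI|GenoaPI)(?:-\S+)?\s+(\S+)", host.get("pi", "").strip())
    if not m:
        return ["PI string not recognised, verify manually"]  # fail closed
    family, pi_version = m.groups()
    findings = []
    try:
        if pi_key(pi_version) < pi_key(MIN_PI[family]):
            findings.append(f"{family} {pi_version} is older than {MIN_PI[family]}")
    except ValueError:
        findings.append(f"cannot parse PI version {pi_version!r}")
    if family in MIN_SEV_FW:
        sev = host.get("sev_fw")
        try:
            if sev is None:
                findings.append("SEV FW version missing from inventory")
            elif sev_key(sev) < sev_key(MIN_SEV_FW[family]):
                findings.append(f"SEV FW {sev} is older than {MIN_SEV_FW[family]}")
        except ValueError:
            findings.append(f"cannot parse SEV FW version {sev!r}")
    return findings

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"host": "milan-01", "pi": "MilanPI 1.0.0.C"},
    {"host": "milan-02", "pi": "MilanPI 1.0.0.9"},
    {"host": "genoa-01", "pi": "GenoaPI 1.0.0.C", "sev_fw": "1.55.36"},
    {"host": "genoa-02", "pi": "GenoaPI 1.0.0.D", "sev_fw": "1.55.29"},
    {"host": "genoa-03", "pi": "GenoaPI 1.0.0.B"},
]

def report(inventory=INVENTORY):
    return {h["host"]: assess(h) for h in inventory}

if __name__ == "__main__":
    for host, findings in report().items():
        print(host, "OK" if not findings else "; ".join(findings))
```

A host that reports a current PI package can still be flagged, as `genoa-02` is here, because the SEV firmware floor is checked separately from the PI version.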
Organizations relying on AMD EPYC processors should immediately coordinate with their OEM vendors to apply the necessary BIOS and firmware updates. AMD stresses the importance of patching, noting that “mitigations have been provided in AMD EPYC™ Platform Initialization (PI) firmware packages” and should be deployed as soon as possible.
As exploitation of these vulnerabilities requires privileged access, AMD notes that systems implementing strong security controls—including least privilege access and secure firmware update practices—can further reduce their risk exposure.
For further details and update instructions, organizations should refer to AMD’s official security bulletin.