Image Credit: AMD
AMD has released security updates addressing multiple vulnerabilities in its EPYC and Ryzen Embedded processors, some of which could allow arbitrary code execution, memory corruption, or privilege escalation. The most severe vulnerabilities carry a CVSS score of 7.5 (High) and impact various System Management Mode (SMM), Secure Encrypted Virtualization (SEV), and firmware components.
The security bulletin lists ten vulnerabilities affecting AMD’s embedded processor lineup. Among them, the most severe issues—CVE-2023-31342, CVE-2023-31343, and CVE-2023-31345—each carry a CVSS score of 7.5 (High) and stem from improper input validation in the SMM handler. According to AMD, these vulnerabilities “may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.”
Another high-risk vulnerability, CVE-2023-31352 (CVSS 6.0, Medium), affects SEV firmware, which AMD warns “may allow an attacker with privileges to read unencrypted memory, potentially resulting in loss of guest private data.”
Other notable vulnerabilities include:
- CVE-2023-20515 (CVSS 5.7, Medium): Improper access control in the fTPM driver could let a privileged attacker corrupt system memory, compromising data integrity.
- CVE-2023-20582 (CVSS 5.3, Medium): Flaws in the IOMMU could allow attackers to bypass RMP checks in SEV-SNP, impacting guest memory security.
- CVE-2023-31356 (CVSS 4.4, Medium): Incomplete system memory cleanup in SEV firmware could corrupt guest private memory, affecting data integrity.
AMD has confirmed that these vulnerabilities impact EPYC Embedded 3000, 7002, 7003, 9004 series, as well as Ryzen Embedded R1000, R2000, 5000, 7000, V1000, V2000, and V3000 series.
To address these security risks, AMD recommends updating Platform Initialization (PI) firmware. Some of the key firmware updates include:
- EmbMilanPI-SP3 1.0.0.8 (2024-01-15) for EPYC Embedded 7003
- EmbGenoaPI-SP5 1.0.0.7 (2024-07-15) for EPYC Embedded 9004
- EmbeddedPI-FP5 1.2.0.C (2024-06-14) for Ryzen Embedded R1000
- EmbeddedAM5PI 1.0.0.1 (2024-07-31) for Ryzen Embedded 7000
AMD advises all customers and vendors using affected embedded processors to:
- Apply the latest firmware updates as soon as possible to mitigate potential exploitation.
- Work with OEM vendors to ensure BIOS and firmware patches are properly deployed.
- Enforce strict access control policies to prevent unauthorized firmware modifications.
Related Posts:
- AMD: CPU security patch for Ryzen and EPYC processors come on this week
- AMD discloses over 50 vulnerabilities that affect EPYC processor and Radeon graphics driver
- AMD Extends Security Patch for RYZEN 3000, Addressing Critical SMM Vulnerability
- AMD push security update to patch 13 security vulnerabilities
