High Alert: AMD Processors Hit by Multiple Security Flaws

CVE-2023-20576

In a recent disclosure, a series of potential vulnerabilities have come to light, affecting a range of AMD processors. AMD has taken these findings seriously, issuing CVEs alongside mitigation recommendations to safeguard users against these security gaps.

The vulnerabilities, identified as CVE-2023-20576, CVE-2023-20577, CVE-2023-20579, and CVE-2023-20587, carry a ‘High‘ severity rating. They expose users to risks such as denial of service, privilege escalation, and arbitrary code execution. These vulnerabilities stem from insufficient verification of data authenticity, heap overflow issues, and improper access control within AMD’s architecture.

CVE Severity CVE Description
CVE-2023-20576 High Insufficient Verification of Data Authenticity in AGESA™ may allow an attacker to update SPI ROM data potentially resulting in denial of service or privilege escalation.
CVE-2023-20577 High A heap overflow in the SMM module may allow an attacker with access to a second vulnerability that enables writing to SPI flash, potentially resulting in arbitrary code execution.
CVE-2023-20579 High Improper Access Control in the AMD SPI protection feature may allow a user with Ring0 (kernel mode) privileged access to bypass protections potentially resulting in loss of integrity and availability.
CVE-2023-20587 High Improper Access Control in System Management Mode (SMM) may allow an attacker access to the SPI flash potentially leading to arbitrary code execution.

AMD’s investigation into these findings suggests that the vulnerabilities primarily affect systems running outdated firmware or software, highlighting the critical importance of regular updates. In response, AMD has released updated firmware versions for its EPYC, Ryzen, Athlon, and Threadripper series processors, ensuring users can secure their devices against these vulnerabilities.

The security bulletin details the affected products, spanning from datacenter and desktop processors to mobile and embedded systems. AMD provides a comprehensive list of minimum firmware versions required to mitigate the identified vulnerabilities across its product lineup, emphasizing the company’s commitment to user security.

Users are urged to update their systems to the latest firmware and software versions available, adhering to best security practices.