AMD revealed in the latest January replace that thirty-one new vulnerabilities had been present in its processors, protecting Ryzen and EPYC CPUs.

AMD hit with 31 new vulnerabilities to start out 2023, affecting Ryzen & EPYC CPU traces

The corporate has created quite a few mitigations to alleviate the uncovered processors and has additionally disclosed a report from the corporate in cooperation with groups from three high corporations — Apple, Google, and Oracle. The corporate additionally introduced a number of AGESA variants listed within the replace (AGESA code is discovered when constructing the system’s BIOS and UEFI code).

Because of the vulnerability’s nature, the AGESA modifications have been delivered to OEMs, and any patching will rely on every vendor to launch it as quickly as doable. It will be sensible for shoppers to go to the seller’s official web site to search out out if there’s a new replace ready for obtain relatively than ready for the corporate to roll it out later.

AMD Revealed 31 Vulnerabilities Inside Its Processor Strains, Ryzen & EPYC CPUs Included AMD hit with 31 new vulnerabilities to start 2023, affecting Ryzen & EPYC CPU lines 1

AMD Processors susceptible to this new assault embrace Ryzen fashions for desktops, HEDT, Professional, and cellular CPU collection. There’s a single vulnerability labeled as “excessive severity,” whereas two others are much less excessive however nonetheless essential to patch. All exposures are attacked by means of the BIOS and ASP bootloader (also called the AMD Safe Processor bootloader).

AMD CPU collection which might be susceptible are:

  • Ryzen 2000 (Pinnacle Ridge) collection processors
  • Ryzen 2000 APUs
  • Ryzen 5000 APUs
  • AMD Threadripper 2000 HEDT and Professional server processor collection
  • AMD Threadripper 3000 HEDT and Professional server processor collection
  • Ryzen 2000 collection cellular processors
  • Ryzen 3000 collection cellular processors
  • Ryzen 5000 collection cellular processors
  • Ryzen 6000 collection cellular processors
  • Athlon 3000 collection cellular processors

Twenty-eight AMD vulnerabilities have been found affecting EPYC processors, with 4 fashions labeled with a “excessive severity” by the corporate. The three of excessive severity can have arbitrary code that may be executed by means of assault vectors in quite a few areas. Additionally, one of many three listed has a further exploit that allows writing information to particular sections resulting in information loss. Different analysis groups discovered one other fifteen vulnerabilities with decrease severity and 9 with minor severity.

Due to the massive variety of affected processors exploited, the corporate selected to reveal this current vulnerability listing that might sometimes be printed in Could and November every year and ensure that mitigations had been ready for launch. Different vulnerabilities inside AMD merchandise embrace a variant of Hertzbleed, one other that acts equally to the Meltdown exploit, and one known as “Take A Approach.”

CVE Severity CVE Description
CVE‑2021‑26316 Excessive Failure to validate the communication buffer and communication service within the BIOS might enable an attacker to tamper with the buffer leading to potential SMM (System Administration Mode) arbitrary code execution.
CVE‑2021‑26346 Medium Failure to validate the integer operand in ASP (AMD Safe Processor) bootloader might enable an attacker to introduce an integer overflow within the L2 listing desk in SPI flash leading to a possible denial of service.
CVE‑2021‑46795 Low A TOCTOU (time-of-check to time-of-use) vulnerability exists the place an attacker might use a compromised BIOS to trigger the TEE OS to learn reminiscence out of bounds that might doubtlessly end in a denial of service.

DESKTOP

CVE AMD Ryzen™ 2000 collection Desktop Processors
“Raven Ridge” AM4
AMD Ryzen™ 2000 Sequence Desktop Processors
“Pinnacle Ridge”
AMD Ryzen™ 3000 Sequence Desktop Processors
“Matisse” AM4
AMD Ryzen™ 5000 Sequence Desktop Processors
“Vermeer” AM4
AMD Ryzen™ 5000 Sequence Desktop Processor with Radeon™ Graphics
“Cezanne” AM4
Minimal model to mitigate all listed CVEs Raven-FP5-AM4 1.1.0.D
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
PinnaclePI-AM4 1.0.0.C
PinnaclePI-AM4 1.0.0.C
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
N/A N/A ComboAM4v2 PI 1.2.0.8
CVE‑2021‑26316 Raven-FP5-AM4 1.1.0.D
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
PinnaclePI-AM4 1.0.0.C
PinnaclePI-AM4 1.0.0.C
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
N/A N/A ComboAM4v2 PI 1.2.0.4
CVE‑2021‑26346 N/A N/A N/A N/A ComboAM4v2 PI 1.2.0.8
CVE‑2021‑46795 N/A N/A N/A N/A ComboAM4v2 PI 1.2.0.5

HIGH END DESKTOP

CVE 2nd Gen AMD Ryzen™ Threadripper™ Processors
“Colfax”
third Gen AMD Ryzen™ Threadripper™ Processors
“Fort Peak” HEDT
Minimal model to mitigate all listed CVEs SummitPI-SP3r2 1.1.0.5 CastlePeakPI-SP3r3 1.0.0.6
CVE‑2021‑26316 SummitPI-SP3r2 1.1.0.5 CastlePeakPI-SP3r3 1.0.0.6
CVE‑2021‑26346 N/A N/A
CVE‑2021‑46795 N/A N/A

WORKSTATION

CVE AMD Ryzen™ Threadripper™ PRO Processors
“Fort Peak” WS
AMD Ryzen™ Threadripper™ PRO Processors
“Chagall” WS
Minimal model to mitigate all listed CVEs CastlePeakWSPI-sWRX8 1.0.0.7
ChagallWSPI-sWRX8 0.0.9.0
N/A
CVE‑2021‑26316 CastlePeakWSPI-sWRX8 1.0.0.7
ChagallWSPI-sWRX8 0.0.9.0
N/A
CVE‑2021‑26346 N/A N/A
CVE‑2021‑46795 N/A N/A

MOBILE – AMD Athlon Sequence

CVE AMD Athlon™ 3000 Sequence Cellular Processors with Radeon™ Graphics
“Dali”/”Dali” ULP
AMD Athlon™ 3000 Sequence Cellular Processors with Radeon™ Graphics
“Pollock”
Minimal model to mitigate all listed CVEs PicassoPI-FP5 1.0.0.D PollockPI-FT5 1.0.0.3
CVE‑2021‑26316 PicassoPI-FP5 1.0.0.D PollockPI-FT5 1.0.0.3
CVE‑2021‑26346 N/A N/A
CVE‑2021‑46795 N/A N/A

MOBILE – AMD Ryzen Sequence

CVE AMD Ryzen™ 2000 Sequence Cellular Processors
“Raven Ridge” FP5
AMD Ryzen™ 3000 Sequence Cellular processor, 2nd Gen AMD Ryzen™ Cellular Processors with Radeon™ Graphics
“Picasso”
AMD Ryzen™ 3000 Sequence Cellular Processors with Radeon™ Graphics
“Renoir” FP6
AMD Ryzen™ 5000 Sequence Cellular Processors with Radeon™ Graphics
“Lucienne”
AMD Ryzen™ 5000 Sequence Cellular Processors with Radeon™ Graphics
“Cezanne”
AMD Ryzen™ 6000 Sequence Cellular Processors
“Rembrandt”
Minimal model to mitigate all listed CVEs N/A PicassoPI-FP5 1.0.0.D ComboAM4PI 1.0.0.8  ComboAM4v2 PI 1.2.0.4 RenoirPI-FP6 1.0.0.9
ComboAM4v2 PI 1.2.0.8
CezannePI-FP6 1.0.0.B CezannePI-FP6 1.0.0.B N/A
CVE‑2021‑26316 N/A PicassoPI-FP5 1.0.0.D ComboAM4PI 1.0.0.8  ComboAM4v2 PI 1.2.0.4 RenoirPI-FP6 1.0.0.7 ComboAM4v2 PI 1.2.0.4 CezannePI-FP6 1.0.0.6 CezannePI-FP6 1.0.0.6 N/A
CVE‑2021‑26346 N/A N/A RenoirPI-FP6 1.0.0.9
ComboAM4v2 PI 1.2.0.8
CezannePI-FP6 1.0.0.B CezannePI-FP6 1.0.0.B N/A
CVE‑2021‑46795 N/A N/A RenoirPI-FP6 1.0.0.7 ComboAM4v2 PI 1.2.0.5 CezannePI-FP6 1.0.0.6 CezannePI-FP6 1.0.0.6 N/A

Information Sources: Tom’s {Hardware}, AMD Shopper Vulnerabilities – January 2023, AMD Server Vulnerabilities – January 2023

Share this story

Fb

Twitter

Leave a Reply

Your email address will not be published. Required fields are marked *