AMD Revealed 31 Vulnerabilities Within Its Processor Lines, Ryzen & EPYC CPUs Included

AMD revealed in the latest January replace that thirty-one new vulnerabilities had been present in its processors, masking Ryzen and EPYC CPUs.

AMD hit with 31 new vulnerabilities to begin 2023, affecting Ryzen & EPYC CPU strains

The firm has created quite a few mitigations to alleviate the uncovered processors and has additionally disclosed a report from the corporate in cooperation with groups from three prime corporations — Apple, Google, and Oracle. The firm additionally introduced a number of AGESA variants listed within the replace (AGESA code is discovered when constructing the system’s BIOS and UEFI code).

Due to the vulnerability’s nature, the AGESA adjustments have been delivered to OEMs, and any patching will rely on every vendor to launch it as quickly as doable. It could be smart for shoppers to go to the seller’s official web site to search out out if there’s a new replace ready for obtain relatively than ready for the corporate to roll it out later.

AMD hit with 31 new vulnerabilities to start 2023, affecting Ryzen & EPYC CPU lines 1

AMD Processors weak to this new assault embrace Ryzen fashions for desktops, HEDT, Pro, and cellular CPU sequence. There is a single vulnerability labeled as “excessive severity,” whereas two others are much less excessive however nonetheless necessary to patch. All exposures are attacked by means of the BIOS and ASP bootloader (also called the AMD Secure Processor bootloader).

AMD CPU sequence which might be weak are:

  • Ryzen 2000 (Pinnacle Ridge) sequence processors
  • Ryzen 2000 APUs
  • Ryzen 5000 APUs
  • AMD Threadripper 2000 HEDT and Pro server processor sequence
  • AMD Threadripper 3000 HEDT and Pro server processor sequence
  • Ryzen 2000 sequence cellular processors
  • Ryzen 3000 sequence cellular processors
  • Ryzen 5000 sequence cellular processors
  • Ryzen 6000 sequence cellular processors
  • Athlon 3000 sequence cellular processors

Twenty-eight AMD vulnerabilities have been found affecting EPYC processors, with 4 fashions labeled with a “excessive severity” by the corporate. The three of excessive severity can have arbitrary code that may be executed by means of assault vectors in quite a few areas. Also, one of many three listed has a further exploit that permits writing information to particular sections resulting in information loss. Other analysis groups discovered one other fifteen vulnerabilities with decrease severity and 9 with minor severity.

Because of the massive variety of affected processors exploited, the corporate selected to reveal this current vulnerability record that might sometimes be revealed in May and November annually and make it possible for mitigations had been ready for launch. Other vulnerabilities inside AMD merchandise embrace a variant of Hertzbleed, one other that acts equally to the Meltdown exploit, and one referred to as “Take A Way.”

(*31*)

DESKTOP

CVE Severity CVE Description
CVE‑2021‑26316 High Failure to validate the communication buffer and communication service within the BIOS could permit an attacker to tamper with the buffer leading to potential SMM (System Management Mode) arbitrary code execution.
CVE‑2021‑26346 Medium Failure to validate the integer operand in ASP (AMD Secure Processor) bootloader could permit an attacker to introduce an integer overflow within the L2 listing desk in SPI flash leading to a possible denial of service.
CVE‑2021‑46795 Low A TOCTOU (time-of-check to time-of-use) vulnerability exists the place an attacker could use a compromised BIOS to trigger the TEE OS to learn reminiscence out of bounds that would doubtlessly end in a denial of service.

(*31*)

HIGH END DESKTOP

CVE AMD Ryzen™ 2000 sequence Desktop Processors
“Raven Ridge” AM4
AMD Ryzen™ 2000 Series Desktop Processors
Pinnacle Ridge
AMD Ryzen™ 3000 Series Desktop Processors
“Matisse” AM4
AMD Ryzen™ 5000 Series Desktop Processors
“Vermeer” AM4
AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics
“Cezanne” AM4
Minimum model to mitigate all listed CVEs Raven-FP5-AM4 1.1.0.D
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
PinnaclePI-AM4 1.0.0.C
PinnaclePI-AM4 1.0.0.C
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
N/A N/A ComboAM4v2 PI 1.2.0.8
CVE‑2021‑26316 Raven-FP5-AM4 1.1.0.D
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
PinnaclePI-AM4 1.0.0.C
PinnaclePI-AM4 1.0.0.C
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
N/A N/A ComboAM4v2 PI 1.2.0.4
CVE‑2021‑26346 N/A N/A N/A N/A ComboAM4v2 PI 1.2.0.8
CVE‑2021‑46795 N/A N/A N/A N/A ComboAM4v2 PI 1.2.0.5

(*31*)

WORKSTATION

CVE 2nd Gen AMD Ryzen™ Threadripper™ Processors
Colfax
third Gen AMD Ryzen™ Threadripper™ Processors
“Castle Peak” HEDT
Minimum model to mitigate all listed CVEs SummitPI-SP3r2 1.1.0.5 CastlePeakPI-SP3r3 1.0.0.6
CVE‑2021‑26316 SummitPI-SP3r2 1.1.0.5 CastlePeakPI-SP3r3 1.0.0.6
CVE‑2021‑26346 N/A N/A
CVE‑2021‑46795 N/A N/A

(*31*)

MOBILE – AMD Athlon Series

CVE AMD Ryzen™ Threadripper™ PRO Processors
“Castle Peak” WS
AMD Ryzen™ Threadripper™ PRO Processors
“Chagall” WS
Minimum model to mitigate all listed CVEs CastlePeakWSPI-sWRX8 1.0.0.7
ChagallWSPI-sWRX8 0.0.9.0
N/A
CVE‑2021‑26316 CastlePeakWSPI-sWRX8 1.0.0.7
ChagallWSPI-sWRX8 0.0.9.0
N/A
CVE‑2021‑26346 N/A N/A
CVE‑2021‑46795 N/A N/A

(*31*)

MOBILE – AMD Ryzen Series

CVE AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics
“Dali”/”Dali” ULP
AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics
Pollock
Minimum model to mitigate all listed CVEs PicassoPI-FP5 1.0.0.D PollockPI-FT5 1.0.0.3
CVE‑2021‑26316 PicassoPI-FP5 1.0.0.D PollockPI-FT5 1.0.0.3
CVE‑2021‑26346 N/A N/A
CVE‑2021‑46795 N/A N/A

(*31*)

News Sources: Tom’s Hardware, AMD Client Vulnerabilities – January 2023, AMD Server Vulnerabilities – January 2023

Share this story

Facebook

Twitter

Leave a Comment

CVE AMD Ryzen™ 2000 Series Mobile Processors
Raven Ridge FP5
AMD Ryzen™ 3000 Series Mobile processor, 2nd Gen AMD Ryzen™ Mobile Processors with Radeon™ Graphics
“Picasso”
AMD Ryzen™ 3000 Series Mobile Processors with Radeon™ Graphics
“Renoir” FP6
AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics
“Lucienne”
AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics
“Cézanne”
AMD Ryzen™ 6000 Series Mobile Processors
“Rembrandt”
Minimum model to mitigate all listed CVEs N/A PicassoPI-FP5 1.0.0.D ComboAM4PI 1.0.0.8 ComboAM4v2 PI 1.2.0.4 RenoirPI-FP6 1.0.0.9
ComboAM4v2 PI 1.2.0.8
CezannePI-FP6 1.0.0.B CezannePI-FP6 1.0.0.B N/A
CVE‑2021‑26316 N/A PicassoPI-FP5 1.0.0.D ComboAM4PI 1.0.0.8 ComboAM4v2 PI 1.2.0.4 RenoirPI-FP6 1.0.0.7 ComboAM4v2 PI 1.2.0.4 CezannePI-FP6 1.0.0.6 CezannePI-FP6 1.0.0.6 N/A
CVE‑2021‑26346 N/A N/A RenoirPI-FP6 1.0.0.9
ComboAM4v2 PI 1.2.0.8
CezannePI-FP6 1.0.0.B CezannePI-FP6 1.0.0.B N/A
CVE‑2021‑46795 N/A N/A RenoirPI-FP6 1.0.0.7 ComboAM4v2 PI 1.2.0.5 CezannePI-FP6 1.0.0.6 CezannePI-FP6 1.0.0.6 N/A
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Performance
Analytics
Advertisement
Others