amds processor lineup includes ryzen and epyc processors contain 31 vulnerabilities
amds processor lineup includes ryzen and epyc processors contain 31 vulnerabilities

Thirty-one security flaws, including ones affecting Ryzen and EPYC CPUs, were discovered in AMD’s processors, the company stated in its most significant recent January update.

AMD hit with 31 new vulnerabilities to start 2023, affecting Ryzen & EPYC CPU lines

The company has developed various mitigations to protect visible processors. It has also made public a report it collaborated on with team members from three leading corporations: Apple, Google, and Oracle. The business also disclosed several AGESA variants included in the update (AGESA code is present in the system’s BIOS and UEFI code).

Due to the vulnerability’s nature, the AGESA variations have been sent to OEMs. Therefore, any trying to patch will rely heavily on each seller making it available as soon as possible. Instead of waiting for the business to slide out the report soon, users should check the seller’s official website to see whether there is the latest update that can be downloaded.

amds processor lineup includes ryzen and epyc processors contain 31 vulnerabilities list

AMD’s Ryzen desktop processor models, HEDT, Pro, and mobile CPU series are all susceptible to this new attack. One security flaw is classified as having “high severity,” whereas two others would be less serious but still need to be patched. Every security flaw is attacked via the BIOS and ASP bootloader, known as the AMD Secure Processor bootloader.

The following AMD CPU series are weak points:

  • Processors from the Ryzen 2000 (Pinnacle Ridge) series
  • Ryzen 2k CPUs
  • 5000 Ryzen APUs
  • Server processor series AMD Threadripper 2000 HEDT and Pro
  • series of AMD Threadripper 3000 server processors, HEDT and Pro
  • mobile Ryzen 2000 series processors
  • mobile Ryzen 3000 series processors
  • mobile Ryzen 5000 series processors
  • mobile Ryzen 6000 series processors
  • mobile Athlon 3000 series processors

28 AMD security breaches affect EPYC processors, four of which the company has rated as having “high severity.” The three considered high severity might contain arbitrary code that may be run via various attack vectors. Additionally, one of the three mentioned has a further exploit that enables writing data to particular sections, resulting in data loss. Other research teams discovered nine security flaws with lower risk and another fifteen with moderate severity.

The company decided to reveal this latest security risk list, typically released in May and November per year, to ensure that mitigation techniques were ready to be removed due to the significant number of vulnerable processors exploited. Other flaws in AMD software include a Hertzbleed variant, another that functions similarly to the Meltdown exploit, and a spot dubbed “Take A Way.”

CVESeverityCVE Description
CVE‑2021‑26316HighFailure to validate the communication buffer and communication service in the BIOS may allow an attacker to tamper with the buffer resulting in potential SMM (System Management Mode) arbitrary code execution.
CVE‑2021‑26346MediumFailure to validate the integer operand in ASP (AMD Secure Processor) bootloader may allow an attacker to introduce an integer overflow in the L2 directory table in SPI flash resulting in a potential denial of service.
CVE‑2021‑46795LowA TOCTOU (time-of-check to time-of-use) vulnerability exists where an attacker may use a compromised BIOS to cause the TEE OS to read memory out of bounds that could potentially result in a denial of service.

DESKTOP

CVEAMD Ryzen™ 2000 series Desktop Processors
“Raven Ridge” AM4
AMD Ryzen™ 2000 Series Desktop Processors
“Pinnacle Ridge”
AMD Ryzen™ 3000 Series Desktop Processors
“Matisse” AM4
AMD Ryzen™ 5000 Series Desktop Processors
“Vermeer” AM4
AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics
“Cezanne” AM4
Minimum version to mitigate all listed CVEsRaven-FP5-AM4 1.1.0.D
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
PinnaclePI-AM4 1.0.0.C
PinnaclePI-AM4 1.0.0.C
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
N/AN/AComboAM4v2 PI 1.2.0.8
CVE‑2021‑26316Raven-FP5-AM4 1.1.0.D
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
PinnaclePI-AM4 1.0.0.C
PinnaclePI-AM4 1.0.0.C
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
N/AN/AComboAM4v2 PI 1.2.0.4
CVE‑2021‑26346N/AN/AN/AN/AComboAM4v2 PI 1.2.0.8
CVE‑2021‑46795N/AN/AN/AN/AComboAM4v2 PI 1.2.0.5

HIGH END DESKTOP

CVE2nd Gen AMD Ryzen™ Threadripper™ Processors
“Colfax”
3rd Gen AMD Ryzen™ Threadripper™ Processors
“Castle Peak” HEDT
Minimum version to mitigate all listed CVEsSummitPI-SP3r2 1.1.0.5CastlePeakPI-SP3r3 1.0.0.6
CVE‑2021‑26316SummitPI-SP3r2 1.1.0.5CastlePeakPI-SP3r3 1.0.0.6
CVE‑2021‑26346N/AN/A
CVE‑2021‑46795N/AN/A

WORKSTATION

CVEAMD Ryzen™ Threadripper™ PRO Processors
“Castle Peak” WS
AMD Ryzen™ Threadripper™ PRO Processors
“Chagall” WS
Minimum version to mitigate all listed CVEsCastlePeakWSPI-sWRX8 1.0.0.7
ChagallWSPI-sWRX8 0.0.9.0
N/A
CVE‑2021‑26316CastlePeakWSPI-sWRX8 1.0.0.7
ChagallWSPI-sWRX8 0.0.9.0
N/A
CVE‑2021‑26346N/AN/A
CVE‑2021‑46795N/AN/A

MOBILE – AMD Athlon Series

CVEAMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics
“Dali”/”Dali” ULP
AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics
“Pollock”
Minimum version to mitigate all listed CVEsPicassoPI-FP5 1.0.0.DPollockPI-FT5 1.0.0.3
CVE‑2021‑26316PicassoPI-FP5 1.0.0.DPollockPI-FT5 1.0.0.3
CVE‑2021‑26346N/AN/A
CVE‑2021‑46795N/AN/A

MOBILE – AMD Ryzen Series

CVEAMD Ryzen™ 2000 Series Mobile Processors
“Raven Ridge” FP5
AMD Ryzen™ 3000 Series Mobile processor, 2nd Gen AMD Ryzen™ Mobile Processors with Radeon™ Graphics
“Picasso”
AMD Ryzen™ 3000 Series Mobile Processors with Radeon™ Graphics
“Renoir” FP6
AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics
“Lucienne”
AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics
“Cezanne”
AMD Ryzen™ 6000 Series Mobile Processors
“Rembrandt”
Minimum version to mitigate all listed CVEsN/APicassoPI-FP5 1.0.0.D ComboAM4PI 1.0.0.8  ComboAM4v2 PI 1.2.0.4RenoirPI-FP6 1.0.0.9
ComboAM4v2 PI 1.2.0.8
CezannePI-FP6 1.0.0.BCezannePI-FP6 1.0.0.BN/A
CVE‑2021‑26316N/APicassoPI-FP5 1.0.0.D ComboAM4PI 1.0.0.8  ComboAM4v2 PI 1.2.0.4RenoirPI-FP6 1.0.0.7 ComboAM4v2 PI 1.2.0.4CezannePI-FP6 1.0.0.6CezannePI-FP6 1.0.0.6N/A
CVE‑2021‑26346N/AN/ARenoirPI-FP6 1.0.0.9
ComboAM4v2 PI 1.2.0.8
CezannePI-FP6 1.0.0.BCezannePI-FP6 1.0.0.BN/A
CVE‑2021‑46795N/AN/ARenoirPI-FP6 1.0.0.7 ComboAM4v2 PI 1.2.0.5CezannePI-FP6 1.0.0.6CezannePI-FP6 1.0.0.6N/A

News Source: wccftech.com

LEAVE A REPLY

Please enter your comment!
Please enter your name here