AMD Discloses 31 New CPU Vulnerabilities, Issues Patch Guidance

In its January update, AMD revealed 31 new CPU vulnerabilities across its consumer Ryzen chips and EPYC datacenter processors. The vulnerability update also includes a list of AGESA versions and mitigations for affected processors. AMD revealed the vulnerabilities in a coordinated disclosure with multiple researchers, including teams from Google, Apple, and Oracle.

AMD has listed the various AGESA revisions it has issued to OEMs to patch the vulnerabilities (AGESA code is used to build BIOS/UEFI code). However, the availability of new BIOS patches containing the new AGESA code is vendor dependent. This means that you should contact your motherboard or system vendor to see if they have posted a newer BIOS revision with the correct AGESA code.

Some systems are not updated, as is sometimes seen with older systems. It also looks like there are still no mitigations for some of the affected models, but we’re following up with AMD and will update as soon as we know more.

The vulnerabilities include three new variants for consumer Ryzen desktop, HEDT, Pro, and mobile processors. One of the vulnerabilities is rated high severity and the other two are rated medium or low severity. These vulnerabilities can be exploited by BIOS hacking or by attacking the AMD Secure Processor (ASP) bootloader.

The vulnerabilities span the Ryzen 2000 series Pinnacle Ridge desktop chips and the 2000 and 5000 series APU product lines with integrated graphics (Raven Ridge, Cezanne). Additionally, AMD’s Threadripper 2000 and 3000 series HEDT and Pro processors are affected, along with numerous Ryzen 2000, 3000, 5000, 6000 and Athlon 3000 series mobile processors.

AMD also listed 28 vulnerabilities in EPYC processors, 4 of which are of high severity. Three of the high-severity variants allow execution of arbitrary code through various attack vectors, while one allows writing data to specific regions, which can lead to loss of data integrity and availability. Researchers also found 15 other vulnerabilities rated medium severity and 9 rated low severity.

According to AMD, its vulnerability disclosures are typically published twice a year, in May and November, but due to the relatively large number of new vulnerabilities and the timing of mitigations, it decided to publish some in January.

AMD’s chips have fewer known vulnerabilities than Intel’s models. However, it’s hard to tell whether the initially limited discoveries in AMD processors were due to a security-first approach to hardened processor design, or whether researchers and attackers simply focused on Intel’s processors because of their overwhelming market share. Attackers almost always go after the widest possible cross-section.

As such, AMD’s recent success in taking market share from Intel, especially in the security-conscious data center market, will lead researchers to look to AMD’s architectures for potential security gaps. AMD also recently disclosed several other new vulnerabilities, including a Meltdown-like variant, Hertzbleed, and Take A Way, which require software recoding.

We are following up with AMD on some of the lists as some processors do not appear to be patched yet.
