Amd.com | AMD-SB-4003
Aug 08, 2023 - 12:00 a.m.

SMM Memory Corruption Vulnerability


CVSS3: 7.8 High

| Metric | Value |
|---|---|
| Attack Vector | LOCAL |
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.0004 Low (Percentile: 5.1%)

Bulletin ID: AMD-SB-4003

Potential Impact: Arbitrary Code Execution

Severity: High

Summary

SMM memory corruption vulnerability in SMM driver on some AMD Processors.

CVE-2023-20555

Insufficient input validation in CpmDisplayFeatureSmm may allow an attacker to corrupt SMM memory by overwriting an arbitrary bit in an attacker-controlled pointer potentially leading to arbitrary code execution in SMM.

CVE Details

| CVE | Severity | CVE Description |
|---|---|---|
| CVE-2023-20555 | High | Insufficient input validation in CpmDisplayFeatureSmm may allow an attacker to corrupt SMM memory by overwriting an arbitrary bit in an attacker-controlled pointer potentially leading to arbitrary code execution in SMM. |
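
An added illustration of the bug class the CVE description names: a handler that sets a bit through a caller-supplied pointer without checking it against SMRAM, next to a checked version. This is a constructed user-space model, not AMD's CpmDisplayFeatureSmm code; the memory layout, the `smi_request` struct and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not AMD code: a 16 KiB "physical memory" whose top
 * 4 KiB stands in for SMRAM. All names and addresses are hypothetical. */
#define MEM_SIZE   0x4000u
#define SMRAM_BASE 0x3000u
#define SMRAM_SIZE 0x1000u
static uint8_t phys_mem[MEM_SIZE];

/* Hypothetical request the OS places in the SMI communication buffer. */
typedef struct {
    uint64_t flag_addr; /* caller-controlled address of a status byte */
    uint8_t  bit;       /* bit the handler sets in that byte */
} smi_request;

/* True only if [addr, addr+len) is real memory and does not overlap SMRAM.
 * Written without computing addr+len, so a huge addr cannot wrap the check. */
static bool outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr >= MEM_SIZE || len > MEM_SIZE - addr)
        return false;
    if (addr >= SMRAM_BASE + SMRAM_SIZE)       /* entirely above SMRAM */
        return true;
    return addr < SMRAM_BASE && len <= SMRAM_BASE - addr; /* entirely below */
}

/* Bug class: trusts flag_addr, so the write can land inside SMRAM. */
int handler_unchecked(const smi_request *r)
{
    phys_mem[r->flag_addr] |= (uint8_t)(1u << (r->bit & 7));
    return 0;
}

/* Hardened: copy the request first (the caller can change the shared buffer
 * between check and use), validate the copy, then write. */
int handler_checked(const volatile smi_request *shared)
{
    smi_request r = { shared->flag_addr, shared->bit };
    if (r.bit > 7 || !outside_smram(r.flag_addr, 1))
        return -1;                             /* reject, touch nothing */
    phys_mem[r.flag_addr] |= (uint8_t)(1u << r.bit);
    return 0;
}
```

In EDK II based firmware, SmmMemLib's `SmmIsBufferOutsideSmmValid()` performs this kind of range check for SMI handlers.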

Mitigation

The AGESA™ firmware versions listed below have been released to the Original Equipment Manufacturers (OEM) to mitigate these issues. Please refer to your OEM for the BIOS update specific to your product.

Desktop

| CVE | AMD Ryzen™ 3000 Series Desktop Processors “Matisse” AM4 | AMD Ryzen™ 5000 Series Desktop Processors “Vermeer” AM4 | AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics “Cezanne” AM4 | AMD Ryzen™ 7000 Series Processors “Raphael” | AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics “Picasso” | AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics “Renoir” FP5 |
|---|---|---|---|---|---|---|
| CVE-2023-20555 | ComboAM4 PI V1 1.0.0.A (2023-03-17); ComboAM4V2 PI 1.2.0.A (2023-03-21) | ComboAM4 V2 PI 1.2.0.A (2023-03-21) | ComboAM4v2 PI 1.2.0.A (2023-03-21) | ComboAM5 1.0.0.6 (2023-02-24) | ComboAM4PIv1 1.0.0.A (2023-3-17); ComboAM4V2 1.2.0.A (2023-03-21) | ComboAM4V2 1.2.0.A (2023-03-21) |

High End Desktop (HEDT)

| CVE | AMD Ryzen™ Threadripper™ 2000 Series Processors “Colfax” | AMD Ryzen™ Threadripper™ 3000 Series Processors “Castle Peak” HEDT |
|---|---|---|
| CVE-2023-20555 | Not affected | Not affected |

Workstation

| CVE | AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors “Castle Peak” WS SP3 | AMD Ryzen™ Threadripper™ PRO Processors “Chagall” WS |
|---|---|---|
| CVE-2023-20555 | Not affected | Not affected |

Mobile - AMD Athlon™ Series

| CVE | AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics “Dali”/“Dali” FP5 | AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics “Pollock” |
|---|---|---|
| CVE-2023-20555 | PicassoPI-FP5 1.0.0.F (2023-03-23) | PollockPI-FT5 1.0.0.5 (2023-03-23) |

Mobile - AMD Ryzen™ Series

| CVE | AMD Ryzen™ 3000 Series Mobile Processors with Radeon™ Graphics “Picasso” | AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics “Renoir” FP6 | AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics “Lucienne” | AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics “Cezanne” |
|---|---|---|---|---|
| CVE-2023-20555 | PicassoPI-FP5 1.0.0.F (2023-03-23); ComboAM4PIv1 1.0.0.A (2023-03-17); ComboAM4V2 1.2.0.A (2023-03-21) | RenoirPI-FP6 1.0.0.B (2023-2-10); ComboAM4V2 1.2.0.A (2023-03-21) | CezannePI-FP6 1.0.0.E (2023-03-19) | CezannePI-FP6 1.0.0.E (2023-03-19) |

| CVE | AMD Ryzen™ 6000 Series Mobile Processors “Rembrandt” | AMD Ryzen™ 7030 Series Mobile Processors “Barcelo” | AMD Ryzen™ 7020 Series Mobile Processors “Mendocino” |
|---|---|---|---|
| CVE-2023-20555 | RembrandtPI-FP7 1.0.0.8 (2023-03-01) | CezannePI-FP6 1.0.0.E (2023-03-19) | MendocinoPI-FT6 1.0.0.5 (2023-03-09) |

Embedded

| CVE | AMD Ryzen™ Embedded R1000 | AMD Ryzen™ Embedded R2000 | AMD Ryzen™ Embedded 5000 |
|---|---|---|---|
| CVE-2023-20555 | EmbeddedPI-FP5 1.2.0.A (2023-07-31) | EmbeddedPI-FP5 1.0.0.2 (2023-07-31) | EmbAM4PI 1.0.0.3 (2023-07-31) |

CVE AMD Ryzen™ Embedded R1000 AMD Ryzen™ Embedded R2000 AMD Ryzen™ Embedded 5000
CVE-2023-20555 **All V1000 OPNs
excluding
YE1500C4T4MFH** YE1500C4T4MFH EmbeddedPI-FP6
1.0.0.8
(2023-07-31) EmbeddedPI-FP7r2
1.0.0.5
(2023-07-28)
EmbeddedPI-FP5
1.2.0.B
(2024-01-15)
