Source: Amd.com, bulletin AMD-SB-7009
Feb 13, 2024 - 12:00 a.m.

AMD Processor Vulnerabilities

AI Score: 8.6 High (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.0%)

Bulletin ID: AMD-SB-7009

Potential Impact: Refer to the CVE Details section

Severity: Refer to the CVE Details section

Summary

Researchers disclosed multiple potential vulnerabilities that may impact some AMD processors.

AMD has assessed the researchers’ findings and is publishing CVEs and mitigation recommendations for any issues that were found to impact AMD platforms. AMD believes some of the findings were made on PCs running outdated firmware or software. As always, AMD recommends following security best practices, including keeping operating systems up-to-date and running the latest versions of firmware and software.

CVE Details

Refer to Glossary for explanation of terms

| CVE | Severity | CVE Description |
|---|---|---|
| CVE-2023-20576 | High | Insufficient Verification of Data Authenticity in AGESA™ may allow an attacker to update SPI ROM data potentially resulting in denial of service or privilege escalation. |
| CVE-2023-20577 | High | A heap overflow in SMM module may allow an attacker with access to a second vulnerability that enables writing to SPI flash, potentially resulting in arbitrary code execution. |
| CVE-2023-20579 | High | Improper Access Control in the AMD SPI protection feature may allow a user with Ring0 (kernel mode) privileged access to bypass protections potentially resulting in loss of integrity and availability. |
| CVE-2023-20587 | High | Improper Access Control in System Management Mode (SMM) may allow an attacker access to the SPI flash potentially leading to arbitrary code execution. |

Affected Products and Mitigation

DATACENTER

| CVE | Severity | 1st Gen AMD EPYC™ Processors | 2nd Gen AMD EPYC™ Processors | 3rd Gen AMD EPYC™ Processors | 4th Gen AMD EPYC™ Processors |
|---|---|---|---|---|---|
| Minimum version to mitigate all listed CVEs | | NaplesPI 1.0.0.K (2023-04-27) | RomePI 1.0.0.H (2023-11-07) | MilanPI 1.0.0.C (2023-12-18) | GenoaPI 1.0.0.8 (2023-06-09) |
| CVE-2023-20576 | High | Not affected | Not affected | Not affected | |
| CVE-2023-20577 | High | Not affected | RomePI 1.0.0.H (2023-11-07) | MilanPI 1.0.0.C (2023-12-18) | GenoaPI 1.0.0.8 (2023-06-09) |
| CVE-2023-20579 | High | Not affected | Not affected | Not affected | |
| CVE-2023-20587 | High | NaplesPI 1.0.0.K (2023-04-27) | RomePI 1.0.0.G (2023-05-05) | MilanPI 1.0.0.B (2023-06-14) | GenoaPI 1.0.0.2 (2022-10-04) |

DESKTOP

| CVE | Severity | AMD Ryzen™ 3000 Series Desktop Processors | AMD Ryzen™ 5000 Series Desktop Processors | AMD Ryzen™ 5000 Series Desktop Processors with Radeon™ Graphics | AMD Ryzen™ 7000 Series Processors | AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics | AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics |
|---|---|---|---|---|---|---|---|
| Minimum version to mitigate all listed CVEs | | ComboAM4v2 1.2.0.B (2023-08-25); ComboAM4 1.0.0.B (Target Mar 2024) | ComboAM4v2 1.2.0.B (2023-08-25) | ComboAM4v2PI 1.2.0.C (2024-02-07) | ComboAM5 1.0.8.0 (2023-8-29) | ComboAM4v2 1.2.0.B (2023-08-25); ComboAM4 1.0.0.B (Target Mar 2024) | ComboAM4v2PI 1.2.0.C (2024-02-07) |
| CVE-2023-20576 | High | ComboAM4v2 1.2.0.B (2023-08-25) | ComboAM4v2v 1.2.0.B (2023-08-25) | ComboAM4v2 1.2.0.B (2023-08-25) | ComboAM5 1.0.0.7b (2023-07-21) | Not affected | ComboAM4v2 1.2.0.B (2023-08-25) |
| CVE-2023-20577 | High | ComboAM4v2 1.2.0.B (2023-08-25); ComboAM4 1.0.0.B (Target Mar 2024) | ComboAM4v2 1.2.0.B (2023-08-25) | ComboAM4v2 1.2.0.B (2023-08-25) | ComboAM5 1.0.0.7b (2023-07-21) | ComboAM4v2 1.2.0.B (2023-08-25); ComboAM4 1.0.0.B (Target Mar 2024) | ComboAM4v2 1.2.0.B (2023-08-25) |
| CVE-2023-20579 | High | Not affected | Not affected | ComboAM4v2PI 1.2.0.C (2024-02-07) | ComboAM5 1.0.8.0 (2023-8-29) | Not affected | ComboAM4v2PI 1.2.0.C (2024-02-07) |
| CVE-2023-20587 | High | Not affected | Not affected | Not affected | Not affected | Not affected | Not affected |

HIGH END DESKTOP (HEDT)

| CVE | Severity | AMD Ryzen™ Threadripper™ 3000 Series Processors |
|---|---|---|
| Minimum version to mitigate all listed CVEs | | CastlePeakPI-SP3r3 1.0.0.A (2023-11-21) |
| CVE-2023-20576 | High | |
| CVE-2023-20577 | High | 1.0.0.A (2023-11-21) |
| CVE-2023-20579 | High | |
| CVE-2023-20587 | High | |

WORKSTATION

| CVE | Severity | AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors | AMD Ryzen™ Threadripper™ PRO 5000WX Processors |
|---|---|---|---|
| Minimum version to mitigate all listed CVEs | | ChagallWSPI-sWRX8 1.0.0.7 (2024-01-11); CastlePeakWSPI-sWRX8 1.0.0.C (2023-11-29) | ChagallWSPI-sWRX8 1.0.0.7 (2024-01-11) |
| CVE-2023-20576 | High | Not affected | ChagallWSPI-sWRX8 1.0.0.7 (2024-01-11) |
| CVE-2023-20577 | High | ChagallWSPI-sWRX8 1.0.0.7 (2024-01-11); CastlePeakWSPI-sWRX8 1.0.0.C (2023-11-29) | ChagallWSPI-sWRX8 1.0.0.7 (2024-01-11) |
| CVE-2023-20579 | High | Not affected | Not affected |
| CVE-2023-20587 | High | Not affected | Not affected |

MOBILE - AMD Athlon™ Series

| CVE | Severity | AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics | AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics |
|---|---|---|---|
| Minimum version to mitigate all listed CVEs | | PicassoPI-FP5 1.0.1.0 (2023-05-31) | PollockPI-FT5 1.0.0.6 (2023-10-26) |
| CVE-2023-20576 | High | Not affected | Not affected |
| CVE-2023-20577 | High | PicassoPI-FP5 1.0.1.0 (2023-05-31) | PollockPI-FT5 1.0.0.6 (2023-10-26) |
| CVE-2023-20579 | High | Not affected | Not affected |
| CVE-2023-20587 | High | Not affected | Not affected |

MOBILE - AMD Ryzen™ Series

| CVE | Severity | AMD Ryzen™ 3000 Series Mobile Processor with Radeon™ Graphics | AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics | AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics | AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics | AMD Ryzen™ 7020 Series Processors with Radeon™ Graphics |
|---|---|---|---|---|---|---|
| Minimum version to mitigate all listed CVEs | | PicassoPI-FP5 1.0.1.0 (2023-05-31) | RenoirPI-FP6 1.0.0.D (Target Feb 2024) | CezannePI-FP6 1.0.1.0 (2024-01-25) | CezannePI-FP6 1.0.1.0 (2024-01-25) | MendocinoPI-FT6 1.0.0.6 (2024-01-03) |
| CVE-2023-20576 | High | Not affected | Not affected | Not affected | Not affected | 1.0.0.6 (2024-01-03) |
| CVE-2023-20577 | High | PicassoPI-FP5 1.0.1.0 (2023-05-31) | RenoirPI-FP6 1.0.0.D (Target Feb 2024) | CezannePI-FP6 1.0.0.F (2023-6-20) | CezannePI-FP6 1.0.0.F (2023-6-20) | MendocinoPI-FT6 1.0.0.6 (2024-01-03) |
| CVE-2023-20579 | High | Not affected | RenoirPI-FP6 1.0.0.D (Target Feb 2024) | CezannePI-FP6 1.0.1.0 (2024-01-25) | CezannePI-FP6 1.0.1.0 (2024-01-25) | MendocinoPI-FT6 1.0.0.6 (2024-01-03) |
| CVE-2023-20587 | High | Not affected | Not affected | Not affected | Not affected | |

| CVE | Severity | AMD Ryzen™ 6000 Series Processors with Radeon™ Graphics | AMD Ryzen™ 7035 Series Processors with Radeon™ Graphics | AMD Ryzen™ 5000 Series Processors with Radeon™ Graphics | AMD Ryzen™ 3000 Series Processors with Radeon™ Graphics | AMD Ryzen™ 7040 Series Processors with Radeon™ Graphics | AMD Ryzen™ 7045 Series Mobile Processors |
|---|---|---|---|---|---|---|---|
| Minimum version to mitigate all listed CVEs | | RembrandtPI-FP7 1.0.0.A (2023-12-28) | RembrandtPI-FP7 1.0.0.A (2023-12-28) | CezannePI-FP6 1.0.1.0 (2024-01-25) | CezannePI-FP6 1.0.1.0 (2024-01-25) | PhoenixPI-FP8-FP7 1.1.0.0 (2023-10-06) | DragonRangeFL1PI 1.0.0.3b (2023-08-30) |
| CVE-2023-20576 | High | RembrandtPI-FP7 1.0.0.9b (2023-09-13) | RembrandtPI-FP7 1.0.0.9b (2023-09-13) | Not affected | Not affected | PhoenixPI-FP8-FP7 1.0.0.2 (2023-08-02) | DragonRangeFL1PI 1.0.0.3a (2023-05-24) |
| CVE-2023-20577 | High | RembrandtPI-FP7 1.0.0.9b (2023-09-13) | RembrandtPI-FP7 1.0.0.9b (2023-09-13) | CezannePI-FP6 1.0.0.F (2023-6-20) | CezannePI-FP6 1.0.0.F (2023-6-20) | PhoenixPI-FP8-FP7 1.0.0.2 (2023-08-02) | DragonRangeFL1PI 1.0.0.3a (2023-05-24) |
| CVE-2023-20579 | High | RembrandtPI-FP7 1.0.0.A (2023-12-28) | RembrandtPI-FP7 1.0.0.A (2023-12-28) | CezannePI-FP6 1.0.1.0 (2024-01-25) | CezannePI-FP6 1.0.1.0 (2024-01-25) | PhoenixPI-FP8-FP7 1.1.0.0 (2023-10-06) | DragonRangeFL1PI 1.0.0.3b (2023-08-30) |
| CVE-2023-20587 | High | Not affected | Not affected | Not affected | Not affected | Not affected | |

EMBEDDED

| CVE | Severity | AMD EPYC™ Embedded 3000 | AMD EPYC™ Embedded 7002 | AMD EPYC™ Embedded 7003 | AMD EPYC™ Embedded 9003 |
|---|---|---|---|---|---|
| Minimum version to mitigate all listed CVEs | | Snowyowl PI 1.1.0.B (2023-12-15) | EmbRomePI-SP3 1.0.0.B (2023-12-15) | EmbMilanPI-SP3 1.0.0.8 (2024-01-15) | EmbGenoaPI-SP5 1.0.0.3 (2023-09-15) |
| CVE-2023-20576 | High | Not affected | Not affected | Not affected | |
| CVE-2023-20577 | High | Snowyowl PI 1.1.0.B (2023-12-15) | EmbRomePI-SP3 1.0.0.B (2023-12-15) | EmbMilanPI-SP3 1.0.0.8 (2024-01-15) | EmbGenoaPI-SP5 1.0.0.3 (2023-09-15) |
| CVE-2023-20579 | High | Not affected | Not affected | Not affected | |
| CVE-2023-20587 | High | Snowyowl PI 1.1.0.A (2023-07-31) | EmbRomePI-SP3 1.0.0.A (2023-07-31) | EmbMilanPI-SP3 1.0.0.7 (2023-07-31) | EmbGenoaPI-SP5 1.0.0.0 (2023-01-31) |

| CVE | Severity | AMD Ryzen™ Embedded R1000 | AMD Ryzen™ Embedded R2000 | AMD Ryzen™ Embedded 5000 |
|---|---|---|---|---|
| Minimum version to mitigate all listed CVEs | | EmbeddedPI-FP5 1.2.0.A (2023-07-31) | EmbeddedPI-FP5 1.0.0.2 (2023-07-31) | EmbAM4PI 1.0.0.4 (2023-09-22) |
| CVE-2023-20576 | High | Not affected | Not affected | 1.0.0.4 (2023-09-22) |
| CVE-2023-20577 | High | EmbeddedPI-FP5 1.2.0.A (2023-07-31) | EmbeddedPI-FP5 1.0.0.2 (2023-07-31) | EmbAM4PI 1.0.0.4 (2023-09-22) |
| CVE-2023-20579 | High | Not affected | Not affected | |
| CVE-2023-20587 | High | Not affected | Not affected | |

All V1000 OPNs excluding YE1500C4T4MFH YE1500C4T4MFH

| CVE | Severity | AMD Ryzen™ Embedded V1000 | AMD Ryzen™ Embedded V2000 | AMD Ryzen™ Embedded V3000 |
|---|---|---|---|---|
| Minimum version to mitigate all listed CVEs | | EmbeddedPI-FP5 1.2.0.A (2023-07-31) | EmbeddedPI-FP6 1.0.0.9 (Target Apr 2024) | EmbeddedPI-FP7r2 1.0.0.9 (Target April 2024) |
| CVE-2023-20576 | High | Not affected | Not affected | 1.0.0.8 (2024-01-15) |
| CVE-2023-20577 | High | EmbeddedPI-FP5 1.2.0.A (2023-07-31) | EmbeddedPI-FP6 1.0.0.9 (Target April 2024) | EmbeddedPI-FP7r2 1.0.0.8 (2024-01-15) |
| CVE-2023-20579 | High | Not affected | EmbeddedPI-FP6 1.0.0.9 (Target April 2024) | EmbeddedPI-FP7r2 1.0.0.9 (Target April 2024) |
| CVE-2023-20587 | High | Not affected | Not affected | |
