Amd.comAMD-SB-7009AMD Processor Vulnerabilities
Bulletin ID: AMD-SB-7009 **Potential Impact:**Refer to the CVE Details section Severity: Refer to the CVE Details section
Summary
Researchers disclosed multiple potential vulnerabilities that may impact some AMD processors.
AMD has assessed the researchersâ findings and is publishing CVEs and mitigation recommendations for any issues that were found to impact AMD platforms. AMD believes some of the findings were made on PCs running outdated firmware or software. As always, AMD recommends following security best practices, including keeping operating systems up-to-date and running the latest versions of firmware and software.nds following security best practices, including keeping operating systems up-to-date and running the latest versions of firmware and software.
CVE Details
Refer to Glossary for explanation of terms
| CVE | Severity | CVE Description |
|---|---|---|
| CVE-2023-20576 | High | Insufficient Verification of Data Authenticity in AGESA⢠may allow an attacker to update SPI ROM data potentially resulting in denial of service or privilege escalation. |
| CVE-2023-20577 | High | A heap overflow in SMM module may allow an attacker with access to a second vulnerability that enables writing to SPI flash, potentially resulting in arbitrary code execution. |
| CVE-2023-20579 | High | Improper Access Control in the AMD SPI protection feature may allow a user with Ring0 (kernel mode) privileged access to bypass protections potentially resulting in loss of integrity and availability. |
| CVE-2023-20587 | High | Improper Access Control in System Management Mode (SMM) may allow an attacker access to the SPI flash potentially leading to arbitrary code execution. |
Affected Products and Mitigation
DATACENTER
| CVE | 1st Gen AMD EPYC⢠Processors | 2nd Gen AMD EPYC⢠Processors | 3rd Gen AMD EPYC⢠Processors | 4th Gen AMD EPYC⢠Processors |
|---|---|---|---|---|
| Minimum version to mitigate all listed CVEs | NaplesPI | |||
| 1.0.0.K | ||||
| (2023-04-27) | RomePI | |||
| 1.0.0.H | ||||
| (2023-11-07) | MilanPI | |||
| 1.0.0.C | ||||
| (2023-12-18) | GenoaPI | |||
| 1.0.0.8 | ||||
| (2023-06-09) | ||||
| CVE-2023-20576 | High | Not Affected | Not affected | Not affected |
| CVE-2023-20577 | High | Not Affected | RomePI | |
| 1.0.0.H | ||||
| (2023-11-07) | MilanPI | |||
| 1.0.0.C | ||||
| (2023-12-18) | GenoaPI | |||
| 1.0.0.8 | ||||
| (2023-06-09) | ||||
| CVE-2023-20579 | High | Not Affected | Not affected | Not affected |
| CVE-2023-20587 | High | Not Affected1 | Not Affected1 | Not Affected1 |
1There was an error in the affected status of Server and Embedded processors for CVE-2023-20587. It has been updated to a âNot affectedâ status to correct that error.
DATACENTER GRAPHICS2
| CVE | AMD Instinct⢠MI300A |
|---|---|
| Minimum version to mitigate all listed CVEs | MI300 SR5 PI 1.0.0.1 |
| (2024-02-28) | |
| CVE-2023-20576 | High |
| CVE-2023-20577 | High |
| (2024-02-28) | |
| CVE-2023-20579 | High |
| CVE-2023-20587 | High |
2Only MI300A is affected within the Datacenter GPU product line
DESKTOP
CVE|AMD Ryzen⢠3000 Series Desktop Processors|AMD Ryzen⢠5000 Series Desktop Processors|AMD Ryzen⢠5000 Series Desktop Processors with Radeon⢠Graphics
| AMD Ryzen⢠7000 Series Processors|AMD Athlon⢠3000 Series Desktop Processors with Radeon⢠Graphics|AMD Ryzen⢠4000 Series Desktop Processors with Radeon⢠Graphics
â|â|â|â|â|â|â
Minimum version to mitigate all listed CVEs|
ComboAM4v2
1.2.0.B
(2023-08-25)
ComboAM4
1.0.0.B
(2024-03-20)| ComboAM4v2
1.2.0.B
(2023-08-25)| ComboAM4v2PI
1.2.0.C
(2024-02-07)| ComboAM5
1.0.8.0
(2023-8-29)****|
ComboAM4v2
1.2.0.B
(2023-08-25)
ComboAM4
1.0.0.B
(2024-03-20)| ComboAM4v2PI
1.2.0.C
(2024-02-07)
CVE-2023-20576| High| ComboAM4v2
1.2.0.B
(2023-08-25)| ComboAM4v2v
1.2.0.B
(2023-08-25)| ComboAM4v2
1.2.0.B
(2023-08-25)| ComboAM5
1.0.0.7b
(2023-07-21)| Not affected| ComboAM4v2
1.2.0.B
(2023-08-25)
CVE-2023-20577| High|
ComboAM4v2
1.2.0.B
(2023-08-25)
ComboAM4
1.0.0.B
(2024-03-20)| ComboAM4v2
1.2.0.B
(2023-08-25)| ComboAM4v2
1.2.0.B
(2023-08-25)| ComboAM5
1.0.0.7b
(2023-07-21)|
ComboAM4v2
1.2.0.B
(2023-08-25)
ComboAM4 1.0.0.B
(2024-03-20)| ComboAM4v2
1.2.0.B
(2023-08-25)
CVE-2023-20579| High| Not affected| Not affected| ComboAM4v2PI
1.2.0.C
(2024-02-07)| ComboAM5
1.0.8.0
(2023-8-29)| Not affected| ComboAM4v2PI
1.2.0.C
(2024-02-07)
CVE-2023-20587| High| Not affected| Not affected| Not affected| Not affected| Not affected| Not affected
HIGH END DESKTOP (HEDT)
| CVE | AMD Ryzen⢠Threadripper⢠3000 Series Processors |
|---|---|
| Minimum version to mitigate all listed CVEs | CastlePeakPI-SP3r3 |
| 1.0.0.A | |
| (2023-11-21) | |
| CVE-2023-20576 | High |
| CVE-2023-20577 | High |
| 1.0.0.A | |
| (2023-11-21) | |
| CVE-2023-20579 | High |
| CVE-2023-20587 | High |
WORKSTATION
| CVE | AMD Ryzen⢠Threadripper⢠PRO 3000WX Series Processors | AMD Ryzen⢠Threadripper⢠PRO 5000WX Processors |
|---|---|---|
| Minimum version to mitigate all listed CVEs |
ChagallWSPI-sWRX8
1.0.0.7
(2024-01-11)
CastlePeakWSPI-sWRX8
1.0.0.C
(2023-11-29)| ChagallWSPI-sWRX8
1.0.0.7
(2024-01-11)
CVE-2023-20576| High| Not affected| ChagallWSPI-sWRX8
1.0.0.7
(2024-01-11)
CVE-2023-20577| High|
ChagallWSPI-sWRX8
1.0.0.7
(2024-01-11)
CastlePeakWSPI-sWRX8
1.0.0.C
(2023-11-29)| ChagallWSPI-sWRX8
1.0.0.7
(2024-01-11)
CVE-2023-20579| High| Not affected| Not affected
CVE-2023-20587| High| Not affected| Not affected
MOBILE - AMD Athlon⢠Series
CVE|AMD Athlon⢠3000 Series Mobile
Processors with Radeon⢠Graphics|**AMD Athlon⢠3000 Series Mobile
Processors with Radeon⢠Graphics
**
â|â|â
Minimum version to mitigate all listed CVEs| PicassoPI-FP5
1.0.1.0
(2023-05-31)| PollockPI-FT5
1.0.0.6
(2023-10-26)
CVE-2023-20576| High| Not affected| Not affected
CVE-2023-20577| High| PicassoPI-FP5
1.0.1.0
(2023-05-31)| PollockPI-FT5
1.0.0.6
(2023-10-26)
CVE-2023-20579| High| Not affected| Not affected
CVE-2023-20587| High| Not affected| Not affected
MOBILE - AMD Ryzen⢠Series
| CVE | AMD Ryzen⢠3000 Series Mobile Processor with Radeon⢠Graphics | AMD Ryzen⢠4000 Series Mobile Processors with Radeon⢠Graphics | AMD Ryzen⢠5000 Series Mobile Processors with Radeon⢠Graphics | AMD Ryzen⢠5000 Series Mobile Processors with Radeon⢠Graphics | AMD Ryzen⢠7020 Series Processors with Radeon⢠Graphics |
|---|---|---|---|---|---|
| Minimum version to mitigate all listed CVEs | PicassoPI-FP5 | ||||
| 1.0.1.0 | |||||
| (2023-05-31) | RenoirPI-FP6 | ||||
| 1.0.0.D | |||||
| (2024-02-29) | CezannePI-FP6 | ||||
| 1.0.1.0 | |||||
| (2024-01-25) | CezannePI-FP6 | ||||
| 1.0.1.0 | |||||
| (2024-01-25) | MendocinoPI-FT6 | ||||
| 1.0.0.6 | |||||
| (2024-01-03) | |||||
| CVE-2023-20576 | High | Not affected | Not affected | Not affected | Not affected |
| 1.0.0.6 | |||||
| (2024-01-03) | |||||
| CVE-2023-20577 | High | PicassoPI-FP5 | |||
| 1.0.1.0 | |||||
| (2023-05-31) | RenoirPI-FP6 | ||||
| 1.0.0.D | |||||
| (2024-02-29) | CezannePI-FP6 | ||||
| 1.0.0.F | |||||
| (2023-6-20) | CezannePI-FP6 | ||||
| 1.0.0.F | |||||
| (2023-6-20) | MendocinoPI-FT6 | ||||
| 1.0.0.6 | |||||
| (2024-01-03) | |||||
| CVE-2023-20579 | High | Not affected | RenoirPI-FP6 | ||
| 1.0.0.D | |||||
| (2024-02-29) | CezannePI-FP6 | ||||
| 1.0.1.0 | |||||
| (2024-01-25) | CezannePI-FP6 | ||||
| 1.0.1.0 | |||||
| (2024-01-25) | MendocinoPI-FT6 | ||||
| 1.0.0.6 | |||||
| (2024-01-03) | |||||
| CVE-2023-20587 | High | Not affected | Not affected | Not affected | Not affected |
| CVE | AMD Ryzen⢠6000 Series Processors with Radeon⢠Graphics | AMD Ryzen⢠7035 Series Processors with Radeon⢠Graphics | AMD Ryzen⢠5000 Series Processors with Radeon⢠Graphics | AMD Ryzen⢠3000 Series Processors with Radeon⢠Graphics | AMD Ryzen⢠7040 Series Processors with Radeon⢠Graphics | AMD Ryzen⢠7045 Series Mobile Processors |
|---|---|---|---|---|---|---|
| Minimum version to mitigate all listed CVEs | RembrandtPI-FP7 | |||||
| 1.0.0.A | ||||||
| (2023-12-28) | RembrandtPI-FP7 | |||||
| 1.0.0.A | ||||||
| (2023-12-28) | CezannePI-FP6 | |||||
| 1.0.1.0 | ||||||
| (2024-01-25) | CezannePI-FP6 | |||||
| 1.0.1.0 | ||||||
| (2024-01-25) | PhoenixPI-FP8-FP7 | |||||
| 1.1.0.0 | ||||||
| (2023-10-06) | DragonRangeFL1PI | |||||
| 1.0.0.3b | ||||||
| (2023-08-30) | ||||||
| CVE-2023-20576 | High | RembrandtPI-FP7 | ||||
| 1.0.0.9b | ||||||
| (2023-09-13) | RembrandtPI-FP7 | |||||
| 1.0.0.9b | ||||||
| (2023-09-13) | Not affected | Not affected | PhoenixPI-FP8-FP7 | |||
| 1.0.0.2 | ||||||
| (2023-08-02) | DragonRangeFL1PI | |||||
| 1.0.0.3a | ||||||
| (2023-05-24) | ||||||
| CVE-2023-20577 | High | RembrandtPI-FP7 | ||||
| 1.0.0.9b | ||||||
| (2023-09-13) | RembrandtPI-FP7 | |||||
| 1.0.0.9b | ||||||
| (2023-09-13) | CezannePI-FP6 | |||||
| 1.0.0.F | ||||||
| (2023-6-20) | CezannePI-FP6 | |||||
| 1.0.0.F | ||||||
| (2023-6-20) | PhoenixPI-FP8-FP7 | |||||
| 1.0.0.2 | ||||||
| (2023-08-02) | DragonRangeFL1PI | |||||
| 1.0.0.3a | ||||||
| (2023-05-24) | ||||||
| CVE-2023-20579 | High | RembrandtPI-FP7 | ||||
| 1.0.0.A | ||||||
| (2023-12-28) | RembrandtPI-FP7 | |||||
| 1.0.0.A | ||||||
| (2023-12-28) | CezannePI-FP6 | |||||
| 1.0.1.0 | ||||||
| (2024-01-25) | CezannePI-FP6 | |||||
| 1.0.1.0 | ||||||
| (2024-01-25) | PhoenixPI-FP8-FP7 | |||||
| 1.1.0.0 | ||||||
| (2023-10-06) | DragonRangeFL1PI 1.0.0.3b | |||||
| (2023-08-30) | ||||||
| CVE-2023-20587 | High | Not affected | Not affected | Not affected | Not affected | Not affected |
EMBEDDED
| CVE | AMD EPYC⢠Embedded 3000 | AMD EPYC⢠Embedded 7002 | AMD EPYC⢠Embedded 7003 | AMD EPYC⢠Embedded 9003 |
|---|---|---|---|---|
| Minimum version to mitigate all listed CVEs | Snowyowl PI | |||
| 1.1.0.B | ||||
| (2023-12-15) | EmbRomePI-SP3 | |||
| 1.0.0.B | ||||
| (2023-12-15) | EmbMilanPI-SP3 | |||
| 1.0.0.8 | ||||
| (2024-01-15) | EmbGenoaPI-SP5 | |||
| 1.0.0.3 | ||||
| (2023-09-15) | ||||
| CVE-2023-20576 | High | Not affected | Not affected | Not affected |
| CVE-2023-20577 | High | Snowyowl PI | ||
| 1.1.0.B | ||||
| (2023-12-15) | EmbRomePI-SP3 | |||
| 1.0.0.B | ||||
| (2023-12-15) | EmbMilanPI-SP3 | |||
| 1.0.0.8 | ||||
| (2024-01-15) | EmbGenoaPI-SP5 | |||
| 1.0.0.3 | ||||
| (2023-09-15) | ||||
| CVE-2023-20579 | High | Not affected | Not affected | Not affected |
| CVE-2023-20587 | High | Not Affected3 | Not Affected3 | Not Affected3 |
3There was an error in the affected status of Server and Embedded processors for CVE-2023-20587. It has been updated to a âNot affectedâ status to correct that error.
| CVE | AMD Ryzen⢠Embedded R1000 | AMD Ryzen⢠Embedded R2000 | AMD Ryzen⢠Embedded 5000 |
|---|---|---|---|
| Minimum version to mitigate all listed CVEs | EmbeddedPI-FP5 | ||
| 1.2.0.A | |||
| (2023-07-31) | EmbeddedPI-FP5 | ||
| 1.0.0.2 | |||
| (2023-07-31) | EmbAM4PI | ||
| 1.0.0.4 | |||
| (2023-09-22) | |||
| CVE-2023-20576 | High | Not affected | Not affected |
| 1.0.0.4 | |||
| (2023-09-22) | |||
| CVE-2023-20577 | High | EmbeddedPI-FP5 | |
| 1.2.0.A | |||
| (2023-07-31) | EmbeddedPI-FP5 | ||
| 1.0.0.2 | |||
| (2023-07-31) | EmbAM4PI | ||
| 1.0.0.4 | |||
| (2023-09-22) | |||
| CVE-2023-20579 | High | Not affected | Not affected |
| CVE-2023-20587 | High | Not affected | Not affected |
| CVE | AMD Ryzen⢠Embedded V1000 | AMD Ryzen⢠Embedded V2000 | AMD Ryzen⢠Embedded V3000 |
|---|---|---|---|
| All V1000 OPNs | |||
| excluding | |||
| YE1500C4T4MFH | YE1500C4T4MFH | ||
| Minimum version to mitigate all listed CVEs | EmbeddedPI-FP5 | ||
| 1.2.0.A | |||
| (2023-07-31) | EmbeddedPI-FP6 | ||
| 1.0.0.9 | |||
| (2024-04-15) | EmbeddedPI-FP7r2 | ||
| 1.0.0.9 | |||
| (2024-04-15) | |||
| CVE-2023-20576 | High | Not affected | Not affected |
| 1.0.0.8 | |||
| (2024-01-15) | |||
| CVE-2023-20577 | High | EmbeddedPI-FP5 | |
| 1.2.0.A | |||
| (2023-07-31) | EmbeddedPI-FP6 | ||
| 1.0.0.9 | |||
| (2024-04-15) | EmbeddedPI-FP7r2 | ||
| 1.0.0.8 | |||
| (2024-01-15) | |||
| CVE-2023-20579 | High | Not affected | EmbeddedPI-FP6 |
| 1.0.0.9 | |||
| (2024-04-15) | EmbeddedPI-FP7r2 | ||
| 1.0.0.9 | |||
| (2024-04-15) | |||
| CVE-2023-20587 | High | Not affected | Not affected |
Related
