A hot potato: All users with AMD Ryzen processors from the last few years should check and update their motherboard firmware ASAP, especially if they haven’t done so since before 2023. AMD has published a detailed chart describing four severe security issues affecting server, desktop, workstation, HEDT, mobile, and embedded Zen CPUs. Recent BIOS updates have addressed most, but not all of the flaws.

All four vulnerabilities AMD has acknowledged are marked as high-severity. The chart below lists the minimum AGESA version needed to mitigate all issues for each processor generation. A more detailed breakdown of which problems and solutions affect each CPU can be found in the company’s security bulletin.

One of the vulnerabilities, designated CVE-2023-20576, can allow attackers to initiate denial of service attacks or escalate privileges due to insufficient data authenticity verification in the BIOS.

Two others – CVE-2023-20577 and CVE-2023-20587 – can enable arbitrary code execution by granting access to the SPI flash through System Management Mode. Another, dubbed CVE-2023-20579, can cause loss of integrity and availability through improper access control in AMD’s SPI protection feature.

CPU Generation Minimum Patched BIOS version Availability Date
1st Gen AMD EPYC NaplesPI 1.0.0.K 2023-Apr-27
2nd Gen AMD EPYC RomePI 1.0.0.H 2023-Nov-07
3rd Gen AMD EPYC MilanPI 1.0.0.C 2023-Dec-18
4th Gen AMD EPYC GenoaPI 1.0.0.8 2023-Jun-09
Ryzen 3000 Desktop ComboAM4 1.0.0.B 2024-Mar
Ryzen 5000 Desktop ComboAM4v2 1.2.0.B 2023-Aug-25
Ryzen 5000 Desktop w/ Radeon ComboAM4v2PI 1.2.0.C 2024-Feb-07
Ryzen 7000 Desktop ComboAM5 1.0.8.0 2023-Aug-29
Ryzen 3000 Desktop w/ Radeon ComboAM4 1.0.0.B 2024-Mar
Ryzen 4000 Desktop w/ Radeon ComboAM4v2PI 1.2.0.C 2024-Feb-07
Ryzen Threadripper 3000 CastlePeakPI-SP3r3 1.0.0.A 2023-Nov-21
Ryzen Threadripper Pro 3000WX ChagallWSPI-sWRX8 1.0.0.7 2024-Jan-11
Ryzen Threadripper Pro 5000WX ChagallWSPI-sWRX8 1.0.0.7 2024-Jan-11
Athlon 3000 Mobile w/ Radeon PollockPI-FT5 1.0.0.6 2023-Oct-26
Ryzen 3000 Mobile w/ Radeon PicassoPI-FP5 1.0.1.0 2023-May-31
Ryzen 4000 Mobile w/ Radeon RenoirPI-FP6 1.0.0.D 2024-Feb
Ryzen 5000 Mobile w/ Radeon CezannePI-FP6 1.0.1.0 2024-Jan-25
Ryzen 7020 w/ Radeon MendocinoPI-FT6 1.0.0.6 2024-Jan-03
Ryzen 6000 w/ Radeon RembrandtPI-FP7 1.0.0.A 2023-Dec-28
Ryzen 7035 w/ Radeon RembrandtPI-FP7 1.0.0.A 2023-Dec-28
Ryzen 5000 w/ Radeon CezannePI-FP6 1.0.1.0 2024-Jan-25
Ryzen 3000 w/ Radeon CezannePI-FP6 1.0.1.0 2024-Jan-25
Ryzen 7040 w/ Radeon PhoenixPI-FP8-FP7 1.1.0.0 2023-Oct-06
Ryzen 7045 Mobile DragonRangeFL1PI 1.0.0.3b 2023-Aug-30
Eypc Embedded 3000 Snowyowl PI 1.1.0.B 2023-Dec-15
Epyc Embedded 7002 EmbRomePI-SP3 1.0.0.B 2023-Dec-15
Epyc Embedded 7003 EmbMilanPI-SP3 1.0.0.8 2024-Jan-15
Epyc Embedded 9003 EmbGenoaPI-SP5 1.0.0.3 2023-Sep-15
Ryzen Embedded R1000 EmbeddedPI-FP5 1.2.0.A 2023-Jul-31
Ryzen Embedded R2000 EmbeddedPI-FP5 1.0.0.2 2023-Jul-31
Ryzen Embedded 5000 EmbAM4PI 1.0.0.4 2023-Sep-22
Ryzen Embedded V1000 EmbeddedPI-FP5 1.2.0.A 2023-Jul-31
Ryzen Embedded V2000 EmbeddedPI-FP6 1.0.0.9 2024-Apr
Ryzen Embedded V3000 EmbeddedPI-FP7r2 1.0.0.9 2024-Apr

Those with Ryzen 3000 series desktop CPUs, 4000 series mobile APUs, embedded V2000 chips, or V3000 systems should exercise extra vigilance over the next few months, as the issues affecting those generations have not all been patched. An update planned for later this month will address the vulnerabilities for the 4000 series APUs, while a March 2024 BIOS update will fix the 3000 series CPUs. The affected embedded products will receive patches in April.

All other Zen processors received the relevant fixes in updates between mid-2023 and early this month. For 2nd-gen Epyc processors, the update that mitigated last year’s Zenbleed attack also protects against the new vulnerabilities.

There are several ways to check and update your BIOS version. In most modern PCs, both are possible directly from the BIOS itself. After entering the BIOS by pressing the indicated button during the system’s initial boot-up, the version number should appear on the main menu. Automatic update functions vary depending on the motherboard manufacturer.

To check your BIOS version without rebooting Windows, launch the System Information app by typing that into search or “msinfo” into the taskbar’s search. The version and date should appear in the list on the right pane. The latest BIOS version can usually be found on the support section of the motherboard manufacturer’s website. All major motherboard makers also offer automatic updates through optional management software.

Source link