AMD Processor Vulnerabilities
Bulletin ID: AMD-SB-7009
Potential Impact: Refer to the CVE Details section
Severity: Refer to the CVE Details section
Summary
Researchers disclosed multiple potential vulnerabilities that may impact some AMD processors.
AMD has assessed the researchers’ findings and is publishing CVEs and mitigation recommendations for any issues that were found to impact AMD platforms. AMD believes some of the findings were made on PCs running outdated firmware or software. As always, AMD recommends following security best practices, including keeping operating systems up-to-date and running the latest versions of firmware and software.nds following security best practices, including keeping operating systems up-to-date and running the latest versions of firmware and software.
CVE Details
Refer to Glossary for explanation of terms
| CVE | Severity | CVE Description |
| CVE-2023-20576 | High | Insufficient Verification of Data Authenticity in AGESA™ may allow an attacker to update SPI ROM data potentially resulting in denial of service or privilege escalation. |
| CVE-2023-20577 | High | A heap overflow in SMM module may allow an attacker with access to a second vulnerability that enables writing to SPI flash, potentially resulting in arbitrary code execution. |
| CVE-2023-20579 | High | Improper Access Control in the AMD SPI protection feature may allow a user with Ring0 (kernel mode) privileged access to bypass protections potentially resulting in loss of integrity and availability. |
| CVE-2023-20587 | High | Improper Access Control in System Management Mode (SMM) may allow an attacker access to the SPI flash potentially leading to arbitrary code execution. |
Affected Products and Mitigation
DATACENTER
| CVE | 1st Gen AMD EPYC™ Processors | 2nd Gen AMD EPYC™ Processors | 3rd Gen AMD EPYC™ Processors | 4th Gen AMD EPYC™ Processors | |
| Minimum version to mitigate all listed CVEs | NaplesPI 1.0.0.K (2023-04-27) |
RomePI 1.0.0.H (2023-11-07) |
MilanPI 1.0.0.C (2023-12-18) |
GenoaPI 1.0.0.8 (2023-06-09) |
|
| CVE-2023-20576 | High | Not Affected | Not affected | Not affected | Not affected |
| CVE-2023-20577 | High | Not Affected | RomePI 1.0.0.H (2023-11-07) |
MilanPI 1.0.0.C (2023-12-18) |
GenoaPI 1.0.0.8 (2023-06-09) |
| CVE-2023-20579 | High | Not Affected | Not affected | Not affected | Not affected |
| CVE-2023-20587 | High | Not Affected1 | Not Affected1 | Not Affected1 | Not Affected1 |
1There was an error in the affected status of Server and Embedded processors for CVE-2023-20587. It has been updated to a “Not affected” status to correct that error.
DATACENTER GRAPHICS2
| CVE | AMD Instinct™ MI300A | |
| Minimum version to mitigate all listed CVEs | MI300 SR5 PI 1.0.0.1 (2024-02-28) |
|
| CVE-2023-20576 | High | Not Affected |
| CVE-2023-20577 | High | MI300 SR5 PI 1.0.0.1 (2024-02-28) |
| CVE-2023-20579 | High | Not Affected |
| CVE-2023-20587 | High | Not Affected |
2Only MI300A is affected within the Datacenter GPU product line
DESKTOP
| CVE | AMD Ryzen™ 3000 Series Desktop Processors | AMD Ryzen™ 5000 Series Desktop Processors | AMD Ryzen™ 5000 Series Desktop Processors with Radeon™ Graphics |
AMD Ryzen™ 7000 Series Processors | AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics | AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics | |
| Minimum version to mitigate all listed CVEs | ComboAM4v2 ComboAM4 |
ComboAM4v2 1.2.0.B (2023-08-25) |
ComboAM4v2PI 1.2.0.C (2024-02-07) |
ComboAM5 1.0.8.0 (2023-8-29) |
ComboAM4v2 ComboAM4 |
ComboAM4v2PI 1.2.0.C (2024-02-07) |
|
| CVE-2023-20576 | High | ComboAM4v2 1.2.0.B (2023-08-25) |
ComboAM4v2v 1.2.0.B (2023-08-25) |
ComboAM4v2 1.2.0.B (2023-08-25) |
ComboAM5 1.0.0.7b (2023-07-21) |
Not affected | ComboAM4v2 1.2.0.B (2023-08-25) |
| CVE-2023-20577 | High | ComboAM4v2 ComboAM4 |
ComboAM4v2 1.2.0.B (2023-08-25) |
ComboAM4v2 1.2.0.B (2023-08-25) |
ComboAM5 1.0.0.7b (2023-07-21) |
ComboAM4v2 ComboAM4 1.0.0.B |
ComboAM4v2 1.2.0.B (2023-08-25) |
| CVE-2023-20579 | High | Not affected | Not affected | ComboAM4v2PI 1.2.0.C (2024-02-07) |
ComboAM5 1.0.8.0 (2023-8-29) |
Not affected | ComboAM4v2PI 1.2.0.C (2024-02-07) |
| CVE-2023-20587 | High | Not affected | Not affected | Not affected | Not affected | Not affected | Not affected |
HIGH END DESKTOP (HEDT)
| CVE | AMD Ryzen™ Threadripper™ 3000 Series Processors | |
| Minimum version to mitigate all listed CVEs | CastlePeakPI-SP3r3 1.0.0.A (2023-11-21) |
|
| CVE-2023-20576 | High | Not affected |
| CVE-2023-20577 | High | CastlePeakPI-SP3r3 1.0.0.A (2023-11-21) |
| CVE-2023-20579 | High | Not affected |
| CVE-2023-20587 | High | Not affected |
WORKSTATION
| CVE | AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors | AMD Ryzen™ Threadripper™ PRO 5000WX Processors | |
| Minimum version to mitigate all listed CVEs | ChagallWSPI-sWRX8 CastlePeakWSPI-sWRX8 |
ChagallWSPI-sWRX8 1.0.0.7 (2024-01-11) |
|
| CVE-2023-20576 | High | Not affected | ChagallWSPI-sWRX8 1.0.0.7 (2024-01-11) |
| CVE-2023-20577 | High | ChagallWSPI-sWRX8 CastlePeakWSPI-sWRX8 |
ChagallWSPI-sWRX8 1.0.0.7 (2024-01-11) |
| CVE-2023-20579 | High | Not affected | Not affected |
| CVE-2023-20587 | High | Not affected | Not affected |
MOBILE - AMD Athlon™ Series
| CVE | AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics |
AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics |
|
| Minimum version to mitigate all listed CVEs | PicassoPI-FP5 1.0.1.0 (2023-05-31) |
PollockPI-FT5 1.0.0.6 (2023-10-26) |
|
| CVE-2023-20576 | High | Not affected | Not affected |
| CVE-2023-20577 | High | PicassoPI-FP5 1.0.1.0 (2023-05-31) |
PollockPI-FT5 1.0.0.6 (2023-10-26) |
| CVE-2023-20579 | High | Not affected | Not affected |
| CVE-2023-20587 | High | Not affected | Not affected |
MOBILE - AMD Ryzen™ Series
| CVE | AMD Ryzen™ 3000 Series Mobile Processor with Radeon™ Graphics | AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics | AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics | AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics | AMD Ryzen™ 7020 Series Processors with Radeon™ Graphics | |
| Minimum version to mitigate all listed CVEs | PicassoPI-FP5 1.0.1.0 (2023-05-31) |
RenoirPI-FP6 1.0.0.D (2024-02-29) |
CezannePI-FP6 1.0.1.0 (2024-01-25) |
CezannePI-FP6 1.0.1.0 (2024-01-25) |
MendocinoPI-FT6 1.0.0.6 (2024-01-03) |
|
| CVE-2023-20576 | High | Not affected | Not affected | Not affected | Not affected | MendocinoPI-FT6 1.0.0.6 (2024-01-03) |
| CVE-2023-20577 | High | PicassoPI-FP5 1.0.1.0 (2023-05-31) |
RenoirPI-FP6 1.0.0.D (2024-02-29) |
CezannePI-FP6 1.0.0.F (2023-6-20) |
CezannePI-FP6 1.0.0.F (2023-6-20) |
MendocinoPI-FT6 1.0.0.6 (2024-01-03) |
| CVE-2023-20579 | High | Not affected | RenoirPI-FP6 1.0.0.D (2024-02-29) |
CezannePI-FP6 1.0.1.0 (2024-01-25) |
CezannePI-FP6 1.0.1.0 (2024-01-25) |
MendocinoPI-FT6 1.0.0.6 (2024-01-03) |
| CVE-2023-20587 | High | Not affected | Not affected | Not affected | Not affected | Not affected |
| CVE | AMD Ryzen™ 6000 Series Processors with Radeon™ Graphics | AMD Ryzen™ 7035 Series Processors with Radeon™ Graphics | AMD Ryzen™ 5000 Series Processors with Radeon™ Graphics | AMD Ryzen™ 3000 Series Processors with Radeon™ Graphics | AMD Ryzen™ 7040 Series Processors with Radeon™ Graphics | AMD Ryzen™ 7045 Series Mobile Processors | |
| Minimum version to mitigate all listed CVEs | RembrandtPI-FP7 1.0.0.A (2023-12-28) |
RembrandtPI-FP7 1.0.0.A (2023-12-28) |
CezannePI-FP6 1.0.1.0 (2024-01-25) |
CezannePI-FP6 1.0.1.0 (2024-01-25) |
PhoenixPI-FP8-FP7 1.1.0.0 (2023-10-06) |
DragonRangeFL1PI 1.0.0.3b (2023-08-30) |
|
| CVE-2023-20576 | High | RembrandtPI-FP7 1.0.0.9b (2023-09-13) |
RembrandtPI-FP7 1.0.0.9b (2023-09-13) |
Not affected | Not affected | PhoenixPI-FP8-FP7 1.0.0.2 (2023-08-02) |
DragonRangeFL1PI 1.0.0.3a (2023-05-24) |
| CVE-2023-20577 | High | RembrandtPI-FP7 1.0.0.9b (2023-09-13) |
RembrandtPI-FP7 1.0.0.9b (2023-09-13) |
CezannePI-FP6 1.0.0.F (2023-6-20) |
CezannePI-FP6 1.0.0.F (2023-6-20) |
PhoenixPI-FP8-FP7 1.0.0.2 (2023-08-02) |
DragonRangeFL1PI 1.0.0.3a (2023-05-24) |
| CVE-2023-20579 | High | RembrandtPI-FP7 1.0.0.A (2023-12-28) |
RembrandtPI-FP7 1.0.0.A (2023-12-28) |
CezannePI-FP6 1.0.1.0 (2024-01-25) |
CezannePI-FP6 1.0.1.0 (2024-01-25) |
PhoenixPI-FP8-FP7 1.1.0.0 (2023-10-06) |
DragonRangeFL1PI 1.0.0.3b (2023-08-30) |
| CVE-2023-20587 | High | Not affected | Not affected | Not affected | Not affected | Not affected | Not affected |
EMBEDDED
| CVE | AMD EPYC™ Embedded 3000 | AMD EPYC™ Embedded 7002 | AMD EPYC™ Embedded 7003 | AMD EPYC™ Embedded 9003 | |
| Minimum version to mitigate all listed CVEs | Snowyowl PI 1.1.0.B (2023-12-15) |
EmbRomePI-SP3 1.0.0.B (2023-12-15) |
EmbMilanPI-SP3 1.0.0.8 (2024-01-15) |
EmbGenoaPI-SP5 1.0.0.3 (2023-09-15) |
|
| CVE-2023-20576 | High | Not affected | Not affected | Not affected | Not affected |
| CVE-2023-20577 | High | Snowyowl PI 1.1.0.B (2023-12-15) |
EmbRomePI-SP3 1.0.0.B (2023-12-15) |
EmbMilanPI-SP3 1.0.0.8 (2024-01-15) |
EmbGenoaPI-SP5 1.0.0.3 (2023-09-15) |
| CVE-2023-20579 | High | Not affected | Not affected | Not affected | Not affected |
| CVE-2023-20587 | High | Not Affected3 | Not Affected3 | Not Affected3 | Not Affected3 |
3There was an error in the affected status of Server and Embedded processors for CVE-2023-20587. It has been updated to a “Not affected” status to correct that error.
| CVE | AMD Ryzen™ Embedded R1000 | AMD Ryzen™ Embedded R2000 | AMD Ryzen™ Embedded 5000 | |
| Minimum version to mitigate all listed CVEs | EmbeddedPI-FP5 1.2.0.A (2023-07-31) |
EmbeddedPI-FP5 1.0.0.2 (2023-07-31) |
EmbAM4PI 1.0.0.4 (2023-09-22) |
|
| CVE-2023-20576 | High | Not affected | Not affected | EmbAM4PI 1.0.0.4 (2023-09-22) |
| CVE-2023-20577 | High | EmbeddedPI-FP5 1.2.0.A (2023-07-31) |
EmbeddedPI-FP5 1.0.0.2 (2023-07-31) |
EmbAM4PI 1.0.0.4 (2023-09-22) |
| CVE-2023-20579 | High | Not affected | Not affected | Not affected |
| CVE-2023-20587 | High | Not affected | Not affected | Not affected |
| CVE | AMD Ryzen™ Embedded V1000 | AMD Ryzen™ Embedded V2000 | AMD Ryzen™ Embedded V3000 | ||
| All V1000 OPNs excluding YE1500C4T4MFH |
YE1500C4T4MFH | ||||
| Minimum version to mitigate all listed CVEs | EmbeddedPI-FP5 1.2.0.A (2023-07-31) |
EmbeddedPI-FP6 1.0.0.9 (2024-04-15) |
EmbeddedPI-FP7r2 1.0.0.9 (2024-04-15) |
||
| CVE-2023-20576 | High | Not affected | Not affected | EmbeddedPI-FP7r2 1.0.0.8 (2024-01-15) |
|
| CVE-2023-20577 | High | EmbeddedPI-FP5 1.2.0.A (2023-07-31) |
EmbeddedPI-FP6 1.0.0.9 (2024-04-15) |
EmbeddedPI-FP7r2 1.0.0.8 (2024-01-15) |
|
| CVE-2023-20579 | High | Not affected | EmbeddedPI-FP6 1.0.0.9 (2024-04-15) |
EmbeddedPI-FP7r2 1.0.0.9 (2024-04-15) |
|
| CVE-2023-20587 | High | Not affected | Not affected | Not affected | |
Acknowledgement
AMD thanks Enrique Nissim, Krzysztof Okupski, and Joseph Tartaro of IOActive for reporting these issues.
Revisions
Revision Date |
Description |
| 2024-06-13 | There was an error in the affected status of Server and Embedded processors for CVE-2023-20587. It has been updated to a “Not affected” status to correct that error. |
2024-04-30 |
Updated mitigation date for AMD Ryzen™ Embedded V2000 and AMD Ryzen™ Embedded V3000 |
2024-04-03 |
Added Datacenter Graphics and updated PI delivery dates for: AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics AMD Ryzen™ 3000 Series Desktop Processors AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics |
2024-02-13 |
Initial publication |
DISCLAIMER
The information contained herein is for informational purposes only and is subject to change without notice. While every precaution has been taken in the preparation of this document, it may contain technical inaccuracies, omissions and typographical errors, and AMD is under no obligation to update or otherwise correct this information. Advanced Micro Devices, Inc. makes no representations or warranties with respect to the accuracy or completeness of the contents of this document, and assumes no liability of any kind, including the implied warranties of noninfringement, merchantability or fitness for particular purposes, with respect to the operation or use of AMD hardware, software or other products described herein. Any computer system has risks of security vulnerabilities that cannot be completely prevented or mitigated. No license, including implied or arising by estoppel, to any intellectual property rights is granted by this document. Terms and limitations applicable to the purchase or use of AMD’s products are as set forth in a signed agreement between the parties or in AMD's Standard Terms and Conditions of Sale.
AMD, the AMD Arrow logo, AGESA, EPYC, Radeon, Ryzen, Threadripper and combinations thereof are trademarks of Advanced Micro Devices, Inc. CVE and the CVE logo are registered trademarks of The MITRE Corporation. Other product names used in this publication are for identification purposes only and may be trademarks of their respective companies.
Third party content may be licensed to you directly by the third party that owns the content and is not licensed to you by AMD. ALL LINKED THIRD-PARTY CONTENT IS PROVIDED ‘AS IS’ WITHOUT A WARRANTY OF ANY KIND. USE OF SUCH THIRD-PARTY CONTENT IS DONE AT YOUR SOLE DISCRETION AND UNDER NO CIRCUMSTANCES WILL AMD BE LIABLE TO YOU FOR ANY THIRD-PARTY CONTENT. YOU ASSUME ALL RISK AND ARE SOLELY RESPONSIBILITY FOR ANY DAMAGES THAT MAY ARISE FROM YOUR USE OF THIRD-PARTY CONTENT.
© 2024 Advanced Micro Devices, Inc. All rights reserved.