AMD disclosed 31 new CPU vulnerabilities in an update in January, affecting both the Ryzen chips for home users and the EPYC processors for data centers. The vulnerability update also includes a comprehensive list of AGESA versions with workarounds for the affected processors. AMD disclosed the vulnerabilities in a coordinated disclosure with multiple researchers, including teams from Google, Apple and Oracle, giving the company time to develop remedies before they were publicly disclosed. However, AMD did not announce the vulnerabilities in a press release or in any other way, but only published the lists, which is, however, so common.
AMD has listed the various AGESA revisions it has issued to its OEMs to address the vulnerabilities (AGESA code is used to create BIOS/UEFI code). However, the availability of new BIOS patches with the new AGESA code varies depending on the manufacturer. This means checking with your motherboard or system manufacturer to see if they have released new BIOS versions with the correct AGESA code. AMD says that it normally reports vulnerabilities twice a year, in May and November, but has decided to release some of them now in January due to the relatively large number of new vulnerabilities and the timing of the mitigations.
It’s not yet clear if there will be performance degradation like we’ve seen with other remedies like Spectre and Meltdown. As has happened with older systems, some may not be updated. It also appears that there are no remedies yet for some affected models.
The vulnerabilities include three new variants for the Ryzen desktop PCs, HEDT, Pro and Mobile processors for consumers. One of the vulnerabilities is rated as high severity, while the other two are rated as medium or low severity. These vulnerabilities can be exploited either by BIOS hacks or by attacking the AMD Secure Processor (ASP) bootloader. The vulnerabilities affect the Ryzen 2000 series Pinnacle Ridge desktop chips as well as the 2000 and 5000 series APU product lines that feature integrated graphics (Raven Ridge, Cezanne). In addition, AMD’s Threadripper 2000- and 3000-series HEDT and Pro processors are also affected, as well as numerous Ryzen 2000-, 3000-, 5000-, 6000- and Athlon 3000-series mobile processors.
AMD has also listed 28 vulnerabilities for its EPYC processors, four of which are of high severity. Three of the high severity variants allow execution of arbitrary code through various attack vectors, while one allows data to be written to specific regions, which can lead to loss of data integrity and availability. In addition, the researchers discovered 15 other vulnerabilities classified as medium severity and nine vulnerabilities with low severity.
Researchers will be looking more closely at AMD’s architectures in search of potential security vulnerabilities given its recent success in taking market share from Intel, especially in the security-critical data center market. AMD has also uncovered several other new vulnerabilities in the recent past, including a Meltdown-like variant that requires software recoding, as well as Hertzbleed and Take A Way.
Source: AMD (1) and (2) via Tom’s Hardware
11 Antworten
Kommentar
Lade neue Kommentare
Veteran
Urgestein
1
Veteran
Mitglied
Urgestein
Urgestein
Urgestein
Urgestein
Veteran
Mitglied
Alle Kommentare lesen unter igor´sLAB Community →