Thankfully the latest BIOS with the respective security patch for the MSI MEG X570 Unify has already been available since November 1st, 2023 so I'm good. For my old Intel platform I had to contact Gigabyte support back in the day so they could send me a beta BIOS to patch the "Spectre" vulnerability.

Ryzen 5000 Desktop - ComboAM4v2 1.2.0.B - 2023-Aug-25 So my 5950X has been patched then since last year has it? I installed latest BIOS 4702 a while ago.

Strange how it affects 1st gen Epyc, but not first-gen Ryzen or Zen+. In any case, good thing it's just SPI since that means the fix shouldn't have much of a performance impact.

So many vulnerabilities on modern CPUs...:( Good thing i`m a nobody, so i`m kinda of safe... 😳

H83:

So many vulnerabilities on modern CPUs...:(

The vast majority hardly matter. Anything that requires physical access is a moot vulnerability as far as I'm concerned.

Good thing i`m a nobody, so i`m kinda of safe... 😳

Well, you can always mention your IP address, the OS you're running, admin/root password, and forward your RDP or SSH ports. That way, you'll get to feel like an unsafe somebody!:D

So, to address the elephant in the room.... do we see performance impacts of such mitigations?

so basically physical access needed or fake/compromised application to update the firmware needed... ok, when talking about serious shit, like the SSH RSA giant hole? https://eprint.iacr.org/2023/1711.pdf yes, limited to some settings using rsa keys, yes a gazillion of ssh connections stil use rsa keys.

Alessio1989:

so basically physical access needed or fake/compromised application to update the firmware needed...

CVE-2024-LOL-CPU: The "ChipperChuckle" Vulnerability Description: The "ChipperChuckle" vulnerability affects the widest possible range of CPUs (meaning all of them,) allowing malicious actors to execute arbitrary code without proper authorization. This vulnerability stems from the fundamental ability of CPUs to execute instructions, including those intended for malicious purposes, such as malware. Impact: Attackers can exploit this vulnerability to run code on affected systems, potentially leading to data theft, system compromise, and other malicious activities. The ability of CPUs to execute code, while essential for their functionality, poses a significant security risk when exploited by attackers. Solution: Use a pen and some paper instead of a CPU.

Alessio1989:

ok, when talking about serious crap, like the SSH RSA giant hole? https://eprint.iacr.org/2023/1711.pdf yes, limited to some settings using rsa keys, yes a gazillion of ssh connections stil use rsa keys.

I don't think that's such a big issue. Most modern distros no longer use RSA by default, and you're not all that vulnerable if you haven't forwarded port 22. Of those who are stuck using RSA and need to SSH outside of the LAN, either change the port number or use a VPN.

RealNC:

CVE-2024-LOL-CPU: The "ChipperChuckle" Vulnerability Description: The "ChipperChuckle" vulnerability affects the widest possible range of CPUs (meaning all of them,) allowing malicious actors to execute arbitrary code without proper authorization. This vulnerability stems from the fundamental ability of CPUs to execute instructions, including those intended for malicious purposes, such as malware. Impact: Attackers can exploit this vulnerability to run code on affected systems, potentially leading to data theft, system compromise, and other malicious activities. The ability of CPUs to execute code, while essential for their functionality, poses a significant security risk when exploited by attackers. Solution: Use a pen and some paper instead of a CPU.

If all these people with their password on a sticky note that covers your post on their screen could see this...they would be very mad. As long as their free password manager works you are safe!

schmidtbag:

Strange how it affects 1st gen Epyc, but not first-gen Ryzen or Zen+. In any case, good thing it's just SPI since that means the fix shouldn't have much of a performance impact.

I would think that its actually that those products are end of life and werent tested, though its worth mentioning that first gen epyc uses a different stepping than the consumer ryzen chips.

schmidtbag:

The vast majority hardly matter. Anything that requires physical access is a moot vulnerability as far as I'm concerned.

schmidtbag:

I don't think that's such a big issue. Most modern distros no longer use RSA by default, and you're not all that vulnerable if you haven't forwarded port 22. Of those who are stuck using RSA and need to SSH outside of the LAN, either change the port number or use a VPN.

It requires only one infected system in your environment to exploit such vulnerabilities. AMD at least is capable of providing proper security patches, whilst intel cannot since their architecture is a culprit for most of their vulnerabilities. It is mainly Meltdown and Spectre that requires physical access with intel (and a few others), but most vulnerabilities don't (e.g. Zombieload, Downfall, Foreshadow etc.). Yes, they have names. Afaik AMD managed to fix all their known vulnerabilities when you're up to date with mentioned BIOS. There might be new vulnerabilities that got leaked just recently or are not public yet.

geogan:

Ryzen 5000 Desktop - ComboAM4v2 1.2.0.B - 2023-Aug-25 So my 5950X has been patched then since last year has it? I installed latest BIOS 4702 a while ago.

Yes. Usually if a researcher detects a new vulnerability, they report it to the manufacturer giving them time to respond and to fix it, before going public with it. I think in this case AMD was informed beforehand and they managed to provide a fix before the vulnerability was publicly announced.

schmidtbag:

I don't think that's such a big issue. Most modern distros no longer use RSA by default, and you're not all that vulnerable if you haven't forwarded port 22. Of those who are stuck using RSA and need to SSH outside of the LAN, either change the port number or use a VPN.

you perfectly know how many systems are stuck with old software and operating systems

Alessio1989:

you perfectly know how many systems are stuck with old software and operating systems

I do - in fact, the company I work for has a mission-critical server running 1980s software and the Linux 2.6 kernel (we are trying to get rid of this thing). It's so old, many modern distros can't even SSH into it without some sshd config overrides. Like I said though, use an obscure port or use a VPN. In some cases you could probably use a restrictive firewall, but that's more hassle than a VPN.