Here's a concise overview of the four vulnerabilities:
CVE-2023-20576: Insufficient authenticity of AGESA verification data may permit unauthorized updates to SPI ROM data, potentially resulting in denial of service or privilege escalation.
CVE-2023-20577: A heap overflow bit in the SMM module enables an attacker to exploit a secondary vulnerability, allowing unauthorized write access to SPI flash memory, facilitating arbitrary code execution.
CVE-2023-20579: Inadequate access control in the AMD SPI protection function enables exploitation by users with Ring0 privileged access, potentially compromising integrity and availability.
CVE-2023-20587: Inappropriate access control in System Management Mode (SMM) allows unauthorized access to SPI flash memory, facilitating arbitrary code execution.
Users of Ryzen 3000 series desktop CPUs, 4000 series mobile APUs, embedded V2000 chips, or V3000 systems should remain vigilant, as not all issues affecting these product generations have been patched. AMD plans to release updates later this month to address vulnerabilities in 4000 series APUs, followed by a BIOS update in March 2024 for 3000 series CPUs and a fix for embedded products in April.
| CPU generation | Fixed minimum version | Online date |
|---|---|---|
| 1st Gen AMD EPYC | NaplesPI 1.0.0.K | 2023-Apr-27 |
| 2nd Gen AMD EPYC | RomePI 1.0.0.H | 2023-Nov-07 |
| 3rd Gen AMD EPYC | MilanPI 1.0.0.C | 2023-Dec-18 |
| 4th Gen AMD EPYC | GenoaAPI 1.0.0.8 | 2023-Jun-09 |
| Ryzen 3000 Desktop | ComboAM4 1.0.0.B | 2024-Mar |
| Ryzen 5000 Desktop | ComboAM4v2 1.2.0.B | 2023-Aug-25 |
| Ryzen 5000 Desktop w/ Radeon | ComboAM4v2PI 1.2.0.C | 2024-Feb-07 |
| Ryzen 7000 Desktop | ComboAM5 1.0.8.0 | 2023-Aug-29 |
| Ryzen 3000 Desktop w/ Radeon | ComboAM4 1.0.0.B | 2024-Mar |
| Ryzen 4000 Desktop w/ Radeon | ComboAM4v2PI 1.2.0.C | 2024-Feb-07 |
| Ryzen Threadripper 3000 | CastlePeakPI-SP3r3 1.0.0.A | 2023-Nov-21 |
| Ryzen Threadripper Pro 3000WX | ChagallWSPI-sWRX8 1.0.0.7 | 2024-Jan-11 |
| Ryzen Threadripper Pro 5000WX | ChagallWSPI-sWRX8 1.0.0.7 | 2024-Jan-11 |
| Athlon 3000 Mobile w/ Radeon | PollockPI-FT5 1.0.0.6 | 2023-Oct-26 |
| Ryzen 3000 Mobile w/ Radeon | PicassoPI-FP5 1.0.1.0 | 2023-May-31 |
| Ryzen 4000 Mobile w/ Radeon | RenoirPI-FP6 1.0.0.D | 2024-Feb |
| Ryzen 5000 Mobile w/ Radeon | CezannePI-FP6 1.0.1.0 | 2024-Jan-25 |
| Ryzen 7020 w/ Radeon | MendocinoPI-FT6 1.0.0.6 | 2024-Jan-03 |
| Ryzen 6000 w/ Radeon | RembrandtPI-FP7 1.0.0.A | 2023-Dec-28 |
| Ryzen 7035 w/ Radeon | RembrandtPI-FP7 1.0.0.A | 2023-Dec-28 |
| Ryzen 5000 w/ Radeon | CezannePI-FP6 1.0.1.0 | 2024-Jan-25 |
| Ryzen 3000 w/ Radeon | CezannePI-FP6 1.0.1.0 | 2024-Jan-25 |
| Ryzen 7040 w/ Radeon | PhoenixPI-FP8-FP7 1.1.0.0 | 2023-Oct-06 |
| Ryzen 7045 Mobile | DragonRangeFL1PI 1.0.0.3b | 2023-Aug-30 |
| EyPC Embedded 3000 | Snowyowl PI 1.1.0.B | 2023-Dec-15 |
| Epyc Embedded 7002 | EmbRomePI-SP3 1.0.0.B | 2023-Dec-15 |
| Epyc Embedded 7003 | EmbMilanPI-SP3 1.0.0.8 | 2024-Jan-15 |
| Epyc Embedded 9003 | EmbGenoaPI-SP5 1.0.0.3 | 2023-Sep-15 |
| Ryzen Embedded R1000 | EmbeddedPI-FP5 1.2.0.A | 2023-Jul-31 |
| Ryzen Embedded R2000 | EmbeddedPI-FP5 1.0.0.2 | 2023-Jul-31 |
| Ryzen Embedded 5000 | EmbAM4PI 1.0.0.4 | 2023-Sep-22 |
| Ryzen Embedded V1000 | EmbeddedPI-FP5 1.2.0.A | 2023-Jul-31 |
| Ryzen Embedded V2000 | EmbeddedPI-FP6 1.0.0.9 | 2024-Apr |
| Ryzen Embedded V3000 | EmbeddedPI-FP7r2 1.0.0.9 | 2024-Apr |
Here the link address of AMD’s official announcement . Interested users can read it more in depth.
