AMD Zen 1-4 Processors Have 4 ‘High Security’ Vulnerabilities

AMD disclosed four “high security” vulnerabilities affecting its Zen 1–4 processors, including the popular Ryzen 3000 desktop and 4000 mobile series CPUs. These vulnerabilities can drastically affect performance and security across an array of AMD-based systems, including servers, gaming desktop PCs, and workstation PCs utilizing AMD processors.

AMD’s latest processors are the Ryzen 5 8600G and Ryzen 7 8700G, which both offer CPU functions and integrated graphics on a single chip often referred to as an APU. APUs are a great budget-friendly option for those wanting to build their first PC and buy a graphics card at a later date, since a dedicated GPU is not required. In addition, PC builders may look at older generation AMD Ryzen CPUs, including the popular Ryzen 5 3600, as an alternative for budget builds.

Reported by Guru3D, AMD’s latest security bulletin announcement reveals that four vulnerabilities are currently affecting Ryzen 3000, 4000 mobile, Embedded V2000, and Embedded V3000 processors. These vulnerabilities are classified as high risk, since malicious users can bypass certain dual serial peripheral interface processes and remotely execute code. As a result, AMD advises users to be careful and take security precautions until new BIOS updates are released. Ryzen 4000 series APUs will receive BIOS updates before the end of February 2024, followed by Ryzen 3000 series CPUs in March 2024 and embedded processors in April 2024. Those wanting to build a new PC may want to consider newer budget AMD gaming CPUs to avoid these vulnerabilities entirely.

AMD Zen1-4 Vulnerabilities and Affected Processors

• Ryzen 3000, 4000, and Embedded V2000 and V3000 processors
  • CVE-2023-20576 – Insufficient Verification of Data Authenticity in AGESA may allow an attacker to update SPI ROM data potentially resulting in denial of service or privilege escalation.
  • CVE-2023-20577 – A heap overflow in SMM module may allow an attacker with access to a second vulnerability that enables writing to SPI flash, potentially resulting in arbitrary code execution.
  • CVE-2023-20579 – Improper Access Control in the AMD SPI protection feature may allow a user with Ring0 (kernel mode) privileged access to bypass protections potentially resulting in loss of integrity and availability.
  • CVE-2023-20587 – Improper Access Control in System Management Mode (SMM) may allow an attacker access to the SPI flash potentially leading to arbitrary code execution.

All four vulnerabilities were discovered by AMD security researchers, who normally test current and outdated hardware and software for BIOS revisions. Fortunately, the vulnerabilities have already been patched on AMD’s latest gaming processors, including Ryzen 7000 and 8000 processors. Users may want to double-check their current BIOS version to ensure it’s up-to-date with the latest version, however. If a new BIOS version is available, users may use a USB drive to initiate a BIOS flash after downloading the files for the latest version.

Updating Windows 11 to the latest version is also recommended by AMD, since security updates can help protect a user’s PC and data. AMD’s latest desktop components and laptops support many features that are currently present on Windows 11, including DirectStorage and USB 4.0.