Multiple vulnerabilities in AMD EPYC processors



Published: 2024-10-02
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 7
CVE-ID: CVE-2023-20578, CVE-2021-26344, CVE-2023-20591, CVE-2023-20584, CVE-2023-31356, CVE-2021-46772, CVE-2023-20518
CWE-ID: CWE-367, CWE-787, CWE-665, CWE-20, CWE-459
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
3rd Gen AMD EPYC Processors
Hardware solutions / Firmware

4th Gen AMD EPYC Processors
Hardware solutions / Firmware

1st Gen AMD EPYC Processors
Hardware solutions / Firmware

2nd Gen AMD EPYC Processors
Hardware solutions / Firmware

Vendor: AMD

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Time-of-check Time-of-use (TOCTOU) Race Condition

EUVDB-ID: #VU97943

Risk: Low

CVSSv3.1: 3.6 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20578

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper handling of certain special address ranges with invalid device table entries (DTEs). A local user can induce DTE faults to bypass RMP checks in SEV-SNP.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

3rd Gen AMD EPYC Processors: before MilanPI 1.0.0.C

4th Gen AMD EPYC Processors: before GenoaPI 1.0.0.B

External links

http://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds write

EUVDB-ID: #VU97944

Risk: Low

CVSSv3.1: 5.6 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-26344

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error when processing the AMD PSP1 Configuration Block (APCB). A local user can trigger an out-of-bounds write, modify the APCB block and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

1st Gen AMD EPYC Processors: All versions

2nd Gen AMD EPYC Processors: before RomePI 1.0.0.C

3rd Gen AMD EPYC Processors: before MilanPI 1.0.0.5

External links

http://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Initialization

EUVDB-ID: #VU97945

Risk: Medium

CVSSv3.1: 5.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20591

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a malicious guest to compromise the affected system.

The vulnerability exists due to improper initialization of IOMMU during the DRTM event. A malicious guest can read or modify hypervisor memory.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

3rd Gen AMD EPYC Processors: before MilanPI 1.0.0.B

4th Gen AMD EPYC Processors: before GenoaPI 1.0.0.8

External links

http://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU97948

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20584

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of special address ranges with invalid device table entries (DTEs) in IOMMU. A local user can induce DTE faults to bypass RMP checks in SEV-SNP.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

3rd Gen AMD EPYC Processors: before MilanPI 1.0.0.C

4th Gen AMD EPYC Processors: before GenoaPI 1.0.0.B

External links

http://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Incomplete cleanup

EUVDB-ID: #VU97951

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-31356

CWE-ID: CWE-459 - Incomplete cleanup

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incomplete system memory cleanup in SEV firmware. A local privileged user can corrupt guest private memory.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

3rd Gen AMD EPYC Processors: before MilanPI 1.0.0.C

4th Gen AMD EPYC Processors: before GenoaPI 1.0.0.B

External links

http://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Out-of-bounds write

EUVDB-ID: #VU97953

Risk: Low

CVSSv3.1: 3.4 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-46772

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in the ABL. A local privileged user with access to the BIOS menu or UEFI shell can tamper with the structure headers in SPI ROM and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

2nd Gen AMD EPYC Processors: before RomePI 1.0.0.E

3rd Gen AMD EPYC Processors: before GenoaPI 1.0.0.9

External links

http://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Incomplete cleanup

EUVDB-ID: #VU97954

Risk: Low

CVSSv3.1: 1.7 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20518

CWE-ID: CWE-459 - Incomplete cleanup

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incomplete cleanup in the ASP. A local privileged user with access to the BIOS menu or UEFI shell can obtain the Master Encryption Key (MEK).


Mitigation

Install updates from vendor's website.

Vulnerable software versions

4th Gen AMD EPYC Processors: before GenoaPI 1.0.0.4

External links

http://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
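The "Vulnerable software versions" entries above can be turned into a fleet check: given an EPYC generation and the AGESA PI version string a host reports, list which of the seven CVEs that firmware is still exposed to. The script below is an added example, not part of the bulletin or of AMD's tooling; it copies the fixed versions from the entries above and assumes that the last component of a PI version is a hexadecimal digit (so 1.0.0.B is newer than 1.0.0.9, as the bulletin's thresholds imply), and that the version string is obtained from the platform's BIOS/AGESA information by some means outside this script.

```python
import re

# Fixed AGESA PI versions copied from the seven entries above (CVE -> {generation: fixed}).
# "ALL" means the bulletin lists every version of that generation as affected.
FIXED_VERSIONS = {
    "CVE-2023-20578": {"3rd": "MilanPI 1.0.0.C", "4th": "GenoaPI 1.0.0.B"},
    "CVE-2021-26344": {"1st": "ALL", "2nd": "RomePI 1.0.0.C", "3rd": "MilanPI 1.0.0.5"},
    "CVE-2023-20591": {"3rd": "MilanPI 1.0.0.B", "4th": "GenoaPI 1.0.0.8"},
    "CVE-2023-20584": {"3rd": "MilanPI 1.0.0.C", "4th": "GenoaPI 1.0.0.B"},
    "CVE-2023-31356": {"3rd": "MilanPI 1.0.0.C", "4th": "GenoaPI 1.0.0.B"},
    "CVE-2021-46772": {"2nd": "RomePI 1.0.0.E", "3rd": "GenoaPI 1.0.0.9"},  # as printed above
    "CVE-2023-20518": {"4th": "GenoaPI 1.0.0.4"},
}

_PI_RE = re.compile(r"^([A-Za-z]+PI)\s+(\d+)\.(\d+)\.(\d+)\.([0-9A-Fa-f]+)$")


def parse_pi(version):
    """Parse 'MilanPI 1.0.0.C' into ('MilanPI', (1, 0, 0, 12)).

    Assumption (not stated by the bulletin): the last component is a hex digit,
    which is the only reading under which 1.0.0.B and 1.0.0.C are newer than 1.0.0.9.
    """
    m = _PI_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised AGESA PI version: {version!r}")
    name, a, b, c, d = m.groups()
    return name, (int(a), int(b), int(c), int(d, 16))


def check_firmware(generation, installed):
    """Classify each CVE for a host of the given generation ('1st'..'4th') running
    the given PI version: 'exposed' (below the fixed version or no fix listed),
    'fixed' (at or above it) or 'unknown' (bulletin threshold is for a different PI
    family, e.g. a GenoaPI version listed under 3rd Gen, so no comparison is possible)."""
    inst_name, inst_tuple = parse_pi(installed)
    result = {"exposed": [], "fixed": [], "unknown": []}
    for cve, table in FIXED_VERSIONS.items():
        fixed = table.get(generation)
        if fixed is None:
            continue  # this generation is not listed for this CVE
        if fixed == "ALL":
            result["exposed"].append(cve)
            continue
        fix_name, fix_tuple = parse_pi(fixed)
        if fix_name != inst_name:
            result["unknown"].append(cve)
        elif inst_tuple < fix_tuple:
            result["exposed"].append(cve)
        else:
            result["fixed"].append(cve)
    return result
```

A 3rd Gen host on MilanPI 1.0.0.B, for instance, is reported as still exposed to CVE-2023-20578, CVE-2023-20584 and CVE-2023-31356, with CVE-2021-46772 flagged as not comparable because the bulletin gives a GenoaPI threshold for it.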
