AMD has updated information on vulnerabilities in its processors. The list has been expanded to include data on 31 vulnerabilities affecting consumer Ryzen processors and server EPYCs, among others. The company also published a list of the AGESA library versions that implement fixes for the identified vulnerabilities.
The AMD Generic Encapsulated Software Architecture (AGESA) library is used by motherboard manufacturers to create BIOS firmware. Although AMD has granted OEMs access to new versions of AGESA, the timing of the availability of BIOS firmware with fixes for the identified vulnerabilities depends on the board manufacturers. This means that affected users should check for the latest BIOS versions themselves; these are usually published on motherboard manufacturers' websites.
According to published data, three vulnerabilities affect desktop and mobile versions of Ryzen consumer processors. They can be exploited by compromising the BIOS or attacking the AMD Secure Processor (ASP) bootloader. The vulnerabilities affect desktop versions of AMD Ryzen 2000 processors, as well as Ryzen 2000G and 5000G hybrid chips with integrated graphics (Raven Ridge and Cezanne). AMD Threadripper 2000 and 3000 processors are also affected, as well as numerous Ryzen 2000, 3000, 5000, 6000 and Athlon 3000 mobile processors.
The remaining 28 vulnerabilities, four of which are of high severity, affect EPYC server processors. Attackers can exploit these vulnerabilities to perform various types of attacks, including remote code execution and data theft.