AMD has just revealed in the latest January update that a total of 31 new vulnerabilities have been detected in EPYC and Ryzen processors. The company has already taken appropriate actions to fix the bugs, and also released a report prepared in cooperation with teams from Apple, Google and Oracle. New variants of the AGESA software have also been announced. Holders of many Red chips should therefore beware.
As many as 28 of the total 31 discovered vulnerabilities concern AMD EPYC processors. When it comes to consumer Ryzen units, only one of the three vulnerabilities is classified as very serious.
AMD Radeon RX 7900 XTX – the failure rate of the reference version of the card can be up to 11 percent
List of vulnerable AMD processors includes desktop and mobile Ryzen models, as well as multi-core Threadripper and EPYC units. There is only one high severity vulnerability, while two others are less significant but still important.
- Ryzen 2000 (Pinnacle Ridge)
- Ryzen 2000 APUs
- APU Ryzen 5000
- AMD Threadripper 2000 HEDT and Pro
- AMD Threadripper 3000 HEDT and Pro
- Ryzen 2000 mobile processors
- Ryzen 3000 mobile processors
- Ryzen 5000 mobile processors
- Ryzen 6000 mobile processors
- Athlon 3000 mobile processors
It is worth noting that as many as 28 out of all 31 discovered vulnerabilities concern AMD EPYC processors, four of which are very serious. Three high-severity variants allow arbitrary code execution using different attack vectors, and one allows data to be written to specific regions, which can lead to loss of data integrity and availability.
When it comes to consumer Ryzen units, only one of the three vulnerabilities is classified as very serious. These vulnerabilities can be exploited by hacking into the BIOS or attacking the AMD Secure Processor (ASP) loader. All this sounds very serious, but the good news is that the new versions of the AGESA firmware have already been delivered to AMD’s partners and they are now obliged to release them as soon as possible. It is recommended that any user of the aforementioned AMD chip visit the website of the manufacturer of their motherboard and look for the appropriate update, but it may take a while for it to arrive. Usually Reds publish lists of vulnerabilities in May and November each year, but this time a large number of them forced the manufacturer to act in January.
Source: Tom’s Hardware, WCCFTech, AMD