AMD and Intel have released a series of patches that fix some serious security issues affecting their respective hardware offerings.
First, AMD found and fixed four vulnerabilities affecting different versions of its Zen-based CPUs.
The vulnerabilities allow threat actors to, among other things, execute malicious code on targeted devices, but while the company addressed the flaws by releasing patches, the fixes have yet to reach all users.
Fixing Zenbleed
The bugs AMD found affect different CPUs (they don't always overlap). However, all of them compromise the security of the SPI interface, which connects to the flash chip that stores the BIOS. The vulnerabilities are tracked as CVE-2023-20576, CVE-2023-20577, CVE-2023-20579, and CVE-2023-20587, and all are classified as “high severity.”
In theory, a threat actor could abuse these flaws to mount denial-of-service attacks, escalate privileges, and execute arbitrary code, potentially resulting in a complete takeover of the endpoint. The positive side here is that attackers would need to have local access to the vulnerable system.
The bugs affected both the original Zen chips and the latest Zen 4 processors, and many of the variants in between. The full list of affected chips and patches can be found on AMD's website. advisory posted earlier this week. AMD fixed the bugs by releasing a new version of AGESA, the base code for the motherboard BIOS. The new version for Zen 2-based chips also patches Zenbleed.
To get the new versions of AGESA, a new BIOS needs to be rolled out to users, so even though the new AGESA is technically available, that doesn't mean all motherboards can be updated immediately.
AMD credited Enrique Nissim, Krzysztof Okupski, and Joseph Tartaro of IOActive for discovering and reporting these issues, although it added that “some of the findings were made on PCs with outdated firmware or software.” He urged all customers to apply patches as soon as possible and recommended that they follow security best practices to stay safe.
Intel patches three dozen bugs
At the same time, Intel patched nearly three dozen different vulnerabilities, affecting various programs and firmware.
In total, 32 errors were software and affected different chipset drivers, Wi-Fi and other components. The remaining two bugs were software and firmware glitches that affected Thunderbolt.
The software issue, which affected Thunderbolt controllers, was particularly concerning as it spanned 20 different exploits that could allow threat actors to escalate privileges, conduct denial-of-service attacks, and steal data. Of the 20, three are “high severity.”
Good news is that most of the 20 Thunderbolt controllers require local access to the device. The bad news is that to fix all the flaws, users must update each software and firmware listed by Intel, separately.
Through Tom Hardware