AMD and Intel have both released a host of patches that address a number of serious security issues affecting their respective hardware offerings.
First, AMD found and fixed four vulnerabilities that affected various versions of its Zen-based CPUs.
The vulnerabilities allow threat actors to, among other things, execute malicious code on the targeted devices. But while the company has addressed the shortcomings by releasing patches, the fixes have yet to reach all users.
Repair Zenbleed
The flaws AMD found affect different CPUs (they don’t always overlap). However, they all compromise the security of the SPI interface, which connects to the flash chip that stores the BIOS. The vulnerabilities are tracked as CVE-2023-20576, CVE-2023-20577, CVE-2023-20579, and CVE-2023-20587, and are all rated as “very severe.”
In theory, a threat actor could exploit these flaws to conduct denial-of-service attacks, escalate privileges, and execute arbitrary code, which could result in a complete takeover of the endpoint. The silver lining here is that the attackers must have local access to the vulnerable system.
The flaws affected both the original Zen chips and the latest Zen 4 processors, and many of the variants in between. The full list of affected chips and the patches can be found on AMD’s advisory published earlier this week. AMD addressed the shortcomings by releasing a new version of AGESA, the base code for the motherboard BIOS. The new version for Zen 2-based chips also patches Zenbleed.
To get the new AGESA versions, a new BIOS needs to be deployed to the users, so even though the new AGESA is technically available, it doesn’t mean that all motherboards can be updated right away.
AMD credited IOActive’s Enrique Nissim, Krzysztof Okupski and Joseph Tartaro with discovering and reporting these issues, although it added that “some findings were made on PCs running outdated firmware or software.” It urged all customers to apply the patches as soon as possible and advised them to follow security best practices to stay safe.
Intel fixes three dozen bugs
At the same time, Intel patched nearly three dozen different vulnerabilities affecting various software and firmware.
In total, there were 32 bugs in the software, affecting various chipset drivers, Wi-Fi and other components. The remaining two bugs were software and firmware errors that affected Thunderbolt.
The software issue, which affected Thunderbolt drivers, was particularly concerning because it included 20 different exploits that allowed threat actors to escalate privileges, conduct denial-of-service attacks, and steal data. Of the twenty, three are “very serious”.
One bit of good news is that the majority of the twenty Thunderbolt drivers require local access to the device. The bad news is that to address all the shortcomings, users will have to update all Intel-listed software and firmware separately.
Through Tom’s hardware