Il BIOS it is software integrated on the computer’s motherboard. It is located on an EEPROM chip (Electrically Erasable Programmable Read-Only Memory) or on a flash ROM and has the task of providing the basic instructions necessary to start the machine. These instructions include the initial hardware check, testing, and initializing essential components such as the CPU, RAM, and input/output peripherals.
AMD just confirmed the existence of four vulnerability in processors based on the Zen architecture, from the first models up to the most recent Zen 4. The security flaws in question are relevant because they affect theSPI interface (Serial Peripheral Interface), which connects the CPU to the chip on the motherboard where the BIOS is stored.
Why SPI bus level vulnerabilities are important in the case of AMD Zen processors
As stated in the press release signed by AMD, security gaps can allow malicious users to carry out DoS attacks (Denial of Service), gain higher privileges, and even execute arbitrary code. This last threat is particularly important even if, for theexecution of malicious codethe physical availability of the victim’s system is necessary for the attacker.
Not all AMD chips involved can count on versions of the BIOS updated to correct the problem and avoid risks of attack.
Remediation of vulnerabilities involves updating theAGESA (AMD Generic Encapsulated Software Architecture), an integral part of the BIOS. The company led by Lisa Su has already released new versions of AGESA for almost all of its processors. However, not all motherboard manufacturers have yet distributed new updates with the correct AGESA.
What processors and motherboards are involved
AMD’s note explicitly reports the AGESA versions patchate for different processor series, along with availability for i motherboard manufacturers. For example, for Ryzen 5000 processors, AGESA 1.2.0.B is available as early as August 25, 2023.
Examining the tables shared by the Sunnyvale manufacturer, however, it appears clear that to protect your systems from the Zenbleed flaw, which we talked about in July 2023, the AGESA version 1.2.0.C. And it is not a problem to be underestimated because vulnerabilities that put personal data and user credentials at risk can also be extracted remotely using codice JavaScriptwithout using elevated privileges.
AMD also provides AGESA version information for processors EPYC, Threadripper and Ryzen Embedded, as well as evidently for most mainstream Ryzen.
The US company points out that it may take some time before new versions of AGESA actually reach end-user motherboards. For EPYC, Embedded and Mobile processors, in particular, it is difficult to determine which motherboards offer the latest BIOS version.
In the case of Ryzen and Threadripper processors consumerHowever, it is easier to obtain information on available AGESA versions by checking the content of the websites of major motherboard manufacturers, such as ASUS, ASRock, Gigabyte and MSI.
The opening image is taken from the AMD website.