AMD has disclosed new BIOS-side vulnerabilities across all of its Zen CPU generations, which has particularly impacted the SPI connection, compromising security.
The emergence of vulnerabilities across CPU architectures isn't surprising, but this time, AMD has apparently discovered something much bigger, impacting a more extensive consumer base, and the severity of it is listed as "high" this time as well. Moreover, the discovered vulnerabilities enter from your motherboard's BIOS as well; hence, the matter is indeed sensitive, and according to AMD, the consequences of the mentioned include the "trigger" of arbitrary codes and much more.
Moving into the specifics, AMD mentions that the vulnerability is broken down into four different compromises, and it relies on "messing up" with your SPI interface, which can lead to malicious activities such as denial of service, execution of arbitrary codes, and the bypass of your system's integrity. Team Red has described the vulnerabilities in multiple CVEs, and you can view their findings below to have an idea of how costly it can be:
CVE Severity CVE Description CVE-2023-20576 High Insufficient Verification of Data Authenticity in AGESA may allow an attacker to update SPI ROM data potentially resulting in denial of service or privilege escalation. CVE-2023-20577 High A heap overflow in SMM module may allow an attacker with access to a second vulnerability that enables writing to SPI flash, potentially resulting in arbitrary code execution. CVE-2023-20579 High Improper Access Control in the AMD SPI protection feature may allow a user with Ring0 (kernel mode) privileged access to bypass protections potentially resulting in loss of integrity and availability. CVE-2023-20587 Read more on wccftech.com