News AMD Discloses 31 New CPU Vulnerabilities, Issues Patch Guidance

DavidLejdar

Prominent
Sep 11, 2022
240
140
760
No BIOS update available here yet.

I'm not patching if there's a performance hit. If someone wants to hack my PC and steal all my memes, let them.
Yeah, sometimes it seems best to wait out an update for a bit, when it all works fine as is. But then again, in regard to malicious code, that can impact performance. I.e., if someone is stealing that perhaps even 1 TB of memes, that would take up quite some of the performance of your storage device and of your internet connection.
 
  • Like
Reactions: greenreaper
D

Deleted member 14196

Guest
Those type of people should be is console players
 

Sleepy_Hollowed

Distinguished
Jan 1, 2017
501
195
19,070
Outside the ones that don’t have much info, a chunk are resolved with the .7 firmware, then others with .8 but I think that’s new, not widely available.

good on them to release it instead of leaving it to users to hunt individually, and Toms for listing this.
 
Jan 14, 2023
1
0
10
Minimum version to mitigate all listed CVEs:
Raven-FP5-AM4 1.1.0.D
ComboAM4PI 1.0.0.8
ComboAM4v2 PI 1.2.0.4
PinnaclePI-AM4 1.0.0.C

My B350 chipset BIOS, dated May 2022, is reporting AM4 AGESA Combo V2 PI 1.2.0.7. It seems this vulnerability is at least a year old and has been patched since before May last year.
 
Jan 15, 2023
10
3
15
My B350 chipset BIOS, dated May 2022, is reporting AM4 AGESA Combo V2 PI 1.2.0.7. It seems this vulnerability is at least a year old and has been patched since before May last year.

Asus lists BIOS with 1.2.0.5 for my X570 board as released 2021/12/15, 13 months ago.

edit:
Interestingly, Tom's reported that performance issues seemed to appear with that AGESA release:
https://www.tomshardware.com/news/agesa-1205-bugs-amd-ryzen

But non of the divulged vulnerabilities mentioned in this new release seem performance related, nor even related to anything but 1000- and 2000-series Ryzen. Has there been any intermediary vulnerability notices affecting performance, was it maybe unrelated, or is there maybe some undivulged performance-related vulnerability that has been patched?
 
Last edited:

YouFilthyHippo

Prominent
Oct 15, 2022
166
83
660
Or if someone wants to use your system to burn bitcoin, or host illegal content, or be part of a botnet.

All is good, right?

I'm one of a billion people with an AMD chip. If they hit me, they will hit everyone. The chances of a single random person getting hit are negligible. They won't be after people like me. They will be after corporations, data centers, that sort of stuff. Also, if they hit me, Ill just disconnect from the internet, clean the infection, change ip and move on. I have a better chance of getting struck by lightning and winning the lottery on the same day than I do of getting hit with this stuff. If its a miniscule performance hit, Ill take it. But Im not taking a 10%+ hit like intel did on 9th gen chips
 
Jan 15, 2023
10
3
15
They won't be after people like me. They will be after corporations, data centers, that sort of stuff. Also, if they hit me, Ill just disconnect from the internet, clean the infection, change ip and move on.


If you notice :D Someone doing a mass-infection with a vulnerability like this would probably be smart enough to just grab a few percent of available capacity to avoid getting cleaned up. Network connection getting shaky from being a node in a botnet might be the most obvious, and quite hard to pinpoint the reason for. And, since they can achieve permanence via UEFI it won't help if you format and reinstall your OS.
 

YouFilthyHippo

Prominent
Oct 15, 2022
166
83
660
If you notice :D Someone doing a mass-infection with a vulnerability like this would probably be smart enough to just grab a few percent of available capacity to avoid getting cleaned up. Network connection getting shaky from being a node in a botnet might be the most obvious, and quite hard to pinpoint the reason for. And, since they can achieve permanence via UEFI it won't help if you format and reinstall your OS.

Ya, I'll cross that bridge when I come to it. I'm a little bit more concerned about winning the lottery and getting struck by lightning on the same day. Again, I'll patch if the performance hit is near zero. But I'm not giving up even a 2% performance hit just in case I win the lottery and get struck by lightning at the same time
 

jp7189

Distinguished
Feb 21, 2012
323
187
18,860
I'm one of a billion people with an AMD chip. If they hit me, they will hit everyone. The chances of a single random person getting hit are negligible. They won't be after people like me. They will be after corporations, data centers, that sort of stuff. Also, if they hit me, Ill just disconnect from the internet, clean the infection, change ip and move on. I have a better chance of getting struck by lightning and winning the lottery on the same day than I do of getting hit with this stuff. If its a miniscule performance hit, Ill take it. But Im not taking a 10%+ hit like intel did on 9th gen chips
The big hacking corps don't care who you are. They just run continous scans and when they find a target, it gets put on a list for some schmoe working a 9-5 cubicle job to try to push something malicious to. Thats how they get billions of bots - not from being choosey with who they attack. If you are a bot, you probably wont know except for the 5-10% performance hit which is more than this patch likely causes.
 

YouFilthyHippo

Prominent
Oct 15, 2022
166
83
660
The big hacking corps don't care who you are. They just run continous scans and when they find a target, it gets put on a list for some schmoe working a 9-5 cubicle job to try to push something malicious to. Thats how they get billions of bots - not from being choosey with who they attack. If you are a bot, you probably wont know except for the 5-10% performance hit which is more than this patch likely causes.
`
The big hacking corps don't care who you are. They just run continous scans and when they find a target, it gets put on a list for some schmoe working a 9-5 cubicle job to try to push something malicious to. Thats how they get billions of bots - not from being choosey with who they attack. If you are a bot, you probably wont know except for the 5-10% performance hit which is more than this patch likely causes.

And when that 5-10% performance hit comes, Ill just clean the infection, change IP and move on
 

wbfox

Distinguished
Jul 27, 2013
76
37
18,570
Really sick of being dependent upon mobo makers to patch AMDs screw ups. What? That ancient thing from 2 years ago? Buy a new one.
 

wbfox

Distinguished
Jul 27, 2013
76
37
18,570
Asus lists BIOS with 1.2.0.5 for my X570 board as released 2021/12/15, 13 months ago.

edit:
Interestingly, Tom's reported that performance issues seemed to appear with that AGESA release:
https://www.tomshardware.com/news/agesa-1205-bugs-amd-ryzen

But non of the divulged vulnerabilities mentioned in this new release seem performance related, nor even related to anything but 1000- and 2000-series Ryzen. Has there been any intermediary vulnerability notices affecting performance, was it maybe unrelated, or is there maybe some undivulged performance-related vulnerability that has been patched?
So look into Hertzbleed Retbleed (brain go brrr). It had massive slowdown effects, but all mitigation is done through the OS not any AGESA updates. There were other CVEs all through last year, just didn't hit a lull in the news cycle for sites to write about. Everything is on AMDs site under Product Security.
 

Nikolay Mihaylov

Prominent
Jun 30, 2022
45
46
560
In all fairness, the CVEs look like software bugs (like validation checks) in the secure processor firmware and UEFI. The fixes, then, should not introduce major slowdowns. And most fixes seem to have been arround for some time already. They are only being desclosed now. People running the latest firmware should be fine provided the MB manufacturer has don its job well.
 

domih

Reputable
Jan 31, 2020
187
170
4,760
Or if someone wants to use your system to burn bitcoin, or host illegal content, or be part of a botnet.

All is good, right?

It is interesting to see the back and forth in this thread between the users who don't care (?) and the users explaining how the hacking business works.
  1. Yes, the illegal hacking business does NOT care about who you are. They only care about the potential compute resources of your PC.
  2. The underground hacking business is organized like normal companies with managers, HR and so on (especially in Russia.) The hackers penetrating a PC are not usually the ones who then exploit it for free, they resell the credentials to other companies specialized in particular activities.
  3. The underground hacking business hackers are "lazy" like any other IT person, they prioritize low hanging fruits. So if a user does not care(?), hacking his or her computer has a higher probability of happening.
  4. Once illegally inside a PC, a big part of the underground hacking business is to do processing at low level on a user's PC, e.g. coin mining, spam, botnet. The additional tragedy is that the victim user pays for the electricity, not the hacker.
IMHO the "users who don't care (?)" are probably not aware of the volume and sophistication of the illegal hacking business industry. So far this industry is flourishing and... winning.

The "users who don't care (?)" might want to for instance add https://www.bleepingcomputer.com/ to their daily online reading habit.

Example: if you think your cherished passwords are protected in an unbreakable vault, make sure to follow news like:


Up to you to care or not, but it is not about you, it is about your PC resources and the electricity bill at the end of the month stolen by someone elsewhere on the planet.

Think about it with this analogy: without your knowledge, someone uses your car when you are not using it, and you pay for the gas. Would you care or not?
 
Last edited: