News AMD discloses slew of high severity security vulnerabilities for Zen CPUs that attack BIOS chips — updates aim to patch bugs, finally fix Zenbleed

Status
Not open for further replies.

Order 66

Grand Moff
Apr 13, 2023
Are these the type of "vulnerabilities" where an attacker basically needs to already have access to your system to take advantage of them?

If not, could someone more knowledgeable on this type of thing give an example scenario of how an unsuspecting user could fall victim to one of these vulnerabilities?
Good luck getting physical access to a system if it is at a user's house. I don't understand why these vulnerabilities even matter for most people with desktop PCs at work or home.
 

AgentBirdnest

Respectable
Jun 8, 2022
Are these the type of "vulnerabilities" where an attacker basically needs to already have access to your system to take advantage of them?

If not, could someone more knowledgeable on this type of thing give an example scenario of how an unsuspecting user could fall victim to one of these vulnerabilities?
Wondering the same thing. I generally don't like to update my BIOS if I don't need to, so I'd like to know if I really should or not.
Because if the hacker has to physically be sitting at my PC, here in my bedroom, then I've got much bigger problems to worry about than being hacked.
 

Order 66

Grand Moff
Apr 13, 2023
Wondering the same thing. I generally don't like to update my BIOS if I don't need to, so I'd like to know if I really should or not.
Because if the hacker has to physically be sitting at my PC, here in my bedroom, then I've got much bigger problems to worry about than being hacked.
Exactly my point. I don't really think about updating my BIOS very often, even though I probably should, now that you mention it.
 

Order 66

Grand Moff
Apr 13, 2023
Amazingly, there are LOTS of systems that exist in places other than your bedroom.

Aircraft manufacturer offices, nighttime cleaning crew...
Which is why I said for most users with desktop PCs at home or work. I understand that there are systems that are vulnerable to this type of attack, but I was trying to make the point that for the vast majority of people who have their PCs at home, this is not a concern. You could make the argument that desktop PCs at the workplace are more vulnerable, I guess.
 

USAFRet

Titan
Moderator
Which is why I said for most users with desktop PCs at home or work. I understand that there are systems that are vulnerable to this type of attack, but I was trying to make the point that for the vast majority of people who have their PCs at home, this is not a concern. You could make the argument that desktop PCs at the workplace are more vulnerable, I guess.
Right.
For your system and my system at home, not really a concern.

For other people, it IS a concern.

Not everything revolves around you or the typical home user.
 
Wondering the same thing. I generally don't like to update my BIOS if I don't need to, so I'd like to know if I really should or not.
Because if the hacker has to physically be sitting at my PC, here in my bedroom, then I've got much bigger problems to worry about than being hacked.
Breaking News: Hackers can physically access your computer locally if you invite them into your home and give them your password willingly.

Computer manufacturers have issued a mitigation requiring users to answer a Captcha correctly after password entry.

More breaking news: Captcha has determined computer owners to be hackers after widespread failure to identify the tiles in a picture of the ocean surface that contain submerged submarines.
 

TJ Hooker

Titan
Ambassador
You can update the BIOS from within Windows, on at least some systems. E.g. Asus EZ Update https://www.asus.com/support/faq/1012152/

Which would mean it is possible to get at least indirect access to SPI interface/BIOS from within the OS. So do you actually need physical access, or are root privileges sufficient? This article claims the former, but it's not clear where they got that from. The source AMD bulletin doesn't describe the level of access required to exploit these vulnerabilities.
 

HopefulToad

Proper
Jan 4, 2024
Right.
For your system and my system at home, not really a concern.
This being the case, the subheading of the article probably shouldn't be "Update your BIOS ASAP" (I know you didn't write the article). It conveys a sense of urgency that likely does not apply to the majority of readers. And updating your BIOS carries a risk of bricking your motherboard, even if the risk is minor.
 

USAFRet

Titan
Moderator
This being the case, the subheading of the article probably shouldn't be "Update your BIOS ASAP" (I know you didn't write the article). It conveys a sense of urgency that likely does not apply to the majority of readers. And updating your BIOS carries a risk of bricking your motherboard, even if the risk is minor.
And if you reflexively do a BIOS update after every single article that comes out, your admin privileges should be taken away.
 

twotwotwo

Honorable
Aug 10, 2019
Now that hardware down to CPUs needs security updates, it would sure be nice if getting them promptly didn't depend on someone between the CPU maker and you. I know it's possible in some cases--I think Linux will load microcode updates without BIOS help--but not all of them I assume.

Similar situation to phone makers or carriers delaying Android updates. I know Google has done a little about that, making more components updateable out-of-band, but really all these disclosures should be "go get your updates now," as they are with bugs in, say, Windows or a Linux distribution.
 

d0x360

Distinguished
Dec 15, 2016
Now that hardware down to CPUs needs security updates, it would sure be nice if getting them promptly didn't depend on someone between the CPU maker and you. I know it's possible in some cases--I think Linux will load microcode updates without BIOS help--but not all of them I assume.

Similar situation to phone makers or carriers delaying Android updates. I know Google has done a little about that, making more components updateable out-of-band, but really all these disclosures should be "go get your updates now," as they are with bugs in, say, Windows or a Linux distribution.

CPUs and hardware have always needed security updates. Clearly someone hasn't read release notes in drivers or firmware in the last 20 years.
 

tamalero

Distinguished
Oct 25, 2006
Good luck getting physical access to a system if it is at a user's house. I don't understand why these vulnerabilities even matter for most people with desktop PCs at work or home.
My guess is... company espionage.

aka someone infiltrates or delivers a device that can do the hacking via a proxy. Like a keyboard with a chip on it?
 

snemarch

Distinguished
Feb 2, 2010
Are these the type of "vulnerabilities" where an attacker basically needs to already have access to your system to take advantage of them?
This article states "However, any attack would require local access to the affected system", but one of the four (CVE-2023-20579) on AMD's bulletin page states:
Improper Access Control in the AMD SPI protection feature may allow a user with Ring0 (kernel mode) privileged access to bypass protections potentially resulting in loss of integrity and availability.
That sounds pretty bad – that's not local/physical access, that's the ability to run code on a system (could be through a remote code execution exploit) with administrator privileges (privilege exploit after RCE) to be able to run kernel-mode code...

Need more digging to determine what exactly these flaws can be used for, but it sounds like it *might* be usable for persistent infection of UEFI flash memory. That's advanced stuff you're unlikely to be hit by as a normal consumer, but if my understanding that it doesn't require physical hardware access is correct, is still pretty serious.

Unfortunately AGESA firmware stuff requires motherboard vendor to release a new UEFI/BIOS per board – which is a bit funny, since CPU microcode patches can be included in Linux/Windows updates even though it's lower-level than the AGESA firmware... but I guess the motherboard-specific firmware has to be validated combined with the AMD-supplied AGESA, and gosh our systems are complicated these days – DDR training, voltage regulation, and who knows what happens with SMM code these days 🥳
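
Added example, not part of any post in this thread: a small shell script for the split that twotwotwo and snemarch describe, where the microcode revision can be refreshed by the OS while the BIOS/UEFI build that carries AGESA only changes with a board-vendor flash. It reads the standard Linux `microcode` field of `/proc/cpuinfo` and the `/sys/class/dmi/id` files; the function names and all sample values are constructed for this example, and the minimum revision is something you supply yourself because the thread gives none.

```shell
#!/bin/sh
# Added example (not from the thread): show which firmware layer each version
# number belongs to on a Linux host.
#   microcode revision  -> the OS can load a newer one at boot
#   BIOS version / date -> carries AGESA, changes only with a board-vendor flash

# Distinct microcode revisions in a cpuinfo-format file (default: /proc/cpuinfo).
microcode_revisions() {
    awk -F': *' '/^microcode[ \t]*:/ { print $2 }' "${1:-/proc/cpuinfo}" | sort -u
}

# Exit 0 only when every logical CPU reports the same revision.
microcode_consistent() {
    n=$(microcode_revisions "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Exit 0 when the lowest-sorting revision is >= $1 (hex, e.g. 0x1234).
# Exit 2 when the file holds no well-formed revision.
microcode_at_least() {
    hex=$(microcode_revisions "$2" | head -n 1); hex=${hex#0x}
    case $hex in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ "$((0x$hex))" -ge "$(($1))" ]
}

# One-line BIOS/UEFI identity from DMI sysfs (default: /sys/class/dmi/id).
bios_summary() {
    d=${1:-/sys/class/dmi/id}
    printf '%s %s (%s)\n' "$(cat "$d/bios_vendor")" \
        "$(cat "$d/bios_version")" "$(cat "$d/bios_date")"
}

# Constructed sample data so the script runs anywhere.
demo=$(mktemp -d)
cat > "$demo/cpuinfo" <<'EOF'
processor : 0
vendor_id : AuthenticAMD
microcode : 0xa50000d
processor : 1
vendor_id : AuthenticAMD
microcode : 0xa50000d
EOF
mkdir "$demo/dmi"
echo "Example Vendor" > "$demo/dmi/bios_vendor"
echo "1.23"           > "$demo/dmi/bios_version"
echo "01/15/2024"     > "$demo/dmi/bios_date"

echo "microcode: $(microcode_revisions "$demo/cpuinfo")"
echo "BIOS:      $(bios_summary "$demo/dmi")"
```

Calling the functions with no path argument reads the live system; compare the BIOS version and date against the board vendor's release notes, since the AGESA level is not exposed through these files.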
 