zenbleed AMD and Intel have revealed a host of major security errors — make sure you patch immediately, as it includes a fix for Zenbleed at last

TechRadar · February 15

AMD and Intel have both released a host of patches fixing some serious security issues affecting their respective hardware offerings.

First up, AMD has found and fixed four vulnerabilities that were plaguing different versions of its Zen-based CPUs.

The vulnerabilities allow threat actors to, among other things, run malicious code on the targeted devices - but while the company did address the flaws by releasing patches, the fixes are yet to reach all users.

Fixing Zenbleed

The flaws AMD found affect different CPUs (they don’t always overlap). However, they all compromise the security of the SPI interface, which connects to the flash chip that stores the BIOS. The vulnerabilities are tracked as CVE-2023-20576, CVE-2023-20577, CVE-2023-20579, and CVE-2023-20587, and are all rated as “high severity”.

In theory, a threat actor would be able to abuse these flaws to mount denial of service attacks, to escalate privileges, and execute arbitrary code, which could result in complete endpoint takeover. The silver lining here is that the attackers would need to have local access to the vulnerable system.

The flaws affected both original Zen chips and the latest Zen 4 processors, and many of the variants in between. The full list of affected chips, and the patches, can be found on AMD’s advisory published earlier this week. AMD patched the flaws by issuing a new version of AGESA, the base code for motherboard BIOS. The new version for Zen 2-based chips also patch Zenbleed.

To get the new AGESA versions, new BIOS needs to be deployed to the users, so even though new AGESA is technically available, it doesn’t mean all motherboards can be updated straight away.

AMD credited Enrique Nissim, Krzysztof Okupski, and Joseph Tartaro of IOActive for the discovery and reporting of these issues, although it added that “some of the findings were made on PCs running outdated firmware or software”. It urged all customers to apply the patches as soon as possible and recommended they follow security best practices to remain secure.

Intel patches three dozen flaws

At the same time, Intel patched almost three dozen different vulnerabilities, affecting various software and firmware.

In total, 32 bugs were for software, impacting different chipset drivers, Wi-Fi, and other components. The remaining two bugs were software and firmware flaws affecting Thunderbolt.

The software issue, affecting Thunderbolt drivers, was particularly worrying as it encompassed 20 different exploits that could allow threat actors to escalate privileges, perform denial of service attacks, and steal data. Of the 20, three are “high severity”.

A sliver of good news is that the majority of the 20 Thunderbolt drivers require local access to the device. The bad news is that in order to address all of the flaws, users need to update every software and firmware listed by Intel, separately.

Via Tom’s Hardware