AMD Client Vulnerabilities – May 2022
Bulletin ID: AMD-SB-1027
Potential Impact: Varies by CVE, see descriptions below
Severity: Varies by CVE, see descriptions below
Summary
During security reviews in collaboration with Google, Microsoft, and Oracle, potential vulnerabilities in the AMD Secure Processor (ASP), AMD System Management Unit (SMU), AMD Secure Encrypted Virtualization (SEV) and other platform components were discovered and have been mitigated in AMD EPYC™ AGESA™ PI packages.
CVE Details
Refer to the Glossary for an explanation of terms.
| CVE | Severity | CVE Description |
| CVE-2021-26317 | 7.9 (High) | Failure to verify the protocol in SMM may allow an attacker to control the protocol and modify SPI flash, resulting in potential arbitrary code execution. |
| CVE-2021-26335 | 7.5 (High) | Improper input and range checking in the AMD Secure Processor (ASP) boot loader image header may allow an attacker to use attacker-controlled values prior to signature validation, potentially resulting in arbitrary code execution. |
| CVE-2021-39298 | 7.5 (High) | A potential vulnerability in the AMD System Management Mode (SMM) interrupt handler may allow an attacker with high privileges to access SMM, resulting in arbitrary code execution which could be used by malicious actors to bypass security mechanisms provided in the UEFI firmware. |
| CVE-2023-20558 | High | Insufficient control flow management in AmdCpmOemSmm may allow a privileged attacker to tamper with the SMM handler, potentially leading to an escalation of privileges. |
| CVE-2023-20559 | High | Insufficient control flow management in AmdCpmGpioInitSmm may allow a privileged attacker to tamper with the SMM handler, potentially leading to an escalation of privileges. |
| CVE-2021-26373 | 7.2 (High) | Insufficient bounds checks in the System Management Unit (SMU) may result in system voltage malfunction that could result in denial of resources and/or possibly denial of service. |
| CVE-2020-12946 | 6.8 (Medium) | Insufficient input validation in ASP firmware for discrete TPM commands could allow a potential loss of integrity and denial of service. |
| CVE-2021-26361 | 6.4 (Medium) | A malicious or compromised User Application (UApp) or AGESA Boot Loader (ABL) could be used by an attacker to exfiltrate arbitrary memory from the ASP stage 2 bootloader, potentially leading to information disclosure. |
| CVE-2021-26363 | 6.4 (Medium) | A malicious or compromised UApp or ABL could potentially change the value that the ASP uses for its reserved DRAM to one outside of the fenced area, potentially leading to data exposure. |
| CVE-2021-26366 | 6.4 (Medium) | An attacker who gained elevated privileges via some other vulnerability may be able to read data from Boot ROM, resulting in a loss of system integrity. |
| CVE-2021-26369 | 6.4 (Medium) | A malicious or compromised UApp or ABL may be used by an attacker to send a malformed system call to the bootloader, resulting in out-of-bounds memory accesses. |
| CVE-2021-26386 | 6.4 (Medium) | A malicious or compromised UApp or ABL may be used by an attacker to issue a malformed system call to the Stage 2 Bootloader, potentially leading to corrupted memory and code execution. |
| CVE-2021-26336 | 6.1 (Medium) | Insufficient bounds checking in the System Management Unit (SMU) may cause invalid memory accesses/updates that could result in an SMU hang and subsequent failure to service any further requests from other components. |
| CVE-2021-26337 | 6.1 (Medium) | Insufficient DRAM address validation in the System Management Unit (SMU) may result in a DMA read from an invalid DRAM address to SRAM, resulting in the SMU not servicing further requests. |
| CVE-2020-12951 | 6.1 (Medium) | Race condition in ASP firmware could allow less privileged x86 code to perform ASP SMM (System Management Mode) operations. |
| CVE-2021-26376 | 6.1 (Medium) | Insufficient checks in System Management Unit (SMU) FeatureConfig may result in re-enabling features, potentially resulting in denial of resources and/or denial of service. |
| CVE-2021-26352 | 6.1 (Medium) | Insufficient bounds checks in the System Management Unit (SMU) PCIe Hot Plug table may result in accesses/updates from/to invalid address space that could result in denial of service. |
| CVE-2021-26375 | 6.1 (Medium) | Insufficient General Purpose IO (GPIO) bounds check in the System Management Unit (SMU) may result in accesses/updates from/to invalid address space that could result in denial of service. |
| CVE-2021-26378 | 6.1 (Medium) | Insufficient bounds checks in System Management Unit (SMU) hot plug PCIe ports may result in accesses/updates from/to invalid address space that could result in denial of service. |
| CVE-2021-26372 | 6.1 (Medium) | Insufficient bounds checks in the System Management Unit (SMU) PCIe Hot Plug Config Table may result in out-of-bounds accesses/updates from/to invalid address space that could result in denial of service. |
| CVE-2021-26351 | 6.1 (Medium) | Insufficient DRAM address validation in the System Management Unit (SMU) may result in a DMA (Direct Memory Access) read/write from/to an invalid DRAM address that could result in denial of service. |
| CVE-2021-26390 | 6.0 (Medium) | A malicious or compromised UApp or ABL may coerce the bootloader into corrupting arbitrary memory, potentially leading to loss of integrity of data. |
| CVE-2021-26362 | 5.7 (Medium) | A malicious or compromised UApp or ABL may be used by an attacker to issue a malformed system call which results in mapping sensitive System Management Network (SMN) registers, leading to a loss of integrity and availability. |
| CVE-2021-26339 | 5.5 (Medium) | A bug in the AMD CPU’s core logic may allow an attacker, using specific code from an unprivileged VM, to trigger a CPU core hang resulting in a potential denial of service. AMD believes the specific code includes a specific x86 instruction sequence that would not be generated by compilers. |
| CVE-2020-12944 | 5.5 (Medium) | Insufficient validation of BIOS image length by ASP firmware could lead to arbitrary code execution. |
| CVE-2021-26368 | 4.1 (Medium) | Insufficient check of the process type in Trusted OS (TOS) may allow an attacker with privileges to enable a lesser privileged process to unmap memory owned by a higher privileged process, resulting in a denial of service. |
| CVE-2021-26388 | 4.1 (Medium) | Improper validation of the BIOS directory may allow searches to read beyond the directory table copy in RAM, exposing out-of-bounds memory contents and resulting in a potential denial of service. |
| CVE-2021-26312 | 4.1 (Medium) | Improper ECC (error correction code) protections implemented in ASP hardware may allow side-channel exposure, potentially resulting in information disclosure. |
| CVE-2021-26384 | 3.0 (Low) | A malformed SMI (System Management Interface) command may allow an attacker to establish a corrupted SMI Trigger Info data structure, potentially leading to out-of-bounds memory reads and writes when triggering an SMI, resulting in a potential loss of resources. |
| CVE-2021-26382 | 1.9 (Low) | An attacker with root account privileges can load any legitimately signed firmware image into the Audio Co-Processor (ACP), irrespective of the respective signing key being declared as usable for authenticating an ACP firmware image, potentially resulting in a denial of service. |
Affected Products
See the tables below.
Mitigation
AMD recommends updating to the AGESA™ PI software version indicated below.
| Platform | Internal Name | PI Version | Release Date | Applicable CVEs |
| DESKTOP | | | | |
| AMD Ryzen™ 2000 Series Desktop Processor | “Raven Ridge” AM4 | Raven-FP5-AM4 1.1.0.E | 02/14/2022 | CVE-2020-12944 |
| | | Raven-FP5-AM4 1.1.0.D | 10/10/2021 | |
| | | PinnaclePI-AM4 1.0.0.C | 02/17/2022 | |
| | | ComboAM4PI 1.0.0.8 | 02/28/2022 | |
| | | ComboAM4v2 PI 1.2.0.6c | 01/06/2022 | |
| | | ComboAM4v2 PI 1.2.0.4 | 08/25/2021 | |
| AMD Ryzen™ 2000 Series Desktop Processor | “Pinnacle Ridge” | PinnaclePI-AM4 1.0.0.C | 02/17/2022 | CVE-2020-12944 |
| | | ComboAM4PI 1.0.0.8 | 02/28/2022 | |
| | | ComboAM4 V2 PI 1.2.0.6c | 02/22/2022 | |
| | | ComboAM4v2 PI 1.2.0.4 | 08/25/2021 | |
| AMD Ryzen™ 3000 Series Desktop Processor | “Matisse” AM4 | ComboAM4PI 1.0.0.8 | 02/28/2022 | CVE-2021-26317 |
| | | ComboAM4 V2 PI 1.2.0.6c | 02/22/2022 | |
| | | ComboAM4v2 PI 1.2.0.4 | 08/25/2021 | |
| AMD Ryzen™ 5000 Series Desktop Processor | “Vermeer” AM4 | ComboAM4 V2 PI 1.2.0.6c | 02/22/2022 | CVE-2020-12944 |
| | | ComboAM4v2 PI 1.2.0.4 | 08/25/2021 | |
| AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics | “Cezanne” AM4 | ComboAM4 V2 PI 1.2.0.6c | 02/22/2022 | CVE-2021-26361 |
| | | ComboAM4v2 PI 1.2.0.4 | 08/25/2021 | |
| HEDT (High End Desktop) | | | | |
| 2nd Gen AMD Ryzen™ Threadripper™ Processor | “Colfax” | SummitPI-SP3r2 1.1.0.5 | 01/12/2022 | CVE-2020-12944 |
| 3rd Gen AMD Ryzen™ Threadripper™ Processors | “Castle Peak” HEDT | CastlePeakPI-SP3r3 1.0.0.7 | 01/28/2022 | CVE-2020-12944 |
| | | CastlePeakPI-SP3r3 1.0.0.6 | 09/08/2021 | |
| WORKSTATION | | | | |
| AMD Ryzen™ Threadripper™ PRO Processor | “Castle Peak” WS | ChagallWSPI-sWRX8 1.0.0.2 | 01/07/2022 | CVE-2020-12944 |
| | | CastlePeakWSPI-sWRX8 1.0.0.9 | 01/20/2022 | |
| | | CastlePeakWSPI-sWRX8 1.0.0.7 | 09/08/2021 | |
| | “Chagall” WS | ChagallWSPI-sWRX8 1.0.0.2 | 01/07/2022 | CVE-2020-12944 |
| MOBILE | | | | |
| AMD Ryzen™ 2000 Series Mobile Processor | “Raven Ridge” FP5 | Raven-FP5-AM4 1.1.0.E | 02/14/2022 | CVE-2020-12944 |
| | | Raven-FP5-AM4 1.1.0.D | 10/10/2021 | |
| | | PinnaclePI-AM4 1.0.0.C | 02/17/2022 | |
| | | ComboAM4PI 1.0.0.8 | 02/28/2022 | |
| | | ComboAM4v2 PI 1.2.0.6c | 02/22/2022 | |
| AMD Ryzen™ 3000 Series Mobile Processor, 2nd Gen AMD Ryzen™ Mobile Processor with Radeon™ Graphics | “Picasso” | PicassoPI-FP5 1.0.0.D | 02/28/2022 | CVE-2020-12944 |
| | | ComboAM4PI 1.0.0.8 | 02/28/2022 | |
| | | ComboAM4v2 PI 1.2.0.6c | 02/22/2022 | |
| | | ComboAM4v2 PI 1.2.0.4 | 08/25/2021 | |
| AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics | “Dali” / “Dali” ULP | PicassoPI-FP5 1.0.0.D | 02/28/2022 | CVE-2020-12944 |
| AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics | “Pollock” | PollockPI-FT5 1.0.0.3 | 02/28/2022 | CVE-2020-12944 |
| AMD Ryzen™ 4000 Series Mobile Processor with Radeon™ Graphics | “Renoir” FP6 | RenoirPI-FP6 1.0.0.7 | 11/03/2021 | CVE-2020-12944 |
| | | ComboAM4v2 PI 1.2.0.4 | 08/25/2021 | |
| AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics | “Lucienne” | CezannePI-FP6 1.0.0.9a | 02/28/2022 | CVE-2020-12944 |
| | | CezannePI-FP6 1.0.0.5 | 08/18/2021 | |
| AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics | “Cezanne” | CezannePI-FP6 1.0.0.9 | 02/28/2022 | CVE-2020-12944 |
| | | CezannePI-FP6 1.0.0.5 | 08/18/2021 | |
Acknowledgement
AMD thanks the following for reporting these issues and engaging in coordinated vulnerability disclosure.
- Reported by Shawn Hoffman (Microsoft Offensive Security Research): CVE-2021-26335, CVE-2021-26336, CVE-2021-26337, CVE-2021-26347, CVE-2021-26350, CVE-2021-26351, CVE-2021-26352, CVE-2021-26372, CVE-2021-26373, CVE-2021-26375, CVE-2021-26376, CVE-2021-26378
- Reported by Cfir Cohen, Jann Horn, Mark Brand of Google: CVE-2020-12944, CVE-2020-12946, CVE-2020-12951, CVE-2021-26312, CVE-2021-26348, CVE-2021-26349
- Found by “Silifuzz (Google)”: CVE-2021-26339
- BINARLY efiXplorer team: CVE-2023-20558, CVE-2023-20559, CVE-2021-39298
- Reported by Jiawei Yin (@yngweijw): CVE-2021-26317
- Internally reported: CVE-2021-26353, CVE-2021-26361, CVE-2021-26362, CVE-2021-26363, CVE-2021-26366, CVE-2021-26368, CVE-2021-26369, CVE-2021-26370, CVE-2021-26382, CVE-2021-26384, CVE-2021-26386, CVE-2021-26388, CVE-2021-26390, CVE-2021-46771
Revisions
| Revision Date | Description |
| 03/24/2023 | Added CVE-2023-20558 and CVE-2023-20559 and associated PI versions |
| 05/10/2022 | Initial publication |
DISCLAIMER
The information contained herein is for informational purposes only and is subject to change without notice. While every precaution has been taken in the preparation of this document, it may contain technical inaccuracies, omissions, and typographical errors, and AMD is under no obligation to update or otherwise correct this information. Advanced Micro Devices, Inc. makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and assumes no liability of any kind, including the implied warranties of non-infringement, merchantability, or fitness for particular purposes, with respect to the operation or use of AMD hardware, software or other products described herein. Any computer system has risks of security vulnerabilities that cannot be completely prevented or mitigated. No license, including implied or arising by estoppel, to any intellectual property rights is granted by this document. Terms and limitations applicable to the purchase or use of AMD’s products are as set forth in a signed agreement between the parties or in AMD's Standard Terms and Conditions of Sale.
AMD, the AMD Arrow logo, and combinations thereof are trademarks of Advanced Micro Devices, Inc. Other product names used in this publication are for identification purposes only and may be trademarks of their respective companies.
© 2022 Advanced Micro Devices, Inc. All rights reserved.