AMD issues firmware fixes for Epyc, Ryzen processors

News Analysis
Feb 01, 2023 | 2 min read
Servers

AMD has published fixes for 31 vulnerabilities in its desktop and server processors, several of which open the door to attacks on the BIOS.


Earlier this month AMD quietly disclosed 31 new CPU vulnerabilities affecting both its Ryzen desktop chips and EPYC data center processors. AMD disclosed the flaws in coordination with several researchers, including teams from Google, Apple, and Oracle.

AMD typically releases vulnerability findings twice a year, in May and November, but decided to release the fixes early due to the relatively large number of new vulnerabilities and the timing of the mitigations.

Despite the severity and number of flaws, AMD made no announcement beyond posting the lists to its security page. The fixes take the form of BIOS/UEFI revisions that AMD has distributed to its OEMs. Since every OEM builds its own BIOS/UEFI, check with your motherboard maker or system vendor to find out whether an update that incorporates them is available for your board.
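The first thing a vendor's release notes will ask for is the firmware identity of the machine you are checking. The program below is an added example written for this page (it is not code from AMD, any OEM or the article) that reads the fields Linux exposes under /sys/class/dmi/id, the same ones `dmidecode -t bios` prints, and compares the BIOS build date against a cutoff. The cutoff value used in `main` is an assumption; the real one is the release date of the OEM BIOS that carries AMD's fixes, which only the vendor's notes can tell you.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the article's or any vendor's code): read the BIOS/UEFI
 * identity from the DMI tables Linux exposes in sysfs, then decide whether the
 * firmware build date predates a cutoff supplied by the caller. */

#define DMI_DIR "/sys/class/dmi/id"   /* readable without root for these fields */

/* Read one DMI attribute file into buf (trailing newline stripped).
 * Returns 0 on success, -1 if the file is missing, unreadable or empty. */
int dmi_read(const char *dir, const char *name, char *buf, size_t n)
{
    char path[512];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)n, f)) { fclose(f); buf[0] = '\0'; return -1; }
    fclose(f);
    buf[strcspn(buf, "\r\n")] = '\0';
    return 0;
}

/* bios_date is reported as MM/DD/YYYY. Convert it to YYYYMMDD so dates
 * compare as plain integers; returns -1 if the string is not in that form. */
long bios_date_to_int(const char *s)
{
    unsigned mm, dd, yyyy;
    char extra;
    if (sscanf(s, "%2u/%2u/%4u%c", &mm, &dd, &yyyy, &extra) != 3) return -1;
    if (mm < 1 || mm > 12 || dd < 1 || dd > 31 || yyyy < 1990) return -1;
    return (long)yyyy * 10000 + mm * 100 + dd;
}

/* 1 if the firmware was built before cutoff_yyyymmdd (an update needs
 * checking), 0 if not, -1 if the date could not be parsed (check manually). */
int firmware_predates(const char *bios_date, long cutoff_yyyymmdd)
{
    long d = bios_date_to_int(bios_date);
    if (d < 0) return -1;
    return d < cutoff_yyyymmdd;
}

int main(void)
{
    char vendor[128], board[128], ver[128], date[64];
    if (dmi_read(DMI_DIR, "sys_vendor", vendor, sizeof vendor) < 0) strcpy(vendor, "unknown");
    if (dmi_read(DMI_DIR, "board_name", board, sizeof board) < 0) strcpy(board, "unknown");
    if (dmi_read(DMI_DIR, "bios_version", ver, sizeof ver) < 0) strcpy(ver, "unknown");
    if (dmi_read(DMI_DIR, "bios_date", date, sizeof date) < 0) strcpy(date, "unknown");
    printf("%s %s: BIOS %s built %s\n", vendor, board, ver, date);

    /* Placeholder cutoff (assumption): substitute the release date of the OEM
     * BIOS that contains AMD's fixes, taken from that vendor's release notes. */
    switch (firmware_predates(date, 20230101L)) {
    case 1:  puts("firmware predates the cutoff: ask the vendor for an update"); break;
    case 0:  puts("firmware is newer than the cutoff: confirm against the vendor's notes"); break;
    default: puts("no usable build date: check the vendor manually"); break;
    }
    return 0;
}
```

A build date is only a coarse filter: a BIOS dated before AMD shipped the fixes to OEMs certainly lacks them, while a newer date still has to be matched against the specific version the vendor names, which is why the program prints the version string alongside the verdict.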

The list of server issues includes four vulnerabilities rated High, 15 rated Medium, and nine rated Low. Three of the High-severity flaws allow arbitrary code execution via various attack vectors; the fourth allows writing data to specific memory regions, which can result in loss of data integrity and availability.

One particularly widespread vulnerability is CVE-2021-26316, which affects both desktop and server processors. It is a “failure of validation in the communication buffer and communication service in BIOS that may allow an attacker to tamper with the buffer resulting in potential System Management Mode arbitrary code execution.”
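To make that description concrete, here is an added illustration of the bug class it names: an SMI handler that trusts the communication buffer the OS hands it, beside a hardened version. This is written for this page and is not AMD's or any OEM's code, and it does not reproduce the actual flaw; physical memory, the SMRAM window, the handler's private table and the comm-buffer layout are all simulated as assumptions so both handlers can run in user space.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Added illustration (not AMD's or any OEM's code) of a comm-buffer validation
 * failure in an SMI handler. All addresses are offsets into one simulated
 * physical-memory array; the "SMRAM" window sits at a fixed offset inside it. */

#define PHYS_SIZE   0x10000u             /* 64 KiB of simulated physical RAM  */
#define SMRAM_BASE  0x8000u              /* simulated SMRAM: [0x8000, 0x9000)  */
#define SMRAM_SIZE  0x1000u
#define SMRAM_END   (SMRAM_BASE + SMRAM_SIZE)

/* A handler-private table inside SMRAM. Anyone who can write here decides what
 * SMM does on the next SMI, i.e. arbitrary code execution in SMM. */
#define SMM_TABLE_OFF  (SMRAM_BASE + 0x100u)
#define SMM_TABLE_LEN  16u
#define SMM_TABLE_FILL 0x11

uint8_t g_phys[PHYS_SIZE];

/* Assumed comm-buffer layout: "write `len` status bytes to physical address
 * `dest`". Both fields come from the OS, so both are attacker-controlled. */
typedef struct { uint32_t dest; uint32_t len; } comm_buffer_t;

static const uint8_t k_status[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

void reset_memory(void)
{
    memset(g_phys, 0, sizeof g_phys);
    memset(&g_phys[SMM_TABLE_OFF], SMM_TABLE_FILL, SMM_TABLE_LEN);
}

bool smm_table_intact(void)
{
    for (unsigned i = 0; i < SMM_TABLE_LEN; i++)
        if (g_phys[SMM_TABLE_OFF + i] != SMM_TABLE_FILL) return false;
    return true;
}

uint8_t phys_read(uint32_t off) { return off < PHYS_SIZE ? g_phys[off] : 0; }

/* OS side: place a request at comm_off. The simulation lets this write anywhere;
 * real hardware blocks the OS from SMRAM but it can still *point* into it. */
int place_request(uint32_t comm_off, uint32_t dest, uint32_t len)
{
    comm_buffer_t c = { dest, len };
    if (comm_off > PHYS_SIZE - sizeof c) return -1;
    memcpy(&g_phys[comm_off], &c, sizeof c);
    return 0;
}

/* Overflow-safe: does [addr, addr+len) lie entirely outside SMRAM? */
bool buffer_outside_smram(uint32_t addr, uint32_t len)
{
    if (len == 0) return true;
    if (addr > UINT32_MAX - len) return false;        /* end would wrap       */
    uint32_t end = addr + len;                         /* exclusive            */
    return !(addr < SMRAM_END && end > SMRAM_BASE);    /* no overlap           */
}

/* Vulnerable handler: uses dest/len exactly as supplied. The bounds checks
 * only keep the simulation memory-safe; they are not SMRAM checks. */
int smi_handler_vulnerable(uint32_t comm_off)
{
    comm_buffer_t c;
    if (comm_off > PHYS_SIZE - sizeof c) return -1;      /* simulation guard  */
    memcpy(&c, &g_phys[comm_off], sizeof c);
    uint32_t n = c.len < sizeof k_status ? c.len : (uint32_t)sizeof k_status;
    if (c.dest > PHYS_SIZE - n) return -1;               /* simulation guard  */
    memcpy(&g_phys[c.dest], k_status, n);                /* dest may be SMRAM */
    return 0;
}

/* Hardened handler: (1) the comm buffer itself must be outside SMRAM, (2) it is
 * copied into SMM-private storage before any field is used, so the OS cannot
 * change it between check and use, (3) the length is bounded, (4) the
 * destination range may not touch SMRAM. */
int smi_handler_hardened(uint32_t comm_off)
{
    if (!buffer_outside_smram(comm_off, sizeof(comm_buffer_t))) return -1;
    if (comm_off > PHYS_SIZE - sizeof(comm_buffer_t)) return -1;
    comm_buffer_t c;
    memcpy(&c, &g_phys[comm_off], sizeof c);             /* private copy      */
    if (c.len > sizeof k_status) return -1;
    if (!buffer_outside_smram(c.dest, c.len)) return -1;
    if (c.dest > PHYS_SIZE - c.len) return -1;
    memcpy(&g_phys[c.dest], k_status, c.len);
    return 0;
}

int main(void)
{
    /* Malicious request: "write your status bytes over the SMM table". */
    reset_memory();
    place_request(0x1000, SMM_TABLE_OFF, 4);
    printf("vulnerable: rc=%d, SMM table intact=%d\n",
           smi_handler_vulnerable(0x1000), smm_table_intact());
    reset_memory();
    place_request(0x1000, SMM_TABLE_OFF, 4);
    printf("hardened:   rc=%d, SMM table intact=%d\n",
           smi_handler_hardened(0x1000), smm_table_intact());
    return 0;
}
```

The hardened handler validates a private copy of the request, not the buffer the OS can still modify from another core, and rejects any range that overlaps SMRAM, including ranges whose end wraps past the top of the address space. EDK2's SmmMemLib exposes this overlap test as SmmIsBufferOutsideSmmValid(); the point of the CVE description is that a handler which skips it turns an ordinary SMI into a write primitive inside SMRAM.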

The vulnerabilities affect all three generations of Epyc processors, but only four of them affect the first-generation “Naples” products. The rest affect the second- and third-generation “Rome” and “Milan” products.

Andy Patrizio is a freelance journalist based in southern California who has covered the computer industry for 20 years and has built every x86 PC he’s ever owned, laptops not included.

The opinions expressed in this blog are those of the author and do not necessarily represent those of ITworld, Network World, its parent, subsidiary or affiliated companies.