CVE-2023-20521

CVSS 3.3 LOWEPSS 0.3%

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 3.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

14 Nov 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

TOCTOU in the ASP Bootloader may allow an attacker with physical access to tamper with SPI ROM records after memory content verification, potentially leading to loss of confidentiality or a denial of service.

CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L

Affected products

AMD · 1st Gen AMD EPYC™ Processors AMD · 2nd Gen AMD EPYC™ Processors AMD · 3rd Gen AMD EPYC™ Processors AMD · AMD EPYC™ Embedded 3000 AMD · AMD EPYC™ Embedded 7002 AMD · AMD EPYC™ Embedded 7003 AMD · AMD Ryzen™ Embedded R1000 AMD · AMD Ryzen™ Embedded R2000 AMD · AMD Ryzen™ Embedded V1000 AMD · Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics “Picasso” AM4 AMD · Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics “Dali”/”Dali” FP5 AMD · Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics “Pollock”AMD · Ryzen™ 3000 Series Mobile Processor with Radeon™ Graphics “Picasso” FP5 AMD · Ryzen™ Threadripper™ 2000 Series Processors “Colfax”

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-3002 https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-4002 https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-5001