A hot potato: All users with AMD Ryzen processors from the last few years should check and update their motherboard firmware ASAP, especially if they haven’t done so since before 2023. AMD has published a detailed chart describing four severe security issues affecting server, desktop, workstation, HEDT, mobile, and embedded Zen CPUs. Recent BIOS updates have addressed most, but not all of the flaws.
All four vulnerabilities AMD has acknowledged are marked as high-severity. The chart below lists the minimum AGESA version needed to mitigate all issues for each processor generation. A more detailed breakdown of which problems and solutions affect each CPU can be found in the company’s security bulletin.
One of the vulnerabilities, designated CVE-2023-20576, can allow attackers to initiate denial of service attacks or escalate privileges due to insufficient data authenticity verification in the BIOS.
Two others – CVE-2023-20577 and CVE-2023-20587 – can enable arbitrary code execution by granting access to the SPI flash through System Management Mode. Another, dubbed CVE-2023-20579, can cause loss of integrity and availability through improper access control in AMD’s SPI protection feature.
CPU Generation Minimum Patched BIOS version Availability Date 1st Gen AMD EPYC NaplesPI 1.0.0.K 2023-Apr-27 2nd Gen AMD EPYC RomePI 1.0.0.H 2023-Nov-07 3rd Gen AMD EPYC MilanPI 1.0.0.C 2023- Dec-18 4th Gen AMD EPYC GenoaPI 1.0.0.8 2023-Jun-09 Ryzen 3000 Desktop ComboAM4 1.0.0.B
2024-Mar
Ryzen 5000 Desktop ComboAM4v2 1.2.0.B 2023-Aug-25 Ryzen 5000 Desktop w/ Radeon ComboAM4v2PI 1.2.0.C 2024-Feb-07 Ryzen 7000 Desktop ComboAM5 1.0.8.0 2023-Aug-29 Ryzen 3000 Desktop w/ Radeon ComboAM4 1.0.0.B
2024-Mar
Ryzen 4000 Desktop w/ Radeon
ComboAM4v2PI 1.2.0.C
2024-Feb-07
Ryzen Threadripper 3000
CastlePeakPI-SP3r3 1.0.0.A
2023-Nov-21
Ryzen Threadripper Pro 3000WX
ChagallWSPI-sWRX8 1.0.0.7
2024-Jan-11
Ryzen Threadripper Pro 5000WX
ChagallWSPI-sWRX8 1.0.0.7
2024-Jan-11
Athlon 3000 Mobile w/ Radeon
PollockPI-FT5 1.0.0.6
2023-Oct-26
Ryzen 3000 Mobile w/ Radeon
PicassoPI-FP5 1.0.1.0
2023-May-31
Ryzen 4000 Mobile w/ Radeon
RenoirPI-FP6 1.0.0.D
2024-Feb
Ryzen 5000 Mobile w/ Radeon
CezannePI-FP6 1.0.1.0
2024-Jan-25
Ryzen 7020 w/ Radeon
MendocinoPI-FT6 1.0.0.6
2024-Jan-03
Ryzen 6000 w/ Radeon
RembrandtPI-FP7 1.0.0.A
2023-Dec-28
Ryzen 7035 w/ Radeon
RembrandtPI-FP7 1.0.0.A
2023-Dec-28
Ryzen 5000 w/ Radeon
CezannePI-FP6 1.0.1.0
2024-Jan-25
Ryzen 3000 w/ Radeon
CezannePI-FP6 1.0.1.0
2024-Jan-25
Ryzen 7040 w/ Radeon
PhoenixPI-FP8-FP7 1.1.0.0
2023-Oct-06
Ryzen 7045 Mobile
DragonRangeFL1PI 1.0.0.3b
2023-Aug-30
Eypc Embedded 3000
Snowyowl PI 1.1.0.B
2023-Dec-15
Epyc Embedded 7002
EmbRomePI-SP3 1.0.0.B
2023-Dec-15
Epyc Embedded 7003
EmbMilanPI-SP3 1.0.0.8
2024-Jan-15
Epyc Embedded 9003
EmbGenoaPI-SP5 1.0.0.3
2023-Sep-15
Ryzen Embedded R1000
EmbeddedPI-FP5 1.2.0.A
2023-Jul-31
Ryzen Embedded R2000
EmbeddedPI-FP5 1.0.0.2
2023-Jul-31
Ryzen Embedded 5000
EmbAM4PI 1.0.0.4
2023-Sep-22
Ryzen Embedded V1000
EmbeddedPI-FP5 1.2.0.A
2023-Jul-31
Ryzen Embedded V2000
EmbeddedPI-FP6 1.0.0.9
2024-Apr
Ryzen Embedded V3000
EmbeddedPI-FP7r2 1.0.0.9
2024-Apr
Those with Ryzen 3000 series desktop CPUs, 4000 series mobile APUs, embedded V2000 chips, or V3000 systems should exercise extra vigilance over the next few months, as the issues affecting those generations have not all been patched. An update planned for later this month will address the vulnerabilities for the 4000 series APUs, while a March 2024 BIOS update will fix the 3000 series CPUs. The affected embedded products will receive patches in April.
All other Zen processors received the relevant fixes in updates between mid-2023 and early this month. For 2nd-gen Epyc processors, the update that mitigated last year’s Zenbleed attack also protects against the new vulnerabilities.
There are several ways to check and update your BIOS version. In most modern PCs, both are possible directly from the BIOS itself. After entering the BIOS by pressing the indicated button during the system’s initial boot-up, the version number should appear on the main menu. Automatic update functions vary depending on the motherboard manufacturer.
To check your BIOS version without rebooting Windows, launch the System Information app by typing that into search or “msinfo” into the taskbar’s search. The version and date should appear in the list on the right pane. The latest BIOS version can usually be found on the support section of the motherboard manufacturer’s website. All major motherboard makers also offer automatic updates through optional management software.
