AMD reveals an EPYC 50 flaws – 23 of them are classified as High severity. Intel also has 25 problems • The Register
Microsoft may have given us just 55 CVEs to fear during Patch Tuesday in November, but AMD and Intel have exceeded that number with fixes for their products.
AMD alone dropped 50 new CVEs on Thursday, 23 of them rated “high,” meaning they are rated between 7.0 and 8.9 on the Common Vulnerability Rating System.
Let’s start with the 27 AMD graphics driver flaws for Windows 10 – of which 18 are rated High – because at least they’re in the software and patching cadence from Microsoft and Adobe means readers might be in the mood to fix. the code.
Detailed here, vulnerabilities allow elevation of privilege, denial of service, the ability for an unprivileged user to delete malicious DLL files, unauthorized code execution, memory corruption, information disclosure
In its thanks to those who found the bugs, AMD gives a tip of the hat to a guy named “Lucas Bouillot, from Apple Media Products RedTeam”. So now we know Apple has this team.
AMD’s EPYC processors – all three generations of them – have 22 defects, four of which are rated High. These faults, and their descriptions by AMD, are:
- CVE-2020-12954 – A side effect of an integrated chipset option can be used by an attacker to bypass SPI ROM protections, allowing unauthorized modification of the SPI ROM.
- CVE-2020-12961 – A potential vulnerability exists in AMD Platform Security Processor (PSP) which can allow an attacker to zero any privileged registers on the system management network, which can lead to bypassing ROM protections SPI.
- CVE-2021-26331 – AMD System Management Unit (SMU) contains a potential issue where a malicious user may be able to manipulate mailbox entries resulting in the execution of arbitrary code.
- CVE-2021-26335 – Incorrect entry and range check in the Platform Security Processor (PSP) bootloader image header could allow an attacker to use values controlled by the attack before the signature is validated, which can lead to the execution of an arbitrary code.
AMD’s μProf tool has only one flaw, the High-rated CVE-2021-26334 which “may allow less privileged users to access MSRs in the kernel, which may lead to elevated privileges and execution of ring-0 code by the less privileged user “.
Intel also revealed new issues – 25 of them. Chipzilla issues its own identifiers for vulnerabilities and groups several CVEs below.
Those who received a high rating include:
- INTEL-SA-00509 – Which includes 10 Intel WiFi CVE I products, allowing elevation of privilege, denial of service and information disclosure
- INTEL-SA-00535 – A single CVE (CVE-2021-0148) which impacts multiple Intel SSDs. “Insertion of information into the firmware log file … can allow a privileged user to potentially enable information disclosure through local access,” says Intel advisory
- INTEL-SA-00528- Privilege escalation loophole in Pentium, Celeron and Atom silicon
- INTEL-SA-00562 – Bad BIOS can allow elevation of privilege in 10 types of Intel processors ranging from this year’s Xeons to 2016 Core processors, and even some 2013 Celerons
The register suggest to pay attention to intel bug list because its warnings relate to many popular products such as Bluetooth, Ethernet drivers, and Thunderbolt. ®