AMD discloses slew of high severity security vulnerabilities that attacks BIOS chips on Zen systems — updates aren't available for all chips, finally a fix Zenbleed

AMD has disclosed four vulnerabilities found in its Zen-based CPUs, ranging from the original Zen chips to the latest Zen 4 processors, and not all impacted chips have a readily available BIOS version to correct the issue. The vulnerabilities, which compromise the security of the SPI interface that connects to the flash chip that stores your BIOS, affect different generations of different Zen CPUs — not all processors are vulnerable to all four bugs. AMD is patching the vulnerabilities through new versions of AGESA, which is the base code for motherboard BIOSes. However, not all motherboard vendors have released new updates with the patched AGESA.

Though distinct, the four vulnerabilities hinge on the SPI interface that connects the CPU to the chip on the motherboard where the system firmware is stored. Exploiting these vulnerabilities could allow hackers to perform denial of service attacks, escalate privileges, and even execute arbitrary code. That last one can be particularly scary, as arbitrary code execution essentially means tricking a computer into running code, and that code could really be anything. However, any attack would require local access to the affected system, meaning that it would take an especially vigilant attacker to exploit the vulnerability. 

Fixing these vulnerabilities involves updating the AGESA, which is an integral part of the BIOS for AMD CPUs. AMD has already released new AGESA versions for nearly all of its processors. For Zen 2-based chips, in particular, many of these new AGESAs also patch Zenbleed, which was disclosed last year. However, while AGESA 1.2.0.B will patch these latest exploits for Ryzen CPUs using the Zen 2 architecture, you'll also need version 1.2.0.C to protect against Zenbleed.

The latest AGESA versions from months ago also protect Epyc CPUs, and Threadripper received its AGESA update in January. Threadripper 7000, however, isn't mentioned in the disclosure, which may mean AMD learned of the vulnerabilities in time to ensure its latest HEDT CPUs never shipped with a buggy AGESA. Only two of AMD's embedded CPUs don't yet have a secure AGESA, which is scheduled to arrive in April.

Of course, new AGESA versions have to be distributed via new BIOS versions, which means even if a new AGESA is technically available, it could be a while before it reaches motherboards. For Epyc, embedded, and mobile CPUs, it's difficult to say how many motherboards offer a BIOS with the latest AGESA version, but for consumer Ryzen and Threadripper boards, this info is far more available and easier to find. We've looked at desktop motherboards from the big four vendors, and here's how they stand when it comes to AGESA versions.

* Not a comprehensive list and may not be true for all motherboards

AM5 motherboards are seemingly completely patched for the four vulnerabilities, which means computers using Ryzen 7000 and Ryzen 8000 chips should be fine. As mentioned previously, AMD didn't make any disclosures for Threadripper 7000, which should mean TRX50 and WRX90 motherboards are also in the clear.

Unfortunately, for users of AMD's last-generation sockets, updates haven't been as rapid as they have been for AM5. As far as we could tell, no AM4 motherboards thus far offer a BIOS using AGESA version 1.2.0.C, which means Ryzen 4000G and 5000G APUs are vulnerable no matter who your motherboard maker is. AGESA version 1.2.0.B is broadly available on every 500 series board from the four big vendors, but the same can't be said for the 300 and 400 series. Asus's and MSI's 300 series boards are still on version 1.2.0.A, as are MSI's 400 series boards.

Meanwhile, TRX40 for the Threadripper 3000 series is mostly safe, except MSI hasn't updated its TRX40 boards since version 1.0.0.4. However, it seems Threadripper Pro 3000WX and 5000WX have gotten the short end of the stick by far, as the WRX80 socket is completely vulnerable no matter what vendor you're with. Hopefully, this is just because the AGESA versions haven't been out for very long.