AMD patches critical Zen 5 microcode bug — partners deliver new BIOS with AGESA 1.2.0.3C

Motherboard vendors have started to deploy BIOS updates based on the AGESA 1.2.0.3C firmware. The new BIOS addresses a critical security vulnerability in AMD's Zen 5 chips found last month. This security flaw impacts Zen-based microprocessors across all product lines. While firmware updates patched Zen 1 to Zen 4, this vulnerability was only recently discovered with Zen 5.

According to AMD's security bulletin, the company relayed the updated firmware to motherboard vendors late last month. Due to the time each partner needs to integrate and validate new firmware for their unique BIOS on each motherboard model, we're only starting to see adoption now. So far, only MSI has the updated BIOS for some of its 800-series motherboards.

The specific vulnerability in question is called EntrySign (ID: AMD-SB-7033), and it allows unsigned and potentially malicious microcode to be executed on the CPU. The flaw stems from AMD's signature verification process, which used a weak hashing algorithm (AES-CMAC). This allowed researchers at Google to craft forged signatures for arbitrary or even malicious microcode. The catch is that said bad actors must have kernel-level (ring 0) privileges, and at that point, this bug should be the least of your concerns, at least in consumer-grade environments.

To be clear, hot-loaded microcodes don't persist across reboots. Every time you power down and reboot your system, the microcode resets to one that was permanently embedded in your CPU from the factory unless changed later in the boot process by the BIOS/OS, which adds another set of guardrails.

In addition to desktops, this vulnerability posed a risk to server-grade processors like AMD's Turin (EPYC 9005) family, potentially compromising their SEV and SEV-SNP protection technologies, which could allow unauthorized access to private data from virtual machines. As it stands, except for Fire Range (Ryzen 9000HX), mitigation is available for all CPUs from the Zen 5 family: Granite Ridge, Turin, Strix Point, Krackan Point, and Strix Halo.

This has several implications for the average user. A typical example can be BYOVD (Bring Your Own Vulnerable Driver) attacks, where hackers abuse vulnerabilities in trusted and signed kernel-level drivers to gain access to ring 0. If successful, this could be a stepping-stone to exploiting CPU vulnerabilities like EntrySign, allowing them to execute malicious microcode on your processor.

An example of this is when hackers discovered holes in Genshin Impact's (kernel-level) anti-cheat and distributed ransomware that targeted this flaw and achieved ring 0 access. In short, the safest approach is to keep an eye out for an upcoming BIOS update from your vendor that has been specified to use the AGESA 1.2.0.3C firmware.

Follow Tom's Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button.