CVE-2023-20578

Summary

A TOCTOU (Time-Of-Check-Time-Of-Use) in SMM may allow an attacker with ring0 privileges and access to the BIOS menu or UEFI shell to modify the communications buffer potentially resulting in arbitrary code execution.

Affected Software

VendorProductVersion RangeStatus
AMDAMD EPYC™ 7001 ProcessorsNaplesPI 1.0.0.Kunaffected
AMDAMD EPYC™ 7002 ProcessorsRomePI 1.0.0.Gunaffected
AMDAMD EPYC™ 7003 ProcessorsMilanPI 1.0.0.Bunaffected
AMDAMD EPYC™ 9004 ProcessorsGenoaPI 1.0.0.2unaffected
AMDAMD Ryzen™ 7000 Series Desktop ProcessorsComboAM5 1.0.0.1unaffected
AMDAMD Ryzen™ Threadripper™ PRO 5000WX ProcessorsChagallWSPI-sWRX8 1.0.0.7unaffected
AMDAMD Ryzen™ 7020 Series Processors with Radeon™ GraphicsMendocinoPI-FT6 1.0.0.0unaffected
AMDAMD Ryzen™ 6000 Series Processors with Radeon™ GraphicsRembrandtPI-FP7 1.0.0.9bunaffected
AMDAMD Ryzen™ 7035 Series Processors with Radeon™ GraphicsRembrandtPI-FP7 1.0.0.9bunaffected
AMDAMD EPYC™ Embedded 3000SnowyOwl PI 1.1.0.Aunaffected
AMDAMD EPYC™ Embedded 7002EmbRomePI-SP3 1.0.0.Aunaffected
AMDAMD EPYC™ Embedded 7003EmbMilanPI-SP3 1.0.0.7unaffected
AMDAMD EPYC™ Embedded 9003EmbGenoaPI-SP5 1.0.0.0unaffected
AMDAMD Ryzen™ Embedded 7000EmbeddedAM5PI 1.0.0.0unaffected
AMDAMD RyzenTM Embedded V3000EmbeddedPI-FP7r2 1.0.0.8unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References