CVE-2024-36354

Summary

Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to bypass SMM isolation potentially resulting in arbitrary code execution at the SMM level.

Affected Software

VendorProductVersion RangeStatus
AMDAMD Ryzen™ Threadripper™ 3000 ProcessorsCastlePeakPI-SP3r3 1.0.0.Dunaffected
AMDAMD Ryzen™ Threadripper™ PRO 5000 WX-Series ProcessorsChagallWSPI-sWRX8-1.0.0.Aunaffected
AMDAMD Ryzen™ 5000 Series Mobile Processors with Radeon™ GraphicsCezannePI-FP6_1.0.1.1aunaffected
AMDAMD Ryzen™ Threadripper™ PRO 3000 WX-Series ProcessorsCastlePeakWSPI-sWRX8 1.0.0.Funaffected
AMDAMD Ryzen™ Threadripper™ PRO 3000 WX-Series ProcessorsChagallWSPI-sWRX8-1.0.0.Aunaffected
AMDAMD Ryzen™ 3000 Series Mobile Processors with Radeon™ GraphicsPicassoPI-FP5_1.0.1.2aunaffected
AMDAMD Ryzen™ 8040 Series Mobile Processors with Radeon™ GraphicsPhoenixPI-FP8-FP7_1.1.8.0unaffected
AMDAMD Athlon™ 3000 Series Mobile Processors with Radeon™ GraphicsPicassoPI-FP5_1.0.1.2aunaffected
AMDAMD Ryzen™ 8000 Series Desktop ProcessorsComboAM5PI_1.2.0.2aunaffected
AMDAMD Ryzen™ 7040 Series Mobile Processors with Radeon™ GraphicsPhoenixPI-FP8-FP7_1.1.8.0unaffected
AMDAMD Ryzen™ 4000 Series Mobile Processors with Radeon™ GraphicsRenoirPI-FP6 1.0.0.Eaunaffected
AMDAMD Ryzen™ 6000 Series Processors with Radeon™ GraphicsRembrandtPI-FP7_1.0.0.Baunaffected
AMDAMD Ryzen™ 7045 Series Mobile Processors with Radeon™ GraphicsDragonRangeFL1_1.0.0.3funaffected
AMDAMD Ryzen™ 7035 Series Processors with Radeon™ GraphicsRembrandtPI-FP7_1.0.0.Baunaffected
AMDAMD Ryzen™ 7000 Series Desktop ProcessorsComboAM5PI_1.2.0.2aunaffected
AMDAMD Ryzen™ 7030 Series Mobile Processors with Radeon™ GraphicsCezannePI-FP6_1.0.1.1aunaffected
AMDAMD Ryzen™ 9000 Series Desktop ProcessorsComboAM5PI_1.2.0.2aunaffected
AMDAMD Ryzen™ 3000 Series Desktop ProcessorsComboAM4PI_1.0.0.Cunaffected
AMDAMD Ryzen™ 3000 Series Desktop ProcessorsComboAM4v2PI_1.2.0.Dunaffected
AMDAMD Athlon™ 3000 Series Desktop Processors with Radeon™ GraphicsComboAM4PI_1.0.0.Cunaffected
AMDAMD Ryzen™ 5000 Series Desktop Processors with Radeon™ GraphicsComboAM4v2PI_1.2.0.Dunaffected
AMDAMD Ryzen™ 4000 Series Desktop ProcessorsComboAM4v2PI_1.2.0.Dunaffected
AMDAMD Ryzen™ 5000 Series Desktop ProcessorsComboAM4v2PI_1.2.0.Dunaffected
AMDAMD EPYC™ Embedded 3000 Series ProcessorsSnowyOwl PI 1.1.0.Funaffected
AMDAMD EPYC™ Embedded 7002 Series ProcessorsEmbRomePI-SP3_1.0.0.Eunaffected
AMDAMD EPYC™ Embedded 7003 Series ProcessorsEmbMilanPI-SP3 1.0.0.Aunaffected
AMDAMD EPYC™ Embedded 9004 Series ProcessorsEmbGenoaPI-SP5 1.0.0.8unaffected
AMDAMD Ryzen™ Embedded 5000 Series ProcessorsEmbAM4PI 1.0.0.7unaffected
AMDAMD Ryzen™ Embedded V2000 Series ProcessorsEmbeddedPI-FP6_1.0.0.Bunaffected
AMDAMD Ryzen™ Embedded V3000 Series ProcessorsEmbedded-PI_FP7r2 100Aunaffected
AMDAMD EPYC™ Embedded 97X4 Series ProcessorsEmbGenoaPI-SP5 1.0.0.8unaffected
AMDAMD Ryzen™ Embedded 7000 Series ProcessorsEmbeddedAM5PI 1.0.0.3unaffected
AMDAMD EPYC™ 9004 Series ProcessorsGenoaPI 1.0.0.Dunaffected
AMDAMD EPYC™ 7003 Series ProcessorsMilanPI 1.0.0.Dunaffected
AMDAMD EPYC™ 7002 Series ProcessorsRome PI 1.0.0.Munaffected
AMDAMD EPYC™ 7001 Series ProcessorsNaples 1.0.0.Qunaffected
AMDAMD EPYC™ 9004 Series ProcessorsGenoaPI 1.0.0.Dunaffected
AMDAMD EPYC™ 4004 Series ProcessorsComboAM5PI_1.2.0.2aunaffected
AMDAMD EPYC™ 8004 Series ProcessorsGenoaPI 1.0.0.Dunaffected

Weaknesses

  • CWE-1231: CWE-1231 - Improper Prevention of Lock Bit Modification

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References