Security advisory for AMD-SB-3003 server vulnerabilities
On August 13th, 2024, AMD published the Security Bulletin AMD-SB-3003. Security vulnerabilities were discovered in ASP (AMD Secure Processor), SEV (AMD Secure Encrypted Virtualization), SEV-SNP (AMD Secure Encrypted Virtualization – Secure Nested Paging) and in other platform components. [1]
Affected systems
- systems with "Zen 1" AMD EPYC 7001 Naples processors
- systems with "Zen 2" AMD EPYC 7002 Rome processors
- systems with "Zen 3" AMD EPYC 7003 Milan processors
- systems with "Zen 4" AMD EPYC 9004 Genoa and Bergamo processors
Problem solution
The following tables list, for every EPYC generation, the corresponding CVEs and the AGESA and SEV firmware updates that correct them, where available.
AMD EPYC 7001 Naples:
| security vulnerability | risk potential | AGESA version | SEV Firmware |
|---|---|---|---|
| CVE-2023-20578 | high | NaplesPI 1.0.0.K (2023-06-14) | N/A |
AMD EPYC 7002 Rome:
| security vulnerability | risk potential | AGESA version | SEV Firmware |
|---|---|---|---|
| CVE-2021-26344 | high | RomePI 1.0.0.C (2021-07-22) | N/A |
| CVE-2023-20578 | high | RomePI 1.0.0.G (2023-05-05) | N/A |
| CVE-2021-46772 | low | RomePI 1.0.0.E (2022-06-17) | N/A |
AMD EPYC 7003 Milan:
| security vulnerability | risk potential | AGESA version | SEV Firmware |
|---|---|---|---|
| CVE-2021-26344 | high | MilanPI 1.0.0.5 (2021-08-05) | N/A |
| CVE-2023-20578 | high | MilanPI 1.0.0.B (2023-06-08) | N/A |
| CVE-2023-20584 | medium | MilanPI 1.0.0.C (2023-12-18) | SEV 1.55.9 [hex 1.37.09] |
| CVE-2023-20591 | medium | MilanPI 1.0.0.B (2023-06-08) | N/A |
| CVE-2023-31356 | medium | MilanPI 1.0.0.C (2023-12-18) | SEV 1.55.17 [hex 01.37.11] |
| CVE-2021-46772 | low | MilanPI 1.0.0.9 (2022-05-21) | N/A |
AMD EPYC 9004 Genoa and Bergamo:
| security vulnerability | risk potential | AGESA version | SEV Firmware |
|---|---|---|---|
| CVE-2023-20578 | high | GenoaPI 1.0.0.2 (2022-10-04) | N/A |
| CVE-2023-20584 | medium | GenoaPI 1.0.0.B (2023-12-15) | SEV 1.55.23 [hex 1.37.17] |
| CVE-2023-20591 | medium | Genoa 1.0.0.8 (2023-06-09) | N/A |
| CVE-2023-31356 | medium | GenoaPI 1.0.0.B (2023-12-15) | SEV 1.55.31 [hex 1.37.1F] |
| CVE-2023-20518 | low | GenoaPI 1.0.0.4 (2022-12-22) | N/A |
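The SEV firmware column above gives each version in decimal and in hex, and the two are easy to confuse when reading a version off a host. The following Python sketch is an added example, not code from AMD, Supermicro or Thomas-Krenn: it normalizes both notations and reports which SEV-firmware-related CVEs from the Milan and Genoa tables are still open. It assumes the installed version is supplied as text, either dotted or in the `SEV API:major.minor build:n` form of a Linux kernel log line (the sample lines are constructed); the AGESA column must still be checked against the installed BIOS separately.

```python
import re

# Minimum SEV firmware per CVE, copied from the Milan and Genoa tables
# on this page (decimal notation: major, minor, build).
SEV_FIXES = {
    "milan": {"CVE-2023-20584": (1, 55, 9), "CVE-2023-31356": (1, 55, 17)},
    "genoa": {"CVE-2023-20584": (1, 55, 23), "CVE-2023-31356": (1, 55, 31)},
}

# Assumed kernel-log form, e.g. "SEV API:1.55 build:23" (always decimal).
_KERNEL = re.compile(r"API:\s*(\d+)\.(\d+)\s+build:\s*(\d+)", re.I)
# Dotted form, e.g. "SEV 1.55.17" (decimal) or "hex 01.37.11" (hexadecimal).
_DOTTED = re.compile(
    r"(hex\s+)?([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)", re.I
)


def parse_sev_version(text):
    """Return (major, minor, build) as integers from any supported notation."""
    m = _KERNEL.search(text)
    if m:
        return tuple(int(g) for g in m.groups())
    m = _DOTTED.search(text)
    if not m:
        raise ValueError(f"no SEV firmware version found in {text!r}")
    # Only an explicit "hex" marker switches to base 16; "1.37.11" alone
    # would otherwise be ambiguous, so it is read as decimal.
    base = 16 if m.group(1) else 10
    return tuple(int(g, base) for g in m.groups()[1:])


def open_sev_cves(generation, version_text):
    """List CVEs whose fixed SEV firmware is newer than the installed one."""
    fixes = SEV_FIXES[generation.lower()]
    installed = parse_sev_version(version_text)
    return sorted(cve for cve, minimum in fixes.items() if installed < minimum)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    samples = [
        ("genoa", "ccp 0000:22:00.1: SEV API:1.55 build:23"),
        ("milan", "SEV 1.55.17"),
        ("milan", "hex 1.37.08"),
    ]
    for gen, text in samples:
        print(gen, parse_sev_version(text), open_sev_cves(gen, text) or "up to date")
```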
Supermicro has published a Security Bulletin for these security vulnerabilities. It also lists, for the corresponding mainboards, the BIOS versions that include an AGESA version closing the gaps: [2]
| AMD motherboard generation | BIOS version |
|---|---|
| H11 – Naples (unsigned) | 1.4 |
| H11 – Naples/Rome (signed) | 2.8 |
| H12 – Rome/Milan | 2.8 |
| H13 – Genoa | 1.8 |
| H13 – Siena (H13SVW) | 1.2 |
Updates for products of Thomas-Krenn
Updates for the corresponding system can be found in the download area of Thomas-Krenn. The updates in the download area have been tested by us to guarantee the stability and compatibility of our systems.
If you require the latest version for your system and it is not yet available in our download area, you can get it from Asus or Supermicro.
References
- [1] AMD Server Vulnerabilities – August 2024 (www.amd.com/en/resources/product-security, 13.08.2024)
- [2] AMD Security Vulnerabilities, August 2024 (www.supermicro.com)
Translator: Alina Ranzinger

