The past few months have been a long haul for certain AMD Zen 2 processors in receiving necessary protections from a potential exploit known as Zenbleed. However, protections are finally reaching the last of these CPUs in the form of a new firmware update from motherboard manufacturer MSI.
A New BIOS Update Patches Vulnerabilities
MSI has now started rolling out motherboard firmware updates for AMD Ryzen 4000 series chips, known as Renoir Zen 2 APUs. These updates come with AMD’s AM4 AGESA 1.2.0.Ca against Zenbleed attacks.
Installing this new BIOS update is highly recommended if you’re running one of these Ryzen 4000 APUs in an MSI motherboard with the AM4 chipset. The update is currently rolling out and is available for almost all MSI X570 motherboards. MSI is also pushing it to their B550, 500, and 400 series boards, though it may take longer to reach other chipsets.
The vulnerability patched is rated with “medium” severity and identified as CVE-2023-20593. According to reports, attackers could access sensitive information on impacted systems under specific conditions.
A Long Time Coming for Some CPUs
While protections have been implemented in previous AMD AGESA firmware updates for Ryzen 3000 CPUs and other Zen 2 processors, it’s taken an unusually long time for Ryzen 4000 APU defenses to arrive. This leaves AMD Zen 2 chips fully patched against the potential exploit.
Only a few motherboard manufacturers, like Gigabyte, have yet to issue BIOS updates with the necessary AGESA 1.2.0.Ca firmware for Ryzen 4000 chips. However, they are expected to follow suit soon after AMD has provided the update.
There was no apparent reason for the prolonged delay in addressing this subset of Zen 2 CPUs. But it’s reassuring to see the last remaining Zen 2 products patched up finally.
Understanding the Zenbleed Vulnerability
To understand why it took so long to patch Ryzen 4000 APUs, it helps to examine the technical details behind the vulnerability itself briefly.
The issue stems from the interaction between AMD’s CPU registers and the typical speculative execution system used to optimize performance. When certain 128-bit and 256-bit registers are used together, there is flawed logic in Zen 2 CPUs in how unfinished speculative instructions are handled. This can leave registers in an “undefined” state containing leftover data from other programs.
With the right conditions, malicious code could monitor these undefined register contents to access sensitive data like passwords or encryption keys at high speeds of up to 30kBps per core. While no real-world exploitation has been reported, the risk makes patching AMD’s product line critical.
Assessing the Impact
Theoretically, Zenbleed security flaw enables direct data leaks. But the impact depends on the situation. Only applications using both 128-bit and 256-bit registers simultaneously are affected. Cryptography software and OpenSSL are apparent risks. Retrieving valid data may require running encryption processes or extensive web browsing.
Corporate servers present the most significant concern since virtualization could allow one renter to access others’ data. This likely explains AMD’s initial focus on EPYC CPUs in its early patches. For consumers, attackers may try to steal passwords through malicious web pages. However, successful exploitation also requires optimization.
Overall, while not an immediate risk for most users, patching remains important due diligence for AMD and its partners.
A Promising Outcome Despite Delays
In conclusion, though defenses took an unexpectedly long while to materialize for Ryzen 4000 chips compared to other Zen 2 CPUs, the situation now looks very positive. With AMD’s AGESA 1.2.0.Ca BIOS updates, including support for these APUs, this security flaw appears fully resolved across the board.
Moving forward, hardware vendors can apply what they learned about proactively addressing potential exploits. However, this is a reassuring outcome for AMD and its customers, showing commitment to security updates even for obsolete product families.
Organizations, in particular, can update AMD servers and workstations, knowing the Zen 2 lineup is now safeguarded. While the delays were regrettable, consumers and the industry emerged relatively unharmed.