#VU97945 Improper Initialization in 3rd Gen AMD EPYC Processors and 4th Gen AMD EPYC Processors - CVE-2023-20591


Vulnerability identifier: #VU97945

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-20591

CWE-ID: CWE-665

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
3rd Gen AMD EPYC Processors
Hardware solutions / Firmware
4th Gen AMD EPYC Processors
Hardware solutions / Firmware

Vendor: AMD

Description

The vulnerability allows a malicious guest to compromise the affected system.

The vulnerability exists due to improper initialization of IOMMU during the DRTM event. A malicious guest can read or modify hypervisor memory.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

3rd Gen AMD EPYC Processors: before MilanPI 1.0.0.B

4th Gen AMD EPYC Processors: before GenoaPI 1.0.0.8

External links
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


HPE SimpliVity update for AMD EPYC firmware
Multiple vulnerabilities in HPE ProLiant DL Servers with AMD EPYC processors
Multiple vulnerabilities in AMD EPYC processors