Potential Loss of Confidentiality Due to Incomplete BIOS Menu or UEFI Shell Cleanup
CVE-2023-20518

1.9 LOW

Key Information:

Vendor: AMD
Status
AMD EPYC™ 9004 Series Processors
AMD Ryzen™ 3000 Series Desktop Processors
AMD Ryzen™ 5000 Series Desktop Processors
AMD Ryzen™ 5000 Series Desktop Processor With Radeon™ Graphics
CVE Published: 13 August 2024

Summary

A vulnerability exists in AMD's Advanced Security Platform due to incomplete cleanup processes. This flaw allows a privileged attacker, who has access to the BIOS menu or UEFI shell, to potentially expose the Master Encryption Key (MEK). The risk of memory exfiltration associated with this vulnerability may lead to a significant loss of confidentiality, allowing unauthorized access to sensitive information. Organizations using affected AMD products are urged to review their security measures and apply any available patches to mitigate the risks.

Affected Version(s)

AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics ComboAM4V2 1.2.0.A

AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics PicassoPI-FP5 1.0.0.F

AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics PollockPI-FT5 1.0.0.5

CVSS V3.1

Score: 1.9
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database