TOCTOU Vulnerability in ASP Bootloader of AMD Products
CVE-2023-20521
3.3LOW
Key Information:
- Vendor
Amd
- Status
- Athlon™ 3000 Series Desktop Processors With Radeon™ Graphics “picasso” Am4
- Ryzen™ Threadripper™ 2000 Series Processors “colfax”
- Athlon™ 3000 Series Mobile Processors With Radeon™ Graphics “dali”/”dali” Fp5
- Athlon™ 3000 Series Mobile Processors With Radeon™ Graphics “pollock”
- Vendor
- CVE Published:
- 14 November 2023
What is CVE-2023-20521?
A time-of-check to time-of-use (TOCTOU) vulnerability exists within the ASP Bootloader utilized in certain AMD products. This security flaw allows an attacker with physical access to exploit the race condition during memory content verification. By tampering with SPI ROM records after the integrity check, the attacker could compromise confidentiality or potentially initiate a denial of service, undermining the reliability of the affected devices.
Affected Version(s)
1st Gen AMD EPYC™ Processors x86 various
2nd Gen AMD EPYC™ Processors x86 various
3rd Gen AMD EPYC™ Processors x86 various