TOCTOU Vulnerability in ASP Bootloader of AMD Products
CVE-2023-20521

3.3LOW

Key Information:

Vendor: Amd
Status: Athlon™ 3000 Series Desktop Processors With Radeon™ Graphics “picasso” Am4; Ryzen™ Threadripper™ 2000 Series Processors “colfax”; Athlon™ 3000 Series Mobile Processors With Radeon™ Graphics “dali”/”dali” Fp5; Athlon™ 3000 Series Mobile Processors With Radeon™ Graphics “pollock”
Vendor: CVE Published:; 14 November 2023

What is CVE-2023-20521?

A time-of-check to time-of-use (TOCTOU) vulnerability exists within the ASP Bootloader utilized in certain AMD products. This security flaw allows an attacker with physical access to exploit the race condition during memory content verification. By tampering with SPI ROM records after the integrity check, the attacker could compromise confidentiality or potentially initiate a denial of service, undermining the reliability of the affected devices.

Affected Version(s)

1st Gen AMD EPYC™ Processors x86 various

2nd Gen AMD EPYC™ Processors x86 various

3rd Gen AMD EPYC™ Processors x86 various

References

https://www.amd.com/en/corporate/product-security/bulleti...

vendor-advisory

https://www.amd.com/en/corporate/product-security/bulleti...

vendor-advisory

https://www.amd.com/en/corporate/product-security/bulleti...

vendor-advisory

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Physical

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 14, 2023
Vulnerability Reserved
Oct 27, 2022

Amd

What is CVE-2023-20521?

Affected Version(s)

References

CVSS V3.1

Timeline