CVE-2022-23829 - Vulnerability Details

- hw: amd: SPI protection feature may result in a potential arbitrary code execution.

Description

A potential weakness in AMD SPI protection features may allow a malicious attacker with Ring0 (kernel mode) access to bypass the native System Management Mode (SMM) ROM protections.

Published: 2024-06-18

Score: 8.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AMD

AMD Ryzen™ Threadripper™ PRO Processors 5900 WX-Series

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD Ryzen™ 6000 Series Mobile Processors and Workstations

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD Ryzen™ 7000 Series Desktop Processors

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD Ryzen™ 5000 Series Mobile Processors

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD Ryzen™ 5000 Series Desktop Processors

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD Ryzen™ 3000 Series Desktop Processors

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD Ryzen™ 4000 Series Mobile Processors

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD Ryzen™ 3000 Series Mobile Processor / 2nd Gen AMD Ryzen™ Mobile Processor with Radeon™ Graphics

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD Ryzen™ Threadripper™ PRO Processor

affected

Version	Status	Constraints
`various`	affected	—

AMD

1st Gen AMD EPYC™ Processors

affected

Version	Status	Constraints
`various`	affected	—

AMD

2nd Gen AMD EPYC™ Processors

affected

Version	Status	Constraints
`various`	affected	—

AMD

3rd Gen AMD EPYC™ Processors

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD EPYC™ Embedded 3000

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD EPYC (TM) Embedded 7002

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD EPYC™ Embedded 7003

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD RyzenTM Embedded R1000

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD RyzenTM Embedded R2000

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD RyzenTM Embedded 5000

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD RyzenTM Embedded V1000

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD RyzenTM Embedded V2000

affected

Version	Status	Constraints
`various`	affected	—

AMD

AMD RyzenTM Embedded V3000

affected

Version	Status	Constraints
`various`	affected	—

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-28758	A potential weakness in AMD SPI protection features may allow a malicious attacker with Ring0 (kernel mode) access to bypass the native System Management Mode (SMM) ROM protections.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00007.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2022-23829
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1041
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-1041.html
https://www.cve.org/CVERecord?id=CVE-2022-23829

History

Thu, 29 Aug 2024 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: AMD

Published: 2024-06-18T19:01:24.315Z

Updated: 2024-08-29T20:40:26.171Z

Reserved: 2022-01-21T17:20:55.781Z

Link: CVE-2022-23829

Vulnrichment

Updated: 2024-08-03T03:51:46.075Z

NVD

Status : Deferred

Published: 2024-06-18T19:15:56.957

Modified: 2026-04-15T00:35:42.020

Link: CVE-2022-23829

Redhat

Severity : Important

Publid Date: 2024-06-11T06:30:00Z

Links: CVE-2022-23829 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-284

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object