CVE-2023-20578 - OpenCVE

A TOCTOU (Time-Of-Check-Time-Of-Use) in SMM may allow an attacker with ring0 privileges and access to the BIOS menu or UEFI shell to modify the communications buffer potentially resulting in arbitrary code execution.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Amd	Epyc 7001 Epyc 7002 Epyc 9004 Epyc Embedded 3000 Epyc Embedded 7002 Epyc Embedded 7003 Epyc Embedded 9003 Ryzen Embedded 7000 Ryzen Embedded V3000

No data.

References

Link	Providers
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html

History

Thu, 15 Aug 2024 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amd epyc Embedded 3000 Amd epyc Embedded 7002 Amd epyc Embedded 7003 Amd epyc Embedded 9003 Amd ryzen Embedded 7000 Amd ryzen Embedded V3000
CPEs	cpe:2.3:h:amd:ryzen:-:::::::*	cpe:2.3:a:amd:epyc_embedded_3000:::::::: cpe:2.3:a:amd:epyc_embedded_7002:::::::: cpe:2.3:a:amd:epyc_embedded_7003:::::::: cpe:2.3:a:amd:epyc_embedded_9003:::::::: cpe:2.3:a:amd:ryzen_embedded_7000:::::::: cpe:2.3:a:amd:ryzen_embedded_v3000::::::::
Vendors & Products	Amd ryzen	Amd epyc Embedded 3000 Amd epyc Embedded 7002 Amd epyc Embedded 7003 Amd epyc Embedded 9003 Amd ryzen Embedded 7000 Amd ryzen Embedded V3000

Thu, 15 Aug 2024 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amd Amd epyc 7001 Amd epyc 7002 Amd epyc 9004 Amd ryzen
CPEs		cpe:2.3:a:amd:epyc_9004:::::::: cpe:2.3:h:amd:epyc_7001:-:::::::* cpe:2.3:h:amd:epyc_7002:-:::::::* cpe:2.3:h:amd:ryzen:-:::::::*
Vendors & Products		Amd Amd epyc 7001 Amd epyc 7002 Amd epyc 9004 Amd ryzen
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 13 Aug 2024 17:00:00 +0000

Type	Values Removed	Values Added
Description		A TOCTOU (Time-Of-Check-Time-Of-Use) in SMM may allow an attacker with ring0 privileges and access to the BIOS menu or UEFI shell to modify the communications buffer potentially resulting in arbitrary code execution.
References		https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: AMD

Published: 2024-08-13T16:52:58.457Z

Updated: 2024-08-15T18:08:38.953Z

Reserved: 2022-10-27T18:53:39.757Z

Link: CVE-2023-20578

Vulnrichment

Updated: 2024-08-15T16:05:38.025Z

NVD

Status : Awaiting Analysis

Published: 2024-08-13T17:15:19.510

Modified: 2024-08-14T02:07:05.410

Link: CVE-2023-20578

Redhat

No data.

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object