Strix
26.1K

CVE-2023-20521

MEDIUMCVSS 5.7/10EPSS 0.26%

Last modified

CVE-2023-20521 is a medium-severity vulnerability rated 5.7/10 on the CVSS scale. TOCTOU in the ASP Bootloader may allow an attacker with physical access to tamper with SPI ROM records after memory content verification, potentially leading to loss of confidentiality or a denial of service.. EPSS estimates a 0.26% chance of exploitation in the next 30 days.

Description

TOCTOU in the ASP Bootloader may allow an attacker with physical access to tamper with SPI ROM records after memory content verification, potentially leading to loss of confidentiality or a denial of service.

Metrics

CVSS 3.1
5.7/10

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Probability
0.26%

16.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
AmdEpyc 7001 Firmware< naplespi_1.0.0.h
AmdEpyc 7251 Firmware< naplespi_1.0.0.h
AmdEpyc 7261 Firmware< naplespi_1.0.0.h
AmdEpyc 7281 Firmware< naplespi_1.0.0.h
AmdEpyc 7301 Firmware< naplespi_1.0.0.h
AmdEpyc 7351 Firmware< naplespi_1.0.0.h
AmdEpyc 7351p Firmware< naplespi_1.0.0.h
AmdEpyc 7371 Firmware< naplespi_1.0.0.h
AmdEpyc 7401 Firmware< naplespi_1.0.0.h
AmdEpyc 7401p Firmware< naplespi_1.0.0.h
AmdEpyc 7451 Firmware< naplespi_1.0.0.h
AmdEpyc 7501 Firmware< naplespi_1.0.0.h
AmdEpyc 7551 Firmware< naplespi_1.0.0.h
AmdEpyc 7551p Firmware< naplespi_1.0.0.h
AmdEpyc 7601 Firmware< naplespi_1.0.0.h
AmdEpyc 7232p Firmware< romepi_1.0.0.d
AmdEpyc 7252 Firmware< romepi_1.0.0.d
AmdEpyc 7262 Firmware< romepi_1.0.0.d
AmdEpyc 7272 Firmware< romepi_1.0.0.d
AmdEpyc 7282 Firmware< romepi_1.0.0.d
AmdEpyc 7302 Firmware< romepi_1.0.0.d
AmdEpyc 7302p Firmware< romepi_1.0.0.d
AmdEpyc 7352 Firmware< romepi_1.0.0.d
AmdEpyc 7402 Firmware< romepi_1.0.0.d
AmdEpyc 7402p Firmware< romepi_1.0.0.d
AmdEpyc 7452 Firmware< romepi_1.0.0.d
AmdEpyc 7502 Firmware< romepi_1.0.0.d
AmdEpyc 7502p Firmware< romepi_1.0.0.d
AmdEpyc 7532 Firmware< romepi_1.0.0.d
AmdEpyc 7542 Firmware< romepi_1.0.0.d
AmdEpyc 7552 Firmware< romepi_1.0.0.d
AmdEpyc 7642 Firmware< romepi_1.0.0.d
AmdEpyc 7662 Firmware< romepi_1.0.0.d
AmdEpyc 7702 Firmware< romepi_1.0.0.d
AmdEpyc 7702p Firmware< romepi_1.0.0.d
AmdEpyc 7742 Firmware< romepi_1.0.0.d
AmdEpyc 7f32 Firmware< romepi_1.0.0.d
AmdEpyc 7f52 Firmware< romepi_1.0.0.d
AmdEpyc 7f72 Firmware< romepi_1.0.0.d
AmdEpyc 7h12 Firmware< romepi_1.0.0.d
AmdEpyc 7763 Firmware< milanpi_1.0.0.7
AmdEpyc 7713p Firmware< milanpi_1.0.0.7
AmdEpyc 7713 Firmware< milanpi_1.0.0.7
AmdEpyc 7663p Firmware< milanpi_1.0.0.7
AmdEpyc 7663 Firmware< milanpi_1.0.0.7
AmdEpyc 7643p Firmware< milanpi_1.0.0.7
AmdEpyc 7773x Firmware< milanpi_1.0.0.7
AmdEpyc 7643 Firmware< milanpi_1.0.0.7
AmdEpyc 7573x Firmware< milanpi_1.0.0.7
AmdEpyc 75f3 Firmware< milanpi_1.0.0.7

Showing 50 of 93 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-20521?
TOCTOU in the ASP Bootloader may allow an attacker with physical access to tamper with SPI ROM records after memory content verification, potentially leading to loss of confidentiality or a denial of service.
How severe is CVE-2023-20521?
CVE-2023-20521 has a CVSS score of 5.7/10 (MEDIUM severity). The EPSS model estimates a 0.26% probability of exploitation in the next 30 days.
How do I fix CVE-2023-20521?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-20521?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST