AMD Patches Zenbleed Vulnerability with AGESA 1.2.0.Ca Update

[AleksandarK]

AMD classified the Zenbleed vulnerability, CVE-2023-20593, as a medium-level threat about a year ago. AMD has acknowledged that it could potentially allow an attacker to access sensitive information under certain microarchitectural circumstances. Today, MSI has released new BIOS updates featuring AMD's AM4 AGESA 1.2.0.Ca firmware update. This update addresses the Zenbleed vulnerability affecting AMD's Ryzen 4000 series Zen 2 APUs. MSI is proactively rolling out the new BIOS updates across its range of compatible motherboards. The updates are currently available for almost all X570 motherboards, with support for other chipsets and 400 series motherboards expected to follow soon.

The AGESA 1.2.0.Ca firmware update specifically targets the Zenbleed vulnerability in the Zen 2 microarchitecture. Although the vulnerability primarily affects Ryzen 4000 "Renoir" APUs, it also exists in other Zen 2 processors, including the Ryzen 3000 series and certain EPYC and Threadripper CPUs. AMD has already addressed the Zenbleed vulnerability in previous AGESA microcode updates for Ryzen 3000 processors and other platforms, such as EPYC server CPUs and Ryzen mobile CPUs. However, the Ryzen Embedded V2000 CPUs are still awaiting the EmbeddedPi-FP6 1.0.0.9 AGESA firmware update, which is expected to be released by April. While AMD has not explicitly stated whether the security update will impact performance, previous testing of Zenbleed fixes has shown potential performance drops of up to 15% in certain workloads, although gaming performance remained relatively unaffected. Users with AM4 chips based on architectures other than Zen 2, such as Zen+ or Zen 3, do not need to update their BIOS as they are not affected by this specific vulnerability.



View at TechPowerUp Main Site | Source

 

[Quicks]

How does this affect performance?

Anyone willing to test and share their findings.

 

[Muser99]

How does this affect performance?

Anyone willing to test and share their findings.

See this AMD Zenbleed Vulnerability Fix Tested: Some Apps Drop 15%, Gaming Unaffected | Tom's Hardware (tomshardware.com)

 

[azrael]

ASUS released BIOS updates with this AGESA version for several motherboards about a month ago. Seems MSI is somewhat late to the party.

 

[archaon89]

I updated some time ago on my Asus, having a 5800x3d I don't have any performance decrease right?

 

[Quicks]

I updated some time ago on my Asus, having a 5800x3d I don't have any performance decrease right?

"Users with AM4 chips based on architectures other than Zen 2, such as Zen+ or Zen 3, do not need to update their BIOS as they are not affected by this specific vulnerability."

So technically you are not affected by this and should not lose any performance.

 

[P4-630]

I updated some time ago on my Asus, having a 5800x3d I don't have any performance decrease right?

You're ok it seems.

5800X3D safe from Zen bleed?

From everything I've seen it's exclusively zen 2 architecture chips that are vulnerable, which should rule out my 5800X3D being Zen 3 based, but I keep seeing mention of some 5000 series being affected too. Are these just a few APUs still using Zen 2 or is it wider than this? I'd rather avoid a...

www.techpowerup.com

 

[Makaveli]

i've been running this bios for a few weeks now and its been good. I feel like they fixed more than what the release notes say it. On the desktop for me I find windows feels alittle faster.

Some people reported similar on reddit.

https://www.reddit.com/r/ASUS/comments/1bw1wem

 

[Waldorf]

Since the previous one was running for a couple of month, i can tell something is up,
multiple times it got stuck on powering up/reboot and i had to use (case) reboot to get it to post.

so far it seems to within range when it comes to perf, but still saw numbers being a little lower than prior test runs
with a "dirty" os, only tested CB adn 3DMark tho.

 

[cvaldes]

ASUS released BIOS updates with this AGESA version for several motherboards about a month ago. Seems MSI is somewhat late to the party.

MSI is late to the party but not all other motherboard manufacturers have patched all of their products yet.

I have an ASUS ROG Strix B550-I that still does not have the latest AGESA on the ASUS support website.

 

[chrcoluk]

i've been running this bios for a few weeks now and its been good. I feel like they fixed more than what the release notes say it. On the desktop for me I find windows feels alittle faster.

Some people reported similar on reddit.

https://www.reddit.com/r/ASUS/comments/1bw1wem

CPU microcode updates can fix other stuff as well, so its possible.

 

[RJARRRPCGP]

multiple times it got stuck on powering up/reboot and i had to use (case) reboot to get it to post.

PSU may be the cause, possibly got unlucky with faulty PSU caps.
I have experienced that symptom when OC'ing CPU core(s) and forgot to enable CPU LLC, but that was with my Core 2 Duo E4500. But when I was in Windows, stability tests would pass.

 

[Waldorf]

with my 1y old RMX750 having no prior issues with the transients of my 2080S,
stable running pbo (170/120/140) on 5950x plus 2.2 GHz on the gpu,
but now suddenly cant handle everything on stock (incl jedec for ram)?

doubt that, if the only change is a bios update.

 

[RJARRRPCGP]

lol, so with my 1y RMX750 having no issues with the transients of my 2080S, and stable running pbo on 5950 + 2-2.2 oc on the gpu before,
but now suddenly cant handle everything on stock incl jedec for ram?
doubt that, if the only change is a bios update.

OK, so you checked it. Including of course, to see if there are abnormal voltage drops?

 

[Waldorf]

yeah, everything as expected, quite the opposite, i seem to have a little bit more SOC on jedec using auto,
but nothing im worried about, as im finished with clean install, and will go AMP soon.

kind of surprised, as i used msi for almost all of my friends/customer ryzen builds,
and having gone thru multiple bios releases, never had any issues,
except one beta.

gonna leave it for now, but technically speaking i wont need it,
so just might go back to v18..

 

[mechtech]

Hmmmm so another newer one 1.2.0.Ca

 

[Waldorf]

ummm, but it says 1.2.B?
thats the (old) "latest" for those not affected, 1.2.C is the security fix for pre 5000 series,
unless you're using d-sub (included fix), no need to install C on yours.

 

[Chry]

THIS COMMENT IS DIRECTED NOT AT THIS PARTICULAR UPDATE BUT AT THE CONCEPT OF CPU MICROCODE UPDATES THAT NOTABLY REDUCE PERFORMANCE

Imagine sacrificing 15% of your CPU power because of some remote, highly conditional vulnerability that you don't even care about on your gaming PC.
These patches need to be optional (as in, optional when updating)! Preferably in BIOS settings.

Also, are these patches another way of achieving the ability to claim "Our Zen5 CPUs are 80% more powerful than Zen2" or the like? Not nice they are basically nerfing the old platforms. At least the update is optional.

 

[freeagent]

Imagine sacrificing 15% of your CPU power

Intel users on LGA1366 to LGA 115x are for sure hooped. They took a major hit due to specter/meltdown mitigations. I just started using 3rd gen when Intel/MS started rolling them out. It was brutal watching my GFlop performance drop.

 

[R-T-B]

Another thing to consider is you are benefiting from herd immunity of sorts when they push these out, I have a feeling the bad guys would be using this attack vector far far more if it were universally sure to be available. As it stands, its nearly always patched, so they do not bother.

 

[Waldorf]

@Chry
except that +80% of gamers are gpu limited, hence it wont matter.
and if your system needs 15% more cpu to be able to run a game,
its probably a good idea to "upgrade" anyway..

@R-T-B
except for those in 3rd world countries that might not have heard much about the patched part,
and bought some "hacking" package to make some money.
sure this isnt something here, but if its something affecting me, i wont rely on the chance.

 

[Assimilator]

No update for my TRX40-E yet, hurry up ASUS...

 

[Waldorf]

yeah, funny.
you except they would start with the top and go downwards,
or maybe they go by volume sold, as in covering more units.

 

[Ferrum Master]

Another thing to consider is you are benefiting from herd immunity of sorts when they push these out, I have a feeling the bad guys would be using this attack vector far far more if it were universally sure to be available. As it stands, its nearly always patched, so they do not bother.

Yeah... but if you use Linux... imho you are already patched like for a year or so. If we dig into server area... well... no concerns then.

 

[Waldorf]

@RJARRRPCGP
definitely something up if used on 5000 series, event log full of critical issues,
only starting after 1.2.c was installed, and none since i downgraded back to 1.2.b.