Chipmakers Intel and AMD both released security advisories this Patch Tuesday, informing customers about a total of more than 130 vulnerabilities found in their products.
Intel has published 31 advisories covering roughly 105 vulnerabilities. One of the most interesting flaws patched by Intel this week is a CPU flaw discovered internally by the company and independently by Google researchers.
Dubbed Reptar and tracked as CVE-2023-23583, the security hole can allow an attacker with access to a guest machine in a multi-tenant virtualized environment to cause the host machine and other guest machines on the same host to crash. The vulnerability could potentially also lead to information disclosure or privilege escalation.
Intel also informed customers on Tuesday about a critical vulnerability — with a CVSS score of 10 — affecting Data Center Manager (DCM) software. The flaw, tracked as CVE-2023-31273, can allow an unauthenticated attacker to escalate privileges via network access.
In addition to the one describing Reptar, nine of the company’s latest advisories address high-severity vulnerabilities, including in oneAPI, Server Board and Server System BIOS firmware, QuickAssist Technology (QAT), NUC software, One Boot Flash Update (OFU) software, Connectivity Performance Suite software, In-Band Manageability software, and Unison software.
The remaining advisories describe medium- and low-severity vulnerabilities.
AMD on Tuesday published five new security advisories to inform customers about a total of 27 vulnerabilities.
One of the advisories covers CVE-2023-20592, aka CacheWarp, a new AMD CPU vulnerability that can pose a risk to virtual machines (VMs), potentially allowing attackers to hijack control flow, break into an encrypted VM, and escalate privileges. The weakness impacts AMD Secure Encrypted Virtualization (SEV).
The company has also informed customers about security holes found in Secure Processor (ASP), System Management Unit (SMU) and other components, including four high-severity issues that could lead to arbitrary code execution or privilege escalation.
A different advisory covers a high-severity flaw in SMM Supervisor, which attackers may be able to exploit for arbitrary code execution.
Ten server vulnerabilities affecting components such as ASP, SMU and SEV were also addressed, including a high-severity issue that can lead to code execution.
In graphics drivers, AMD fixed four medium-severity flaws that could allow an attacker to execute arbitrary code or cause a DoS condition.