Security Vulnerabilities processor with unpatched AMD AGESA PI in Acer Swift 3 SF314-43-R2LX

Marty11
Marty11 Member Posts: 119 Skilled Fixer WiFi Icon
edited November 2022 in Swift and Spin Series
The Acer Swift 3 SF314-43-R2LX contains an AMD processor with unpatched security vulnerabilities. They allow attackers to run arbitrary code and to bypass security mechanisms provided in the UEFI firmware. These attacks happen so early in Platform Initialization (PI), that they are undetectable and unstoppable by virus scanners.

Acer please respond to these vulnerabilities with a BIOS update that contains the 2022/02/28 AGESA patches provided by AMD.

Just like other modern processors the AMD 5700U is a SoC (System on a Chip) that contains its own discrete Platform Security Processor (PSP). The PSP itself is a simple ARM Cortex processor core, that does initialization of the main CPU and secure boot loading. The (firmware) code that is run by this Security Processor is called AGESA PI (AMDs Generic Encapsulated Software Architecture - Platform Initialization). It contains flaws. These flaws have been confirmed by AMD (see below). Luckily AMD provided patches for these flaws. The patches are in AGESA PI version: CezannePI-FP6 1.0.0.9a 02/28/2022. A user can't install those directly. In order to update the AGESA PI code, it needs to be integrated into a BIOS update. Acer needs to integrate the patches by AMD into a new BIOS update in order for users of Acer systems to install them and patch the vulnerabilities.

Here are the details about the security flaws:

The SoC AMD 5700U processor in the Acer Swift 3 SF314-43-R2LX contains unmitigated security flaws that need to be patched with AGESA PI update CezannePI-FP6 1.0.0.9a 2022/02/28. The AGESA patches need to be integrated into a new BIOS update.
The latest BIOS update from Acer is: version 1.04 with external release date 2021/08/31 and internal date: 2021/07/28 does not contain the AGESA PI patches from 2022/02/28.

In AMD's may 2022 security bulletin (Bulletin ID: AMD-SB-1027) the following security vulnerabilities were identified:
During security reviews in collaboration with Google, Microsoft, and Oracle, potential vulnerabilities in the AMD Secure Processor (ASP), AMD System Management Unit (SMU), AMD Secure Encrypted Virtualization (SEV) and other platform components were discovered and have been mitigated in AMD AGESA™ PI packages.
For the AMD 5700U processor (an AMD Ryzen™ 5000 Series Mobile processor  with Radeon™ graphics, internal name: “Lucienne”) the vulnerabilities are:
  • CVE-2020-12944
    CVE-2020-12946
    CVE-2020-12951
    CVE-2021-26312
    CVE-2021-26361
    CVE-2021-26362
    CVE-2021-26363
    CVE-2021-26366
    CVE-2021-26368
    CVE-2021-26369
    CVE-2021-26386
    CVE-2021-26388
    CVE-2021-26382
    CVE-2021-26317
    CVE-2021-39298
    CVE-2021-26339
    CVE-2021-26384
(Read more about the details of these vulnerabilities here.)

As the latest available BIOS update for the Acer Swift 3 SF314-43-R2LX is from 2021/07/28 and the patches were release by AMD on 02/28/2022. The vulnerabilities cannot be patched and therefore the Acer Swift 3 SF314-43 is at risk.

To determine your current AGESA version is very hard if not impossible without information from Acer. The AGESA version contained in a BIOS update needs to be stated in the release notes of that BIOS update. But Acer did not provide that information.

With the tool HWiNFO the following information can be retrieved from an Acer Swift 3 SF314-43 running BIOS update V1.04  2021/08/3 (the latest BIOS update available by Acer at this moment):
  • Current MCU (CPU Microcode Update revision): 8608102
  • BIOS: V1.04  07/28/2021
  • SMU Firmware: 55.75.0 (System Management Unit)
How can one determine AGESA PI version from these values?
[Edited the thread to add issue detail]
«13

Answers

  • JackE
    JackE ACE Posts: 45,069 Trailblazer
    Sorry. You've posted to an Acer user's forum. We are not Acer employees, customer or technical service reps or contractors who have any influence over release of updates that address or otherwise fix this or any other alleged issues that may or may not pose significant real-world risks.

    Jack E/NJ

  • Marty11
    Marty11 Member Posts: 119 Skilled Fixer WiFi Icon
    @JackE Okay, do you know what the proper channels are to get this under the attention of Acer? I was not expecting that a new laptop would be vulnerable and furthermore unsecurable? All those management engines are proving to be a security nightmare.

    Do you know how one can determine the AGESA PI version? I can't believe there aren't any release notes with the BIOS code. There must be. How could one obtain them?
  • JackE
    JackE ACE Posts: 45,069 Trailblazer
    Any updates or patches relating to your concerns would appear at this link. If you don't find any now, you must keep checking the link like the rest of us users to see if any new updates are posted and available for downloading that address your concerns. They can appear at any time and, as noted earlier, we users have little or no influence on if/when this gets done for any model.

    HWINFO or AIDA might reveal the version number. The BIOS also might have hidden options and info in each tab that would revealed by pressing Ctrl+S if they exist.

    If you find this response unacceptable, then I suggest that you IMMEDIATELY return the machine to the vendor/seller as not meeting your security needs for a refund or exchange on another brand or model before the seller's return merchandise authorization (RMA) period expires. Usually only a few weeks. 

    Jack E/NJ

  • Marty11
    Marty11 Member Posts: 119 Skilled Fixer WiFi Icon
    @JackE Thanks for your response. The <CTRL>+S did reveal 2 options (thanks for the tip), but it didn't reveal the current AGESA PI version.
    I dove deep into the most recent V1.04 BIOS image with a Hex-editor. In the UEFI module "SetupUtility" I found:
    Cezanne PI-FP6 1.0.0.1a
    So the AGESA PI version in the latest v1.04 BIOS image is lagging behind and vulnerable to the described exploits.
    Returning the machine within the RMA period is a passed station unfortunately.
    I hope Acer will quickly create a new BIOS update that incorporates the AGESA PI update CezannePI-FP6 1.0.0.9a 2022/02/28 from AMD that contains patches for the vulnerabilities. Any progress updates by Acer would be welcome, even a won't fix notice.
  • jcmolero71
    jcmolero71 Member Posts: 24 Networker
    I found a way to read that info from bios unlocking the hidden menus and the results for my aspire 5 are:
    Original bios 1.08:CezannePI-FP6 1.0.0.1
    Updated bios 1.10: CezannePI-FP6 1.0.0.1
    1.10 from 2022/03/01

    It's sad ACER is not putting any effort in fixing  that issue, it's a clue where are my problems coming from
  • JackE
    JackE ACE Posts: 45,069 Trailblazer
    Perhaps if you click the green ask a question button to start your own new thread, we might be able to better address the cause for your problems whatever they seem to be.

    Jack E/NJ

  • Marty11
    Marty11 Member Posts: 119 Skilled Fixer WiFi Icon
    edited August 2022
    I found a way to read that info from bios unlocking the hidden menus and the results for my aspire 5 are:
    Original bios 1.08:CezannePI-FP6 1.0.0.1
    Updated bios 1.10: CezannePI-FP6 1.0.0.1
    1.10 from 2022/03/01

    It's sad ACER is not putting any effort in fixing  that issue, it's a clue where are my problems coming from

    @jcmolero71 Thanks for your reply. I'd be very curious to find out how you found out your AGESA PI version? Going through the BIOS image with a hex editor was quit a bit of work.
    I just checked the drivers support site again and there's still no BIOS update available. The latest one is still from 2021/08/31, which is almost a year ago. In the mean time my brand new system is vulnerable to security exploits and therefor not fit for use...
  • Marty11
    Marty11 Member Posts: 119 Skilled Fixer WiFi Icon

    It is now over a year ago since Acer's last BIOS release (2021/08/31 version 1.04).

    It's a new system bought in April. Is it EOL already?

    What are the chances that the security vulnerabilities will be patched with a new BIOS release?

  • JackE
    JackE ACE Posts: 45,069 Trailblazer

    >>>The vulnerabilities cannot be patched and therefore the Acer Swift 3 SF314-43 is at risk.>>>

    >>>What are the chances that the security vulnerabilities will be patched with a new BIOS release?>>>>

    Perhaps these 'potential' vulnerabilities --- whatever they are --- have been over-hyped or otherwise greatly exaggerated. Or perhaps the potential or risk is so low in Acer's proprietary mainboards, that patches might cause more problems or adverse side effects that are worse than the risk. Can you describe --- in 25 words or less --- exactly what risks or vulnerabilities we should be concerned with? A list would be good. Such as the vultnerability or risk can ---

    1. Reveal keyboard strokes to a remote user
    2. Allow access to personal info folders to a remote user
    3. Scan browser memory for saved passwords
    4. Track user search engine queries and sites visited
    5. Allow my neighbors to access my wifi router/modem
    6. All of the above
    7. And more.

    Jack E/NJ

  • Marty11
    Marty11 Member Posts: 119 Skilled Fixer WiFi Icon

    Acer release a new BIOS update: v 1.06 (v 1.05 has not been released).

    But don't get your hopes up. The AGESA PI version has not been updated, but low and behold, it was downgraded to: Cezanne PI-FP6 1.0.0.1 in BIOS update v 1.06.

    The only release note to be found was: "Support Win11 SV2.". To determine the AGESA version is very hard if not impossible without information from Acer. The AGESA version contained in a BIOS update needs to be stated in the release notes of that BIOS update. But Acer did not provide that information and even downgraded the AGESA PI version from Cezanne PI-FP6 1.0.0.1a to Cezanne PI-FP6 1.0.0.1, which is a far cry from the desired AGESA PI update CezannePI-FP6 1.0.0.9a 2022/02/28 which will fix the vulnerabilities.

    I dove deep into the most recent V1.06 BIOS image with a Hex-editor. In the UEFI module "AmdVersionDxe" I found:

    Cezanne PI-FP6 1.0.0.1

    So the AGESA PI version in the latest v1.06 BIOS image is lagging behind even more and still vulnerable to the described exploits.


    @JackE

    FYI, Here are some of the vulnerabilities:

    CVE-2021-26317

    7.9 (High)

    Failure to verify the protocol in SMM may allow an attacker to control the protocol and modify SPI flash resulting in a potential arbitrary code execution.

    CVE-2021-26335

    7.5 (High)

    Improper input and range checking in the AMD Secure Processor (ASP) boot loader image header may allow an attacker to use attacker-controlled values prior to signature validation potentially resulting in arbitrary code execution.

    CVE-2021-39298

    7.5 (High)

    A potential vulnerability in AMD System Management Mode (SMM) interrupt handler may allow an attacker with high privileges to access the SMM resulting in arbitrary code execution which could be used by malicious actors to bypass security mechanisms provided in the UEFI firmware.

    Please read up on the other 25 vulnerabilities yourself. They are linked in the opening post.

  • JackE
    JackE ACE Posts: 45,069 Trailblazer

    Unfortunately, doesn't seem like this kind of geek-speak can be easily translated into plain English that would allow most users on these forums, including myself, to adequately judge the actual real world probabilities (eg what's 'high' really mean? 99.44%? 10%? 1%? Less?) and seriousness (eg an online banking account emptied?) of these alleged firmware vulnerabilities.

    Jack E/NJ

  • Marty11
    Marty11 Member Posts: 119 Skilled Fixer WiFi Icon

    From Wikipedia: CVE advisories

    The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-securityvulnerabilities and exposures.[1] The United States' National Cybersecurity FFRDC, operated by The Mitre Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security.[2]

    Stop making yourself ridiculous by calling CVE advisories a bunch bunch of geek-speak and alleged vulnerabilities. Troll elsewhere...

  • JackE
    JackE ACE Posts: 45,069 Trailblazer

    Sorry, most users on these forums can't relate to these acronyms, agencies or what they all mean in practical everyday terms. All most users care about are any updates available that can be downloaded to take care of this scary-sounding stuff. We are not Acer employees or tech service or software/firmware design folks on these forums. Only Acer users trying to help other users such as yourself. So you have do like the rest of us who might be concerned about this security issue and keep checking the Acer download site at this link for updates that might address it. Because we neither can predict nor have any influence on when or even if these updates will appear for this model. Good luck.

    Jack E/NJ

  • Marty11
    Marty11 Member Posts: 119 Skilled Fixer WiFi Icon
    Encryption-breaking, password-leaking bug in AMD CPU 5700U contained in the Acer Swift 3 SF314-43

    "Zenbleed" bug affects all Zen 2-based Ryzen, Threadripper, and EPYC CPUs.

    A recently disclosed bug in many of AMD's newer consumer, workstation,
    and server processors can cause the chips to leak data at a rate of up
    to 30 kilobytes per core per second, writes Tavis Ormandy, a member of Google's Project Zero security team.
    Executed properly, the so-called "Zenbleed" vulnerability
    (CVE-2023-20593) could give attackers access to encryption keys and root
    and user passwords, along with other sensitive data from any system
    using a CPU based on AMD's Zen 2 architecture.

    Read all about it at: arstechnica.com.

    AMD security bulletin confirms Zenbleed bug

    In AMD's Jul 24, 2023 security bulletin (Bulletin ID: AMD-SB-7008) the new security vulnerability was confirmed:

    MOBILE - AMD Ryzen™ Series

    Mitigation details

    Update to versions listed or higher

    AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics
    “Lucienne”

    AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics
    “Renoir”

    AMD Ryzen™ 7020 Series Processors

    “Mendocino” FT6

    AGESA™ firmware

    CezannePI-FP6_1.0.1.0

    (Target Dec 2023)

    RenoirPI-FP6_1.0.0.D

    (Target Nov 2023)

    MendocinoPI-FT6_1.0.0.6

    (Target Dec 2023)

    A fix by AMD isn't expected before Dev 2023. Then that fix will need to be propagated by Acer to its end-customers via a Firmware ( / BIOS) update for the Acer Swift 3 SF314-43.

    Acer hasn't even incorporated the previous security vulnerabilities wherefore fixes do exist (see above).

  • Marty11
    Marty11 Member Posts: 119 Skilled Fixer WiFi Icon
    edited July 2023

    If you're running linux, you can check vulnerability for the Zenbleed bug with the spectre-meltdown-checker.

    When I check on the latest Ubuntu LTS release, then I get the following output :

    CVE-2023-20593 aka 'Zenbleed, cross-process information leak'
    Zenbleed mitigation is supported by kernel:  NOZenbleed kernel mitigation enabled and active:  NO  (FP_BACKUP_FIX is cleared in DE_CFG)Zenbleed mitigation is supported by CPU microcode:  NO
    STATUS:  VULNERABLE  (Your kernel is too old to mitigate Zenbleed and your CPU microcode doesn't mitigate it either)
    

    Debian also have a Security Advisory regarding Zenbleed: DSA-5459-1 amd64-microcode -- security update

    Be aware that a future Linux kernel patch will not secure you when you're running Windows. You really need a Firmware/BIOS patch.

  • eGomes
    eGomes Member Posts: 4,534 Guru

    Hi @Marty11,

    Unfortunately Acer is a totally irresponsible and brazen Company, which simply ignores this problem of the lack of updating of the AGESA and SMU microcode in its laptops equipped with AMD Ryzen processors.

    In view of such gravity, I am trying to draw up a preliminary survey containing BIOS, AGESA and SMU versions in the topic below:

    Thank you Acer! 🤡

  • billsey
    billsey ACE Posts: 34,536 Trailblazer

    Heheh, complaining about a missing patch three days after it's announced… These days almost all EFI patches are pushed by Microsoft through Windows update.

    Click on "Like" if you find my answer useful or click on "Yes" if it answers your question.
  • eGomes
    eGomes Member Posts: 4,534 Guru

    Sorry @billsey,

    But we've been waiting for these AGESA patches for over a year, and Acer just does absolutely nothing. Microsoft has no obligation to offer such patches, since AMD mentions that they should be done through UEFI firmware.

    Kindly stop trying to demoralize and make light of our complaint. Because you as an "honorary member" of the Acer Community's doesn't need this!

    Regards,

    eGomes

  • billsey
    billsey ACE Posts: 34,536 Trailblazer

    I get EFI updates through Windows Update every month or so, on all my machines that aren't too old. It doesn't matter the brand of system, just the chipset.

    Click on "Like" if you find my answer useful or click on "Yes" if it answers your question.
  • msander452
    msander452 Member Posts: 17 Troubleshooter

    The last BIOS version that has been released for Swift 3 SF314-43 is v.1.08.

    However this new version does not fix the Zenbleed vulnerability of AMD Ryzen™ 5 5500U. The BIOS release notes mention that this BIOS version updates AGESA firmware to PI FP6_1.0.0.C but  in order to fix the Zenbleed vulnerability for this particular CPU, AGESA firmware needs to be updated to version Cezanne PI FP6 1.0.1.0  - please refer to:

    https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4002.html and https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html


    CezannePI-FP6 1.0.1.0 is required in order to fix the following bugs:


    CVE-2023-20563 - High Severity

    CVE-2023-20565 - High Severity

    CVE-2023-20571 - Medium Severity

    CVE-2023-20593 - Medium Severity

    Acer please release new BIOS version that would contain AGESA™ firmware - CezannePI FP6 1.0.1.0 to fix all of the above vulnerabilities.

    Also, there seems to be another issue with this and SF314-512 model - not really a security but something that could be fixed in BIOS - the problem of keyboard backlight, it seems that this backlit cannot be turned off by default. While it can be disabled temporarily using the Fn + F11 shortcut, the setting does not persist after a reboot. In BIOS it is only possible to change keyboard backlit timeout (Enable/Disable) however it is not possible to keep keyboard light turn off. This poses visibility challenges, particularly in well-lit environments with the silver keyboard. Could you please introduce the new BIOS setting that allows
    users to configure the default keyboard backlight status to be ENABLED or DISABLED at boot, or ensure that the laptop preserves the last keyboard backlight status post-reboot?