Issues affecting Swift 3 SF314-43 and SF314-512. AMD Zenbleed Vulnerability and KB backlit issue.

Dear Acer support,

Since it is not possible to contact Acer company directly via email, I hope one of the employees will see this message and hopefully take care of the following problems related to the Acer Swift 3 laptop.

1.) AMD Zenbleed Vulnerability.

Acer Swift 3 SF314-43 comes with AMD Ryzen™ 5 5500U. This CPU is affected by Zenbleed Vulnerability.

The last BIOS version that has been released for Swift 3 SF314-43 is v.1.08 . However this new version does not fix the Zenbleed vulnerability of AMD Ryzen™ 5 5500U.

The BIOS release notes mention that this BIOS version updates AGESA firmware to PI FP6_1.0.0.C but in order to fix the Zenbleed vulnerability for this particular CPU, AGESA firmware needs to be updated to version Cezanne PI FP6 1.0.1.0 - please refer to:

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4002.html

and

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

As you can see, CezannePI-FP6 1.0.1.0 is required in order to fix the following bugs:

CVE-2023-20563 - High Severity
CVE-2023-20565 - High Severity
CVE-2023-20571 - Medium Severity
CVE-2023-20593 - Medium Severity

Could you please confirm if Acer plans to release new BIOS version that would contain AGESA™ firmware - CezannePI FP6 1.0.1.0 to fix all of the above vulnerabilities? If so, when is the new BIOS version going to be released?

2.) Keyboard backlit (the same problem affects another model: Acer Swift 3 SF314-512 and possibly others).

The keyboard backlight on the Acer Swift 3 SF314-43 and SF314-512 models cannot be turned off by default. While it can be disabled temporarily using the Fn + F11 shortcut, the setting does not persist after a reboot. In BIOS it is only possible to change keyboard backlit timeout (Enable/Disable) however it is not possible to keep keyboard light turn off.

This poses visibility challenges, particularly in well-lit environments with the silver keyboard. Could you please introduce the new BIOS setting that allows users to configure the default keyboard backlight status to be ENABLED or DISABLED at boot, or ensure that the laptop preserves the last keyboard backlight status post-reboot?

I would greatly appreciate your feedback regarding both issues.

Accepted answers

All comments

billsey

There are no Acer employees that monitor the community support board. You have to contact Acer themselves for an answer to a question like "when will they release a BIOS".

msander452

https://community.acer.com/en/discussion/comment/1279002#Comment_1279002

Yes, sure but the problem is that ACER makes virtually impossible to contact them. Other companies make it easier to get in touch with their tech departments and in general release critical patches much quicker. This is a very serious security issue and until it is fixed by ACER people should refrain from buying this particular model of the laptop.

Since this affects all Acer laptops based on AMD Ryzen 5 it should be assigned highest priority by ACER… unless ACER does not care about their customers and sales level.

eGomes

Hi @msander452,

You can try reporting this issue via Acer's dedicated channel. However, I very much doubt and don't believe that Acer will do anything about it:

https://community.acer.com/en/kb/articles/17093-report-a-vulnerability

I've already tried to ask (countless times…) for help, and I've only wasted my precious time!

msander452

well in that case it's time to stop buying of ACER products since it looks like this company absolutely does not care about their customers and does not provide any support and takes no responsibility

billsey

Typically when those types of vulnerability are addressed, it's through update via Windows update. I just had an update like that on my main laptop with the last patch Tuesday. It took about a week before Microsoft pushed out the update. But then I'm on an Intel system, not AMD.

msander452

edit: removed duplicated post

msander452

AMD informed that this issue needs to be fixed by microcode pushed via BIOS update so that the fix is OS independent, not by Windows update. AMD already prepared and released relevant microcode patched that should be incorporated in BIOS by laptop manufacturers.

For now I can't recommend buying or using Acer Swift 3 SF314-43 laptop since the issue is not fixed and ACER did not comment anything regarding releasing new BIOS that would fix this problem. Nobody wants the have his passwords or credit cards info being stolen due to the CPU vulnerability…

eGomes

The motherboard OEM is also to blame! Which, in turn, doesn't make such updates available for the projects of its commercial partners.

Models manufactured by Compal Eletronics still receive firmware / BIOS updates, while other specific models manufactured by Quanta Computer, don't!

Don't expect these updates to be made available via Windows Update. They need to be sent by their respective manufacturers!

Unfortunately we users of the Aspire 5 A515-45(G) and Nitro 5 AN515-44 series have been abandoned and are exposed to all these vulnerabilities issues.

This is without forgetting the fTPM stuttering and audio glitches issues caused by Ryzen SMU (System Management Unit) bugs, which have already been properly resolved in AMD AGESA PI patches previously.

msander452

Exactly, ACER shouldn't abandon its clients and leave them with no support. Especially that Acer Swift 3 SF314-43 model is still being offered by Acer.

Our company was looking to by new laptops and was seriously considering to buy a couple of Swift 3 SF314-43 but after finding out about all these serious vulnerabilities and seeing that no BIOS updates were provide by ACER we won't take the risk and most likely buy laptops from different manufacturer.

billsey

Well, all my Intel based laptops (and I have several) are getting BIOS updates through Windows Update. I don't have any AMD based laptops, and my AMD based desktops are too old to be considered.

msander452

Zenbleed vulnerability is a lot more dangerous than issues that were affecting Intel processors. This vulnerability hasn't been fixed by Microsoft and there are no Windows updates that would fix all the security issues I listed in my 1st post. Also Microsoft had no obligation to provide such updates and not all customers use Windows OS.

AMD already prepared fixes that now should be incorporated in BIOS update by laptop manufacturers. Others companies such as Asus, Dell, MSI have already prepared and started offering BIOS updates for their devices that address Zenbleed, Acer has not!

It's time that they start treating their customer seriously and release new BIOS version that contains patched microcode , they need to do this for Swift 3 SF314-43 and other laptops that come with AMD processors based on Zen 2 architecture.

I believe Acer should be a bit more serious about the post sale support they provide. The company offers 2 year warranty so they are obliged to provide this kind of critical updates.

I guess customers who still have valid warranty for their AMD Zen 2 laptops could even return their products since they basically got faulty hardware…

jose23

it's ridiculous that ACER did not fix this problem and still selling this laptop, next time I will choose a different brand, horrible support!

oliv2

So I have contacted ACER support and here is the response that I have received:

"Dear Olivier,

Thank you for contacting Acer Group regarding your query. After checked internal BIOS team, Due to this project has EOL (End-of-Life) and RD evaluate PI code update from v1.0.0.C to v1.0.1.0 is a big change (Equivalent to doing 1/4 of new project). This PI code update requirement can't be supported, thanks for your understanding […]

Regards,

Thato
Acer Support."

This is a joke! This laptop model is pretty new and is still being offered by many sellers but ACER claims is that the laptop too old to fix a CRITICAL SECURITY issue affecting the processor - the laptop that they still have on offer!!! I bought this laptop 2 months ago, brand new, in a shop!!! Basically STAY AWAY FROM ACER PRODUCTS!! This is the only advice I can give to everyone who was considering to buy anything from ACER! Stay AWAY!

oliv2

So I have contacted ACER support

"Dear Olivier,

Thank you for contacting Acer Group regarding your query. After checked internal BIOS team, Due to this project has EOL (End-of-Life) and RD evaluate PI code update from v1.0.0.C to v1.0.1.0 is a big change (Equivalent to doing 1/4 of new project). This PI code update requirement can't be supported, thanks for your understanding […]

Regards,

Thato
Acer Support."

This is a joke! This laptop model is pretty new and is still being offered by many sellers but ACER claims is that the laptop too old to fix a CRITICAL SECURITY issue affecting the processor - the laptop that they still have on offer!!! I bought this laptop 2 months ago, brand new, in a shop!!!