I reached out to Framework support February 15 to ask about their patching plans for the processor vulnerabilities AMD disclosed on February 13. Even with all the chaos of the Framework Laptop 16 launch, Framework support gave me a very transparent and detailed response the next day. Impressive!
Hello Sean,
Thank you for reaching out and for your patience; this case was escalated for review. Our Framework Laptops on the AMD Ryzen™ 7040 Series platform are currently on version PI 1.0.0.2.
Our sustaining BIOS team is working on forthcoming BIOS updates that include the update to PI 1.1.0.2 which mitigates all listed CVEs for the platform. We are working with our BIOS Vendor to test this release internally and will release a community BIOS update as soon as this internal quality assurance is complete.
To be entirely transparent we had prepared this update previously, and during internal testing we identified issues with the update which needed addressing before a customer facing release, and the subsequent update has been delayed slightly by our Vendor’s closure during the Lunar New Year Holiday in Taiwan. This update is currently our sustaining team’s highest priority so we will endeavor to provide an update in our community very soon.
Regards,
Framework Support
Here are the vulnerability details for security nerds like me:
Bulletin ID: AMD-SB-7009
AMD Ryzen™ 7040 Series Processors with Radeon™ Graphics
CVE-2023-20576
Severity: High
Insufficient Verification of Data Authenticity in AGESA™ may allow an attacker to update SPI ROM data potentially resulting in denial of service or privilege escalation.
CVE-2023-20577
Severity: High
A heap overflow in SMM module may allow an attacker with access to a second vulnerability that enables writing to SPI flash, potentially resulting in arbitrary code execution.
CVE-2023-20579
Severity: High
Improper Access Control in the AMD SPI protection feature may allow a user with Ring0 (kernel mode) privileged access to bypass protections potentially resulting in loss of integrity and availability.
CVE-2023-20587
Not affected
Minimum version to mitigate all listed CVEs: PhoenixPI-FP8-FP7 1.1.0.0 (2023-10-06)
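The practical question the bulletin leaves you with is whether the AGESA PI version your machine is running is at or above the minimum that mitigates the three CVEs. The script below is an added example, written for this post and not taken from AMD, Framework or the bulletin: it parses version strings in the two forms that appear above ("PI 1.0.0.2" from the support email and "PhoenixPI-FP8-FP7 1.1.0.0" from the bulletin), compares them numerically field by field, and reports which CVEs remain outstanding. The function and variable names are my own, and the "1.1.0.10" version used to show the pitfall of comparing version strings lexicographically is hypothetical, not a real AGESA release.

```python
"""Compare an AMD AGESA PI version against the minimum that mitigates AMD-SB-7009.

Added example for this post (not AMD's, Framework's or the bulletin's code).
The version strings below are quoted from the bulletin excerpt and the support
email; everything else here is an assumption made for illustration.
"""
import re
from typing import Dict, Tuple

# Quoted from the bulletin excerpt: minimum PI that mitigates all listed CVEs
# on the Ryzen 7040 ("Phoenix") platform.
MIN_MITIGATING_PI = "PhoenixPI-FP8-FP7 1.1.0.0"

# The three CVEs the bulletin lists as affecting this platform.
MITIGATED_CVES = ("CVE-2023-20576", "CVE-2023-20577", "CVE-2023-20579")

# Trailing dotted version at the end of the string, e.g. "1.1.0.0" in
# "PhoenixPI-FP8-FP7 1.1.0.0" or "1.0.0.2" in "PI 1.0.0.2".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)\s*$")


def parse_pi_version(text: str, parts: int = 4) -> Tuple[int, ...]:
    """Return the dotted version at the end of `text` as a tuple of ints.

    Short versions are zero-padded to `parts` fields so "1.1" compares equal
    to "1.1.0.0"; strings with no version or too many fields are rejected
    rather than silently treated as mitigated.
    """
    match = _VERSION_RE.search(text.strip())
    if not match:
        raise ValueError(f"no dotted version found in {text!r}")
    fields = [int(f) for f in match.group(1).split(".")]
    if len(fields) > parts:
        raise ValueError(f"{text!r} has more than {parts} version fields")
    return tuple(fields + [0] * (parts - len(fields)))


def is_mitigated(current: str, minimum: str = MIN_MITIGATING_PI) -> bool:
    """True if `current` is at or above `minimum`, compared field by field."""
    return parse_pi_version(current) >= parse_pi_version(minimum)


def naive_string_compare(current: str, minimum: str) -> bool:
    """The shortcut a quick shell one-liner tends to take: compare the raw
    version strings. Shown only because it is wrong once any field reaches
    two digits ("1.1.0.10" sorts below "1.1.0.2" as text)."""
    return current.split()[-1] >= minimum.split()[-1]


def report(current: str) -> Dict[str, object]:
    """Summarise the state of one machine: mitigated or not, and which CVEs
    from the bulletin are still open if not."""
    ok = is_mitigated(current)
    return {
        "current": current,
        "minimum": MIN_MITIGATING_PI,
        "mitigated": ok,
        "outstanding": () if ok else MITIGATED_CVES,
    }


if __name__ == "__main__":
    # The shipped version (PI 1.0.0.2) and the forthcoming one (PI 1.1.0.2)
    # named in the support email, checked against the bulletin's minimum.
    for version in ("PI 1.0.0.2", "PI 1.1.0.0", "PI 1.1.0.2"):
        print(report(version))
```

On Linux the SMBIOS BIOS release number is readable from /sys/class/dmi/id/bios_version, but in my experience that is the vendor's BIOS version, not the AGESA PI string, so mapping one to the other still requires the vendor's release notes; the example therefore takes the PI string as input rather than trying to read it from the system.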