CVE-2023-20572: An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force atta...
An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash message authentication code, allowing the input of an arbitrary message, potentially leading to a loss of data integrity.
Security readout for executives and security teams
Plain-English summary
CVE-2023-20572 is an AMD processor firmware/security processor issue. A highly privileged local attacker may use timing differences to brute-force a message authentication check and submit an arbitrary message, risking data integrity. The public data rates it medium severity and does not indicate active exploitation.
Executive priority
Treat as a planned firmware remediation item, not an emergency internet-facing incident. Prioritize assets where local administrators, contractors, or malware could reach privileged access, because the impact is integrity loss in a trusted processor component.
Technical view
The flaw is CWE-208, an observable timing discrepancy in the AMD Secure Processor. With local access and high privileges, an attacker could brute-force an HMAC and input an arbitrary message. CVSS v4.0 is 5.6: local attack vector, high complexity, high privileges, no user interaction, high vulnerable-system integrity impact.
Likely exposure
Exposure is limited to systems using the AMD processor families and firmware/PI versions listed in AMD-SB-4012, including multiple Ryzen, Athlon, and Threadripper desktop, mobile, and workstation lines. The attacker already needs privileged local access, reducing broad external exposure.
Exploitation context
No KEV listing is provided, and the supplied sources do not report active exploitation or public exploit availability. Practical exploitation appears constrained by local access, high privileges, and high attack complexity, but successful abuse could affect integrity protections inside the AMD security processor context.
Researcher notes
The public record identifies timing leakage in HMAC validation within ASP and potential arbitrary message input. The sources do not provide proof-of-concept details, fixed-version mapping, or exploitation evidence. Validation should remain asset-and-firmware focused and avoid speculative exploit assumptions.
Mitigation direction
Check AMD-SB-4012 and OEM advisories for corrected BIOS, firmware, or AGESA guidance.
Inventory AMD processor models and firmware versions against the affected list.
Prioritize updates for shared workstations, developer endpoints, and high-trust systems.
Limit and review local administrator or root access on affected systems.
Monitor vendor advisories for updated remediation details.
Validation and detection
Confirm CPU family and platform firmware version on each AMD system.
Compare findings with the AMD-SB-4012 affected-version matrix.
Review OEM BIOS release notes for CVE-2023-20572 or AMD-SB-4012 references.
Verify privileged local access is restricted to approved administrators.
Document systems awaiting vendor firmware guidance or updates.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-208: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-208 · source CWE mapping
Observable Timing Discrepancy
Observable Timing Discrepancy represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.