AMD finder to alvorlige sikkerhedssårbarheder

Radeon rx 6000 event okt
For at gøre tingene værre er dette en tredje sikkerhedssårbarhed, der er bekræftet af AMD i løbet af kun en uge. Den 7. oktober rapporterede AMD om “CreateAllocation” -problemet, et potentielt sikkerhedsproblem i AMD-grafikdriveren. AMD har endnu ikke leveret en løsning på dette problem, og det forventes først at ske i første kvartal af 2021.

I dag rapporterede AMD om endnu et problem opdaget i AMD-grafikdrivere (Radeon Software Adrenalin) kaldet "EscapeHandler". Det nye problem kan resultere i en BSOD, men i modsætning til CreateAllcation var det allerede rettet med den seneste driveropdatering.

Et tredje problem påvirker AMD Ryzen Master, overclocking og finjusteringsværktøjet til AMD Ryzen-processorer. Problemet tillader muligvis godkendte brugere at fjerne systemrettigheder fra alle andre. AMD har allerede bekræftet problemet og leveret et hotfix i Ryzen Master 2.2.0.1543.

Det er værd at bemærke, at to af sårbarhederne blev opdaget af Cisco Talos efterretnings- og sikkerhedsexperter.

CreateAllocation (CVE-2020-12911)

10/7/2020

“Our ecosystem collaborator Cisco Talos has published a new potential vulnerability in AMD graphics drivers, which may result in a blue screen. AMD believes that confidential information and long-term system functionality are not impacted, and that the user can resolve the issue by restarting the computer. AMD plans to issue updated graphics drivers to address the issue in the first quarter of 2021.

The research finds that a specially crafted D3DKMTCreateAllocation API request can cause an out-of-bounds read and denial of service (BSOD). This vulnerability can be triggered from non-privileged accounts.

We thank the researchers for their ongoing collaboration and coordinated disclosure.”

AMD Ryzen Master™ Driver Vulnerability (CVE-2020-12928)

10/13/2020

“A researcher has discovered a potential security vulnerability impacting AMD Ryzen™ Master that may allow authenticated users to elevate from user to system privileges. AMD has released a mitigation in AMD Ryzen Master 2.2.0.1543. AMD believes that the attack must come from a non-privileged process already running on the system when the local user runs AMD Ryzen™ Master and that a remote attack has not been demonstrated.

We thank the researcher for the ongoing collaboration and coordinated disclosure.”

Escape Handler (CVE-2020-12933)

10/13/2020

“Our ecosystem collaborator Cisco Talos has published a new potential vulnerability in AMD graphics drivers, which may result in a blue screen. The issue was addressed in Radeon™ Software Adrenalin 2020 Edition. 

AMD believes that confidential information and long-term system functionality are not impacted, and users can resolve the issue by restarting the computer.

A specially crafted D3DKMTEscape request can cause an out-of-bounds read in Windows OS kernel memory area. This vulnerability can be triggered from a non-privileged account.

We thank the researchers for their ongoing collaboration and coordinated disclosure.”



Source & Image credit:

AMD