A Single Vulnerability Affects All AMD Ryzen Processors

Researcher: Flaw Allows Nonprivileged Users to Access Data
A Single Vulnerability Affects All AMD Ryzen Processors
Almost all generations of AMD Ryzen processors affected by vulnerability (Image source: Shutterstock)

Security firm ZeroPeril has disclosed a vulnerability in AMD's Platform Security Processor, or PSP, chipset driver that affects almost all generations of its Ryzen processors, including some of the older AMD CPUs.

See Also: Live Webinar | Cyber Resilience: Recovering from a Ransomware Attack

For a complete list of affected products, refer to AMD's security advisory.

The Vulnerability

The flaw, which is tracked as CVE-2021-26333 was first discovered in April 2021 by Kyriakos Economou, the co-founder of security firm ZeroPeril. Economou responsibly disclosed the flaw to AMD.

Describing the vulnerability, Economou tells Information Security Media Group, "There were two issues inside the amdpsp.sys [v4.13.0.0] kernel driver module that is being shipped with multiple AMD chipsets. The first issue was the information disclosure through userland mapping of uninitialized physical pages, and the second is the memory leak bug that does not release all memory resources back to the system when it ideally should."

"The first one is a more dangerous issue," he says. "[It] allows a nonprivileged user to access data that otherwise would only be accessible by code running at kernel level and/or by processes that run with high security privileges."

Economou says the process "can open a handle to the userland exposed device name symbolic link and send a set of specific control code requests to the driver repeatedly to disclose as much data as possible." Economou's vulnerability report adds that the discretionary access control list [DACL] may allow low privileged users to open a handle and send requests to the driver resulting in a potential data leak from uninitialized physical pages.

Economou notes that these two flaws are completely irrelevant to each other but had been verified in the latest revision number at the time - He adds: "AMD's current fixes have however, addressed both the issues."

The Estimated Impact

Economou says he tested this vulnerability in two different systems using Ryzen 2000 and 3000 series CPUs and was able to leak "several gigabytes of uninitialized physical pages" from 100 continuous allocations until there was no physical page buffer left to return.

"The contents of those physical pages varied from kernel objects and arbitrary pool addresses that can be used to circumvent exploitation mitigations such as KASLR, and even registry key mappings of RegistryMachineSAM containing NTLM hashes of user authentication credentials that can be used in subsequent attack stages. For example, these can be used to steal credentials of a user with administrative privilege and/or be used in pass-the-hash style attacks to gain further access inside a network," he says in the vulnerability report he prepared when reporting to AMD.

The Mitigation

Mitigations released by AMD can be implemented either with the recently released Windows Update that recommends updating to AMD PSP driver or by manually downloading the updated AMD Chipset Driver from its support page.

Economou told ISMG that he is unaware of any other remediation. But in his vulnerability report, he advises the following:

  • Use appropriate DACLs on device objects to block nonprivileged users from sending input/output control requests to a kernel driver whenever possible;
  • Avoid userland mappings of kernel pool memory;
  • If mapping kernel pool memory in userland is necessary due to the current design, then make sure that the memory has been initialized appropriately;
  • Always make sure that allocated resources are freed back to the system when no longer in use.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.