[TheRecord] AMD CPU driver bug can break KASLR, expose passwords

AMD has advised Windows users this week to update their operating systems in order to receive a patch for a dangerous vulnerability in one of its CPU chipset drivers that can be exploited to dump system memory and steal sensitive information from AMD-powered computers.

Tracked as CVE-2021-26333 and discovered by Kyriakos Economou, co-founder of security firm ZeroPeril, the vulnerability resides in the driver for  AMD Platform Security Processor (PSP), which is AMD’s equivalent for Intel’s SGX technology.

Also known as a trusted execution environment (TEE), the AMD PSP creates secure enclaves inside AMD processors that allow the operating system to process sensitive information inside cryptographically secured memory.

In order to interact with PSP enclaves, the Windows OS uses a kernel driver named amdsps.sys.

But in a report published on Wednesday, Economou said he found two issues in this driver that allows a non-admin user to dump the system memory and search for sensitive information handled by the OS.

“During our tests we managed to leak several gigabytes of uninitialized physical pages,” the ZerPeril co-founder said.

The contents of those physical pages varied from kernel objects and arbitrary pool addresses that can be used to circumvent exploitation mitigations such as KASLR, and even registry key mappings of RegistryMachineSAM containing NTLM hashes of user authentication credentials that can be used in subsequent attack stages. For example, these can be used to steal credentials of a user with administrative privilege and/or be used in pass-the-hash style attacks to gain further access inside a network.

Kyriakos Economou, co-founder of security firm ZeroPeril

Patches available via Windows Update

Economou said they successfully tested attacks on AMD Ryzen 2000- and 3000-series CPUs before reporting the issue to the vendor earlier this year in April.

On Tuesday, as Microsoft rolled out its monthly batch of security updates known as Patch Tuesday, AMD issued its own advisory urging users to apply the updates as they also contained updates for its PSP chipset driver.

“AMD recommends updating to AMD PSP driver 5.17.0.0 through Windows Update or by updating to AMD Chipset Driver 3.08.17.735,” the company said this week.

The Santa Clara-based hardware vendor said the following AMD CPU products are affected and that users running these products will need to look into updating their systems as well.

6th Generation AMD FX APU with Radeon™ R7 GraphicsAMD A10 APU with Radeon R6 GraphicsAMD A8 APU with Radeon R6 GraphicsAMD A6 APU with Radeon R5 GraphicsAMD A4-Series APU with Radeon GraphicsAMD Athlon™ X4 ProcessorAMD E1-Series APU with Radeon GraphicsAMD Ryzen™ 1000 series Processor

The post AMD CPU driver bug can break KASLR, expose passwords appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ZDNet] XSS vulnerability found in popular WYSIWYG website editor

All posts, ZDNet

The security flaw was found in how HTML sanitizing is performed. Source: Read More (Latest topics for ZDNet in Security)

Read More

[NCSC-NL] Fraudster pretends to be NCSC-NL employee

All posts, NCSC-NL

We received multiple messages from civilians who were contacted by an individual who pretends to be an employee at NCSC-NL. Source: Read More (National Cyber Security Centre – News items)

Read More

[HackerNews] Iranian Hackers Target Several Israeli Organizations With Supply-Chain Attacks

All posts, HackerNews

IT and communication companies in Israel were at the center of a supply chain attack campaign spearheaded by an Iranian threat actor that involved impersonating the firms and their HR personnel to target victims with fake job offers in an attempt to penetrate their computers and gain access to the company’s clients. The attacks, which […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.