[TheRecord] AMD CPU driver bug can break KASLR, expose passwords

AMD has advised Windows users this week to update their operating systems in order to receive a patch for a dangerous vulnerability in one of its CPU chipset drivers that can be exploited to dump system memory and steal sensitive information from AMD-powered computers.

Tracked as CVE-2021-26333 and discovered by Kyriakos Economou, co-founder of security firm ZeroPeril, the vulnerability resides in the driver for the AMD Platform Security Processor (PSP), which is AMD’s equivalent of Intel’s SGX technology.

Also known as a trusted execution environment (TEE), the AMD PSP creates secure enclaves inside AMD processors that allow the operating system to process sensitive information inside cryptographically secured memory.

In order to interact with PSP enclaves, the Windows OS uses a kernel driver named amdsps.sys.

But in a report published on Wednesday, Economou said he found two issues in this driver that allow a non-admin user to dump the system memory and search for sensitive information handled by the OS.

“During our tests we managed to leak several gigabytes of uninitialized physical pages,” the ZeroPeril co-founder said.

The contents of those physical pages varied from kernel objects and arbitrary pool addresses that can be used to circumvent exploitation mitigations such as KASLR, and even registry key mappings of \Registry\Machine\SAM containing NTLM hashes of user authentication credentials that can be used in subsequent attack stages. For example, these can be used to steal credentials of a user with administrative privilege and/or be used in pass-the-hash style attacks to gain further access inside a network.

Kyriakos Economou, co-founder of security firm ZeroPeril

Patches available via Windows Update

Economou said they successfully tested attacks on AMD Ryzen 2000- and 3000-series CPUs before reporting the issue to the vendor earlier this year in April.

On Tuesday, as Microsoft rolled out its monthly batch of security updates known as Patch Tuesday, AMD issued its own advisory urging users to apply the updates as they also contained updates for its PSP chipset driver.

“AMD recommends updating to AMD PSP driver through Windows Update or by updating to AMD Chipset Driver,” the company said this week.

The Santa Clara-based hardware vendor said the following AMD CPU products are affected and that users running these products will need to look into updating their systems as well.

6th Generation AMD FX APU with Radeon™ R7 Graphics
AMD A10 APU with Radeon R6 Graphics
AMD A8 APU with Radeon R6 Graphics
AMD A6 APU with Radeon R5 Graphics
AMD A4-Series APU with Radeon Graphics
AMD Athlon™ X4 Processor
AMD E1-Series APU with Radeon Graphics
AMD Ryzen™ 1000 series Processor

The post AMD CPU driver bug can break KASLR, expose passwords appeared first on The Record by Recorded Future.
