AMD reports two security vulnerabilities in a single day

Published: 14th Oct 2020, 07:17 GMT   Comments

AMD Ryzen Master and Radeon Software vulnerabilities

To make matters worse, there is a third security vulnerability confirmed by AMD in a span of just one week. On October 7th AMD reported on the “CreateAllocation” issue, a potential security concern in AMD graphics driver. AMD has not yet provided a fix for this issue and it is expected in the first quarter of 2021.

Today AMD reported on another issue discovered in AMD graphics drivers (Radeon Software Adrenalin) called “EscapeHandler”. The new issue can result in a blue screen, but unlike CreateAllcation it was already fixed with the recent driver update.

A third issue affects AMD Ryzen Master, the overclocking and fine-tuning tool for AMD Ryzen processors. The issue may allow authenticated users to elevate from user to system privileges. AMD has already confirmed the issue and provided a hotfix in Ryzen Master 2.2.0.1543.

It is worth noting that two of the vulnerabilities were discovered by Cisco Talos intelligence and security experts.

AMD October 2020 Security Vulnerabilities
VulnerabilityCVE codeAffectedFix
CreateAllocationCVE-2020-12911AMD graphics driverComing Q1 2020
AMD Ryzen Master™ Driver VulnerabilityCVE-2020-12928AMD Ryzen MasterFixed in the latest release
Escape HandlerCVE-2020-12933AMD graphics driverFixed in the latest release

CreateAllocation (CVE-2020-12911)

10/7/2020

Our ecosystem collaborator Cisco Talos has published a new potential vulnerability in AMD graphics drivers, which may result in a blue screen. AMD believes that confidential information and long-term system functionality are not impacted, and that the user can resolve the issue by restarting the computer. AMD plans to issue updated graphics drivers to address the issue in the first quarter of 2021.

The research finds that a specially crafted D3DKMTCreateAllocation API request can cause an out-of-bounds read and denial of service (BSOD). This vulnerability can be triggered from non-privileged accounts.

We thank the researchers for their ongoing collaboration and coordinated disclosure.

AMD Ryzen Master™ Driver Vulnerability (CVE-2020-12928)

10/13/2020

A researcher has discovered a potential security vulnerability impacting AMD Ryzen™ Master that may allow authenticated users to elevate from user to system privileges. AMD has released a mitigation in AMD Ryzen Master 2.2.0.1543. AMD believes that the attack must come from a non-privileged process already running on the system when the local user runs AMD Ryzen™ Master and that a remote attack has not been demonstrated.

We thank the researcher for the ongoing collaboration and coordinated disclosure.

Escape Handler (CVE-2020-12933)

10/13/2020

Our ecosystem collaborator Cisco Talos has published a new potential vulnerability in AMD graphics drivers, which may result in a blue screen. The issue was addressed in Radeon™ Software Adrenalin 2020 Edition.

AMD believes that confidential information and long-term system functionality are not impacted, and users can resolve the issue by restarting the computer.

A specially crafted D3DKMTEscape request can cause an out-of-bounds read in Windows OS kernel memory area. This vulnerability can be triggered from a non-privileged account.

We thank the researchers for their ongoing collaboration and coordinated disclosure.

Source: AMD




Comment Policy
  • Comments must be written in English.
  • Comments deemed to be spam or solely promotional in nature will be deleted. Including a link to relevant content is permitted, but comments should be relevant to the post topic.
  • Comments containing language or concepts that could be deemed offensive will be deleted. Note this may include abusive, threatening, pornographic, offensive, misleading or libelous language.
  • A failure to comply with these rules will result in a warning and, in extreme cases, a ban.
  • Please note that comments that attack or harass an individual directly will be deleted and such comments will result in a ban.
  • VideoCardz Moderating Team reserves the right to edit or delete any comments submitted to the site without notice.
  • If you have any questions about the commenting policy, please let us know through the Contact Page.
Hide Comment Policy
Comments