There is a new vulnerability in the market and AMD has finally shared some details about it. The new chipset vulnerability can allow non-privileged users to read and dump some types of memory pages in Windows.
This technique will allow an attacker to easily steal passwords or enable other types of attacks, which even includes circumventing standard KASLR exploitation mitigations. This latest information about the above-mentioned chipset vulnerability came out as a part of a coordinated disclosure with Kyriakos Economou, a security researcher and co-founder of ZeroPeril.
Kyriakos Economou has previously exploited the vulnerability to downloaded several gigabytes of sensitive data from impacted AMD processors and it did this as a non-admin user. AMD has prepared mitigations that can be downloaded either as part of its latest chipset drivers or by using Windows Update to update the AMD PSP driver.
The patch was originally issued by AMD several weeks ago, however, it was without disclosing which vulnerabilities were addressed. But this new disclosure has answered all those questions. According to sources, the security researchers first discovered the flaw with Ryzen 2000- and 3000-series chips, however, initially AMD had listed only the Ryzen 1000 and older chips in its advisory.
But, Kyriakos Economou noted the discrepancy and followed up with AMD about the issue. The chipmaker was quick enough to update the page with a full list of impacted processors that spans its entire modern consumer processor lineup as well as many older models.
The models affected are given below(Updated list):
- 2nd Gen AMD Ryzen Mobile Processor with Radeon Graphics
- 2nd Gen AMD Ryzen Threadripper processor
- 3rd Gen AMD Ryzen™ Threadripper™ Processors
- 6th Generation AMD A-series CPU with Radeon™ Graphics
- 6th Generation AMD A-Series Mobile Processor
- 6th Generation AMD FX APU with Radeon™ R7 Graphics
- 7th Generation AMD A-Series APUs
- 7th Generation AMD A-Series Mobile Processor
- 7th Generation AMD E-Series Mobile Processor
- AMD A4-Series APU with Radeon Graphics
- AMD A6 APU with Radeon R5 Graphics
- AMD A8 APU with Radeon R6 Graphics
- AMD A10 APU with Radeon R6 Graphics
- AMD 3000 Series Mobile Processors with Radeon™ Graphics
- AMD Athlon 3000 Series Mobile Processors with Radeon™ Graphics
- AMD Athlon Mobile Processors with Radeon™ Graphics
- AMD Athlon X4 Processor
- AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics
- AMD Athlon™ X4 Processor
- AMD E1-Series APU with Radeon Graphics
- AMD Ryzen™ 1000 series Processor
- AMD Ryzen™ 2000 series Desktop Processor
- AMD Ryzen™ 2000 series Mobile Processor
- AMD Ryzen™ 3000 Series Desktop Processor
- AMD Ryzen™ 3000 series Mobile Processor with Radeon™ Graphics
- AMD Ryzen™ 3000 series Mobile Processor
- AMD Ryzen™ 4000 Series Desktop Processor with Radeon™ Graphics
- AMD Ryzen™ 5000 Series Desktop Processor
- AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics
- AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics
- AMD Ryzen™ Threadripper™ PRO Processor
- AMD Ryzen™ Threadripper™ Processor
In its research, Economou attacked two separate issues with AMD’s amps.sys driver for its Platform Security Processor (PSP). The vulnerability allowed them to easily extract multiple gigabytes of the uninitialized physical memory page. Here’s a summary from their report:
“During our tests, we managed to leak several gigabytes of uninitialized physical pages by allocating and freeing blocks of 100 allocations continuously until the system was not able to return a contiguous physical page buffer.
The contents of those physical pages varied from kernel objects and arbitrary pool addresses that can be used to circumvent exploitation mitigations such as KASLR, and even registry key mappings of \Registry\Machine\SAM containing NTLM hashes of user authentication credentials that can be used in subsequent attack stages.
For example, these can be used to steal credentials of a user with administrative privilege and/or be used in pass-the-hash style attacks to gain further access inside a network.”
AMD has issued advice to the users with impacted CPUs to update to AMD PSP driver 184.108.40.206 via Windows Update or to AMD Chipset Driver 3.08.17.735 or newer in the future. AMD’s chipset vulnerability disclosure comes on the heels of news that all of its processors suffer from a Meltdown-like vulnerability.