A Single Vulnerability Affects All AMD Ryzen Processors
Researcher: Flaw Allows Nonprivileged Users to Access Data
Security firm ZeroPeril has disclosed a vulnerability in AMD's Platform Security Processor, or PSP, chipset driver that affects almost all generations of its Ryzen processors, including some of the older AMD CPUs.
For a complete list of affected products, refer to AMD's security advisory.
The flaw, which is tracked as CVE-2021-26333, was first discovered in April 2021 by Kyriakos Economou, co-founder of the security firm ZeroPeril, who responsibly disclosed it to AMD.
Describing the vulnerability, Economou tells Information Security Media Group, "There were two issues inside the amdpsp.sys [v126.96.36.199] kernel driver module that is being shipped with multiple AMD chipsets. The first issue was the information disclosure through userland mapping of uninitialized physical pages, and the second is the memory leak bug that does not release all memory resources back to the system when it ideally should."
"The first one is a more dangerous issue," he says. "[It] allows a nonprivileged user to access data that otherwise would only be accessible by code running at kernel level and/or by processes that run with high security privileges."
Economou says a nonprivileged process "can open a handle to the userland exposed device name symbolic link and send a set of specific control code requests to the driver repeatedly to disclose as much data as possible." Economou's vulnerability report adds that the driver's discretionary access control list (DACL) may allow low-privileged users to open a handle and send requests to the driver, resulting in a potential data leak from uninitialized physical pages.
Economou notes that the two flaws are unrelated to each other, but both were verified against the latest driver revision at the time, 188.8.131.521. He adds: "AMD's current fixes have, however, addressed both the issues."
The Estimated Impact
Economou says he tested this vulnerability on two different systems with Ryzen 2000 and 3000 series CPUs and was able to leak "several gigabytes of uninitialized physical pages" over 100 continuous allocations, until there was no physical page buffer left to return.
"The contents of those physical pages varied from kernel objects and arbitrary pool addresses that can be used to circumvent exploitation mitigations such as KASLR, and even registry key mappings of \Registry\Machine\SAM containing NTLM hashes of user authentication credentials that can be used in subsequent attack stages. For example, these can be used to steal credentials of a user with administrative privilege and/or be used in pass-the-hash style attacks to gain further access inside a network," he says in the vulnerability report he prepared when reporting to AMD.
AMD's mitigation can be applied either through the recently released Windows Update, which updates the AMD PSP driver to version 184.108.40.206, or by manually downloading the updated AMD Chipset Driver 3.08.17.735 from AMD's support page.
Economou told ISMG that he is unaware of any other remediation. But in his vulnerability report, he advises the following:
- Use appropriate DACLs on device objects to block nonprivileged users from sending input/output control requests to a kernel driver whenever possible;
- Avoid userland mappings of kernel pool memory;
- If mapping kernel pool memory in userland is necessary due to the current design, then make sure that the memory has been initialized appropriately;
- Always make sure that allocated resources are freed back to the system when no longer in use.
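The last three recommendations above (avoid exposing kernel pool memory, initialize it if you must, and free what you allocate) can be shown with a small user-mode C model. This is an added example, not code from the article, from ZeroPeril or from AMD's driver: the four-page "pool" is a constructed stand-in for a kernel allocator that recycles pages without scrubbing them, `privileged_use_and_free` plays the role of whatever previously wrote sensitive data into a page, and the two `ioctl_*` functions model a request handler before and after the fix. No Windows kernel API is used; the comments name the kernel-side equivalents (RtlZeroMemory, releasing the allocation) only as pointers.

```c
/* Added example: user-mode model of an IOCTL handler that exposes
 * uninitialized pool pages and never frees them, beside a hardened
 * version. The pool and the "secret" are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  4096
#define POOL_PAGES 4      /* deliberately tiny so exhaustion is visible */

/* Model of a kernel pool: a freed page goes back on the free list with its
 * old contents intact, so the next caller inherits the previous owner's data. */
static uint8_t pool[POOL_PAGES][PAGE_SIZE];
static int     pool_in_use[POOL_PAGES];
static int     pool_outstanding;          /* allocated but not yet freed */

static void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    memset(pool_in_use, 0, sizeof pool_in_use);
    pool_outstanding = 0;
}

static uint8_t *pool_alloc(void) {
    for (int i = 0; i < POOL_PAGES; i++) {
        if (!pool_in_use[i]) {
            pool_in_use[i] = 1;
            pool_outstanding++;
            return pool[i];
        }
    }
    return NULL;   /* pool exhausted: nothing left to hand out */
}

static void pool_free(uint8_t *page) {
    for (int i = 0; i < POOL_PAGES; i++) {
        if (pool[i] == page && pool_in_use[i]) {
            pool_in_use[i] = 0;
            pool_outstanding--;
            return;
        }
    }
}

/* A privileged component writes a constructed secret into a page and frees
 * it; the bytes stay behind in the pool exactly as a real allocator leaves them. */
static void privileged_use_and_free(const char *secret) {
    uint8_t *page = pool_alloc();
    if (page == NULL) return;
    strncpy((char *)page, secret, PAGE_SIZE - 1);
    page[PAGE_SIZE - 1] = 0;
    pool_free(page);
}

/* Vulnerable handler: copies the page to the caller exactly as the allocator
 * returned it, and never releases it (both defects the article describes). */
static size_t ioctl_vulnerable(uint8_t *out, size_t out_len) {
    uint8_t *page = pool_alloc();
    if (page == NULL) return 0;
    size_t n = out_len < PAGE_SIZE ? out_len : PAGE_SIZE;
    memcpy(out, page, n);      /* stale contents reach the caller */
    return n;                  /* missing pool_free(page): the leak */
}

/* Hardened handler: scrub before exposing (RtlZeroMemory in a real driver)
 * and release the page on the way out. */
static size_t ioctl_hardened(uint8_t *out, size_t out_len) {
    uint8_t *page = pool_alloc();
    if (page == NULL) return 0;
    memset(page, 0, PAGE_SIZE);
    size_t n = out_len < PAGE_SIZE ? out_len : PAGE_SIZE;
    memcpy(out, page, n);
    pool_free(page);
    return n;
}

static int contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(buf + i, needle, nl) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler returned the secret and left its page outstanding. */
static int vulnerable_leaks_secret(void) {
    uint8_t buf[PAGE_SIZE];
    pool_reset();
    privileged_use_and_free("CONSTRUCTED-SECRET");
    size_t n = ioctl_vulnerable(buf, sizeof buf);
    return n == PAGE_SIZE && contains(buf, n, "CONSTRUCTED-SECRET") && pool_outstanding == 1;
}

/* How many requests the vulnerable handler answers before the pool runs dry. */
static int vulnerable_requests_until_exhausted(void) {
    uint8_t buf[PAGE_SIZE];
    int count = 0;
    pool_reset();
    while (ioctl_vulnerable(buf, sizeof buf) != 0) count++;
    return count;
}

/* 1 if the hardened handler returned only zeros and freed its page. */
static int hardened_is_clean(void) {
    uint8_t buf[PAGE_SIZE];
    pool_reset();
    privileged_use_and_free("CONSTRUCTED-SECRET");
    size_t n = ioctl_hardened(buf, sizeof buf);
    if (n != PAGE_SIZE || pool_outstanding != 0) return 0;
    for (size_t i = 0; i < n; i++) if (buf[i] != 0) return 0;
    return 1;
}

int main(void) {
    printf("vulnerable handler leaks prior contents: %d\n", vulnerable_leaks_secret());
    printf("vulnerable handler exhausts pool after %d requests\n", vulnerable_requests_until_exhausted());
    printf("hardened handler clean and leak-free: %d\n", hardened_is_clean());
    return 0;
}
```

Run stand-alone, the model reproduces the article's two observations in miniature: repeated requests drain the pool because nothing is ever freed, and each answered request carries whatever the previous owner left in the page. The first recommendation in the list (a restrictive DACL on the device object) is not modelled here; in a real driver it is applied when the device is created and keeps nonprivileged callers from reaching the handler at all, so it belongs alongside, not instead of, the zeroing and freeing shown.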