AMD Graphics Driver Security Exploits for Windows 10

Bulletin ID AMD-SB-1000

Potential Impact Varies by CVE, see descriptions below

Severity Varies by CVE, see descriptions below

Summary

In a comprehensive analysis of the AMD Escape calls, a potential set of weaknesses in several APIs was discovered, which could result in escalation of privilege, denial of service, information disclosure, KASLR bypass, or arbitrary write to kernel memory.

Affected Products

AMD Graphics Driver for Windows 10

CVE Details

CVESeverityDescriptionCVE-2020-12902HighArbitrary Decrement Privilege Escalation in AMD Graphics Driver for Windows 10 may lead to escalation of privilege or denial of service.CVE-2020-12891HighAMD Radeon Software may be vulnerable to DLL Hijacking through path variable. An unprivileged user may be able to drop its malicious DLL file in any location which is in path environment variable.CVE-2020-12892HighAn untrusted search path in AMD Radeon settings Installer may lead to a privilege escalation or unauthorized code execution.CVE-2020-12893HighStack Buffer Overflow in AMD Graphics Driver for Windows 10 in Escape 0x15002a may lead to escalation of privilege or denial of service.CVE-2020-12894HighArbitrary Write in AMD Graphics Driver for Windows 10 in Escape 0x40010d may lead to arbitrary write to kernel memory or denial of service.CVE-2020-12895HighPool/Heap Overflow in AMD Graphics Driver for Windows 10 in Escape 0x110037 may lead to escalation of privilege, information disclosure or denial of service.CVE-2020-12898HighStack Buffer Overflow in AMD Graphics Driver for Windows 10 may lead to escalation of privilege or denial of service.CVE-2020-12901HighArbitrary Free After Use in AMD Graphics Driver for Windows 10 may lead to KASLR bypass or information disclosure.CVE-2020-12903HighOut of Bounds Write and Read in AMD Graphics Driver for Windows 10 in Escape 0x6002d03 may lead to escalation of privilege or denial of service.CVE-2020-12900HighAn arbitrary write vulnerability in the AMD Radeon Graphics Driver for Windows 10 potentially allows unprivileged users to gain Escalation of Privileges and cause Denial of Service.CVE-2020-12929HighImproper parameters validation in some trusted applications of the PSP contained in the AMD Graphics Driver may allow a local attacker to bypass security restrictions and achieve arbitrary code execution.CVE-2020-12960HighAMD Graphics Driver for Windows 10, amdfender.sys may improperly handle input validation on InputBuffer which may result in a denial of service (DoS).CVE-2020-12980HighAn out of bounds write and read vulnerability in the AMD Graphics Driver for Windows 10 may lead to escalation of privilege or denial of service.CVE-2020-12981HighAn insufficient input validation in the AMD Graphics Driver for Windows 10 may allow unprivileged users to unload the driver, potentially causing memory corruptions in high privileged processes, which can lead to escalation of privileges or denial of service.CVE-2020-12982HighAn invalid object pointer free vulnerability in the AMD Graphics Driver for Windows 10 may lead to escalation of privilege or denial of service.CVE-2020-12983HighAn out of bounds write vulnerability in the AMD Graphics Driver for Windows 10 may lead to escalation of privileges or denial of service.CVE-2020-12985HighAn insufficient pointer validation vulnerability in the AMD Graphics Driver for Windows 10 may lead to escalation of privilege or denial of service.CVE-2020-12986HighAn insufficient pointer validation vulnerability in the AMD Graphics Driver for Windows 10 may cause arbitrary code execution in the kernel, leading to escalation of privilege or denial of service.CVE-2020-12962MediumEscape call interface in the AMD Graphics Driver for Windows may cause privilege escalation.CVE-2020-12904MediumOut of Bounds Read in AMD Graphics Driver for Windows 10 in Escape 0x3004203 may lead to arbitrary information disclosure.CVE-2020-12905MediumOut of Bounds Read in AMD Graphics Driver for Windows 10 in Escape 0x3004403 may lead to arbitrary information disclosure.CVE-2020-12964MediumA potential privilege escalation/denial of service issue exists in the AMD Radeon Kernel Mode driver Escape 0x2000c00 Call handler. An attacker with low privilege could potentially induce a Windows BugCheck or write to leak information.CVE-2020-12987MediumA heap information leak/kernel pool address disclosure vulnerability in the AMD Graphics Driver for Windows 10 may lead to KASLR bypass.CVE-2020-12920MediumA potential denial of service issue exists in the AMD Display driver Escape 0x130007 Call handler. An attacker with low privilege could potentially induce a Windows BugCheckCVE-2020-12899MediumArbitrary Read in AMD Graphics Driver for Windows 10 may lead to KASLR bypass or denial of service.CVE-2020-12897MediumKernel Pool Address disclosure in AMD Graphics Driver for Windows 10 may lead to KASLR bypass.CVE-2020-12963MediumAn insufficient pointer validation vulnerability in the AMD Graphics Driver for Windows may allow unprivileged users to compromise the system.
Mitigation

CVEAMD Radeon Software
Mitigated Version
AMD Radeon Pro Software for Enterprise
First Mitigated Version
CVE-2020-12894
CVE-2020-12900
CVE-2020-12964
CVE-2020-12980
CVE-2020-12981
CVE-2020-12982
CVE-2020-12983
CVE-2020-12985
CVE-2020-12986
CVE-2020-1298720.7.1 and higher21.Q1 Enterprise DriverCVE-2020-12893
CVE-2020-12899
CVE-2020-12901
CVE-2020-12902
CVE-2020-12903
CVE-2020-12904
CVE-2020-12905
CVE-2020-12920
CVE-2020-12929
CVE-2020-12962
CVE-2020-12963
CVE-2020-12895
CVE-2020-1289820.11.2 and higher21.Q1 Enterprise DriverCVE-2020-12897
CVE-2020-1289221.3.1 and higher21.Q2 Enterprise DriverCVE-2020-12891
CVE-2020-1296021.4.1 and higher21.Q2 Enterprise Driver
Acknowledgement

AMD thanks the following for reporting these issues and engaging in coordinated vulnerability disclosure.

Ori Nimron (@orinimron123) : CVE-2020-12892, CVE-2020-12893, CVE-2020-12894, CVE-2020-12895, CVE-2020-12897, CVE-2020-12898, CVE-2020-12899, CVE-2020-12900, CVE-2020-12901, CVE-2020-12902, CVE-2020-12903, CVE-2020-12904, CVE-2020-12905, CVE-2020-12963, CVE-2020-12964, CVE-2020-12980, CVE-2020-12981, CVE-2020-12982, CVE-2020-12983, CVE-2020-12986, CVE-2020-12987

Eran Shimony of CyberArk Labs: CVE-2020-12892

Lucas Bouillot, of the Apple Media Products RedTeam: CVE-2020-12929

driverThru_BoB 9th: CVE-2020-12960

Source: https://www.amd.com/en/corporate/pro…in/amd-sb-1000

Thanks for info Shawn….Updated.

About the Author

Leave a Reply

Your email address will not be published.

You may also like these