AMD logo image 2

Security vulnerabilities found in AMD’s Radeon Software GPU driver and Ryzen Master Tool


Some security vulnerabilities were spotted recently in AMD’s software, notably in the Radeon Software Adrenalin GPU graphics driver, and the Ryzen Master utility/app which is used to overclock and tune AMD Ryzen processors.

The good news is that two of these recent vulnerabilities have been patched by AMD, with a fix coming in first quarter of 2021 for the remaining third vulnerability. These three vulnerabilities are Escape Handler, AMD Ryzen Master Driver Vulnerability, and CreateAllocation, respectively.

CreateAllocation was first highlighted on October 7’Th and the remaining two have been reported just after 1 week on the 13’Th. ‘Escape Handler’ and ‘CreateAllocation’ both affect AMD’s Radeon Software graphics driver, and the ‘AMD Ryzen Master Driver Vulnerability’ only affects the Ryzen Master OC tool.

EscapeHandler issue can result in a blue screen, and the AMD Ryzen Master Driver Vulnerability may allow authenticated users to elevate from user to system privileges. These vulnerabilities were discovered by Cisco Talos intelligence group and other security experts.

Here is the full description.

Escape Handler (CVE-2020-12933):

10/13/2020

“Our ecosystem collaborator Cisco Talos has published a new potential vulnerability in AMD graphics drivers, which may result in a blue screen. The issue was addressed in Radeon™ Software Adrenalin 2020 Edition available here. AMD believes that confidential information and long-term system functionality are not impacted, and users can resolve the issue by restarting the computer.

A specially crafted D3DKMTEscape request can cause an out-of-bounds read in Windows OS kernel memory area. This vulnerability can be triggered from a non-privileged account. We thank the researchers for their ongoing collaboration and coordinated disclosure. More information on their research can be found on the Cisco Talos website.”

AMD Ryzen Master™ Driver Vulnerability (CVE-2020-12928):

10/13/2020

“A researcher has discovered a potential security vulnerability impacting AMD Ryzen™ Master that may allow authenticated users to elevate from user to system privileges. AMD has released a mitigation in AMD Ryzen Master 2.2.0.1543. AMD believes that the attack must come from a non-privileged process already running on the system when the local user runs AMD Ryzen™ Master and that a remote attack has not been demonstrated. The latest version of the software is available for download at https://www.amd.com/en/technologies/ryzen-master

We thank the researcher for the ongoing collaboration and coordinated disclosure.”

CreateAllocation (CVE-2020-12911)

10/7/2020

“Our ecosystem collaborator Cisco Talos has published a new potential vulnerability in AMD graphics drivers, which may result in a blue screen. AMD believes that confidential information and long-term system functionality are not impacted, and that the user can resolve the issue by restarting the computer. AMD plans to issue updated graphics drivers to address the issue in the first quarter of 2021.

The research finds that a specially crafted D3DKMTCreateAllocation API request can cause an out-of-bounds read and denial of service (BSOD). This vulnerability can be triggered from non-privileged accounts.

We thank the researchers for their ongoing collaboration and coordinated disclosure. More information on their research can be found on the Cisco Talos website.”

Stay tuned for more!