AMD CPU Vulnerability Found, Divulges Passwords As Non-Administrative User

AMD has released information about a driver vulnerability affecting its CPUs that allows any user not only to gain access to information but also to download it through certain Windows memory pages. An attacker can obtain passwords and launch further attacks, such as interrupting KASLR exploit mitigations, also known as Spectre and Meltdown.
This information came to light after a security researcher and co-founder of ZeroPeril, Kyriakos Economou, discovered the exploit and contacted AMD. Through their work, AMD was able to issue mitigations that are currently part of the newest CPU drivers. You can also utilize Windows Update to receive the latest AMD PSP driver.
The affected AMD chipsets are
AMD's current driver update has been available for several weeks, but this is the first time AMD has explained the details behind it.
Economou explains the process in a recently released disclosure report, which describes the vulnerability at length.
During our tests we managed to leak several gigabytes of uninitialized physical pages by allocating and freeing blocks of 100 allocations continuously until the system was not able to return a contiguous physical page buffer.
The contents of those physical pages varied from kernel objects and arbitrary pool addresses that can be used to circumvent exploitation mitigations such as KASLR, and even registry key mappings of \Registry\Machine\SAM containing NTLM hashes of user authentication credentials that can be used in subsequent attack stages.
For example, these can be used to steal credentials of a user with administrative privilege and/or be used in pass-the-hash style attacks to gain further access inside a network.
Economou initially discovered the exploit utilizing the AMD Ryzen 2000 and 3000 series. AMD originally listed only Ryzen 1000 series and older generations of CPUs in its internal advisories. Website Tom's Hardware contacted AMD after reading the document from Economou to find the above listing of affected chipsets.
The report shows that Economou targeted two separate sections of the AMD amdsps.sys driver, which is utilized by the Platform Security Processor (PSP), "an embedded chip that manages chip security." This attack allowed Economou to download several gigabytes of "uninitialized physical memory pages."
It is speculated that, because AMD has gained market share over the last year, both its chipsets and graphics cards may see more attacks, and we may see more immediate fixes in the future. We have recently seen AMD GPUs under attack through an exploit found via the memory sections of their GPUs.
AMD is instructing users to download the AMD PSP driver through Windows Update (AMD PSP driver 5.17.0.0) or the AMD CPU driver from their support page (AMD Chipset Driver 3.08.17.735).
If you have one of the CPUs listed above and your AMD PSP driver is below 5.17.0.0, please refer to these instructions on how to update your system to prevent any attacks.
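To check the installed AMD PSP driver against the fixed version 5.17.0.0 on one machine or across several, a script along these lines can be used. It is an added example, not taken from AMD or from Economou's report, and the function name and the "AMD PSP" device-name pattern are assumptions to adjust for your own inventory.

```powershell
# Fixed AMD PSP driver version named in the article.
$FixedVersion = [version]'5.17.0.0'

# Assumption: the PSP device appears with "AMD PSP" in its device name.
# Adjust this pattern if your systems list it differently.
$NamePattern = '*AMD PSP*'

# Hypothetical helper: reports the PSP driver version per machine.
function Get-AmdPspDriverStatus {
    param([string[]]$ComputerName)   # omit to query the local machine

    $query = @{ ClassName = 'Win32_PnPSignedDriver' }
    if ($ComputerName) { $query.ComputerName = $ComputerName }

    $found = Get-CimInstance @query |
        Where-Object { $_.DeviceName -like $NamePattern }

    if (-not $found) {
        Write-Warning "No device matching '$NamePattern' found; nothing to compare."
        return
    }

    foreach ($d in $found) {
        # DriverVersion is a string; TryParse avoids an exception on odd values.
        $installed = $null
        $parsed = [version]::TryParse($d.DriverVersion, [ref]$installed)

        if (-not $parsed) {
            $status = 'Unparsed'          # inspect this entry by hand
        } elseif ($installed -lt $FixedVersion) {
            $status = 'UpdateNeeded'      # below 5.17.0.0
        } else {
            $status = 'Fixed'             # 5.17.0.0 or later
        }

        # PSComputerName is empty for local queries.
        $computer = if ($d.PSComputerName) { $d.PSComputerName } else { $env:COMPUTERNAME }

        [pscustomobject]@{
            Computer  = $computer
            Device    = $d.DeviceName
            Installed = $d.DriverVersion
            Status    = $status
        }
    }
}

Get-AmdPspDriverStatus | Format-Table -AutoSize
```

Passing `-ComputerName` requires remote CIM access to the target machines; a host that returns no matching device is reported with a warning rather than as fixed.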
You can read the full report here.