AMD Chipset Driver Bug Allows Bypassing KASLR And Accessing Sensitive Data

AMD engineers fixed a bug in the chipset driver, and the company advised Windows users to update systems as soon as possible, since the vulnerability could be used to dump system memory and steal confidential information from the target machine.

The vulnerability has the identifier CVE-2021-26333 and was discovered by ZeroPeril specialists. The bug was related to the operation of Processor Platform Security (PSP), the equivalent of AMD’s Intel SGX technology. For example, AMD PSP creates secure enclaves inside AMD processors that allow the operating system to process sensitive information in cryptographically protected memory.

Windows relies on the amdsps.sys kernel driver to communicate with PSP enclaves, and researchers at ZeroPeril write that they have found a number of problems with it. During testing, they were able to retrieve several gigabytes of uninitialized physical pages, and the content of those pages ranged from kernel objects and arbitrary pool addresses that could be used to bypass KASLR, extract NTLM hashes and user authentication credentials.

Experts successfully tested the exploitation of the CVE-2021-26333 vulnerability on AMD Ryzen 2000 and 3000 series processors before reporting the issue to the manufacturer in April this year.

When Microsoft released the patches as part of the September Patch Tuesday, AMD posted a message urging users to install the updates as soon as possible, as they also contain patches for the PSP chipset driver.

According to the company, the vulnerability threatens the following processors:

1. 6th Gen AMD FX APU with Radeon R7 Graphics;
2. AMD A10 APU with Radeon R6 graphics;
3. AMD A8 APU with Radeon R6 graphics;
4. AMD A6 APU with Radeon R5 graphics;
5. AMD A4 Series APU with Radeon Graphics;
6. AMD Athlon X4;
7. AMD E1 Series APU with Radeon Graphics;
8. AMD Ryzen 1000 Series.

Let me remind you that we wrote that AMD Zen 3 processors are vulnerable to side-channel attacks.