AMD fixed a vulnerability in its chipset drivers that let non-administrators get passwords

First off, the vulnerability is fixed in AMD's newest PSP and chipset drivers, and AMD recommends updating to them. Kyriakos Economou, a security researcher and co-founder of ZeroPeril, uncovered the flaw and promptly contacted AMD, working closely with the red team to patch it.

The vulnerability allows an attacker to obtain information of all kinds, including the credentials of users with administrative privileges (useful for privilege escalation) and hashes that allow network access. It can even be used to bypass mitigations for other vulnerabilities so that they can be exploited later. Economou said this about the new vulnerability:

During our tests we were able to filter out multiple gigabytes of uninitialized physical pages when reserving and continuously releasing blocks of 100 reservations until the system fails to return a buffer of contiguous physical pages.

The content on these physical pages ranged from kernel objects to arbitrary pool addresses that served to bypass mitigations for vulnerabilities such as KASLR, and they even had registry key mappings of \Registry\Machine\SAM containing NTLM hashes of authentication credentials that could be used in subsequent attacks.

For example, this technique can be used to steal credentials from a user with administrative privileges or used in the "pass-the-hash" style to gain access within a network.

The PSP (Platform Security Processor) drivers should be updated to version via Windows Update, and the chipset drivers should be updated to version or newer, which already includes the PSP update that resolves this vulnerability. No BIOS updates are required.
