AMD disclosed that its well-liked Ryzen Grasp software program utility, which allows CPU monitoring and overclocking capabilities for its lineup of client processors, has a brand new vulnerability, ranked 7.2 (Excessive), that would enable an attacker to imagine full management of the system. AMD has posted a brand new up to date model of Ryzen Grasp for Home windows 10 and Home windows 11 that corrects the difficulty.
AMD notes the difficulty stems from not validating the privilege degree of a person in the course of the Ryzen Grasp set up course of, which “might enable an attacker with low privileges to switch recordsdata probably resulting in privilege escalation and code execution by the decrease privileged person.”
This implies a person with a low privilege degree on a pc might use an older model of Ryzen Grasp to realize administrator entry, and, finally, full management of the system by altering vital system recordsdata. Nonetheless, it stays unclear if a person with out administrator entry might use the older installer to facilitate an assault.
AMD Ryzen Grasp additionally gives a number of capabilities that allow fine-grained management of the system, like entry to altering voltages and clock charges in actual time. It is unclear if these options, if accessible to a low-level person, could possibly be used for clock and voltage timing assaults in the identical vein as Hertzbleed and Plundervolt. We’re following up with AMD for additional clarification.
AMD patched a earlier situation with Ryzen Grasp, found by HP again in 2020 (opens in new tab), that additionally allowed privilege escalation (CVE-2020-12928). The corporate additionally just lately patched an error that allowed its graphics card drivers to auto-overclock the CPU with out permission. AMD additionally unveiled 31 newly-discovered vulnerabilities final month.
AMD recommends updating to at the least model 126.96.36.1997 to deliver the software program updated and patch the vulnerability. The brand new model has a number of different notable enhancements over the prevailing model, together with including assist for setting a most working temperature, which might gradual the processor as soon as it exceeds an assigned temperature. It additionally now means that you can assign a voltage increased than 5.2V. Naturally, most customers will not want that functionality for the prevailing chips, however it’s helpful for excessive overclockers and may turn out to be useful with future fashions. Notably, not all options are supported on older processors.
The brand new vulnerability is assigned the CVE-2022-27677 identifier and was launched in a coordinated vulnerability disclosure with Conor McNamara.