AMD Bug could expose Credentials

AMD has advised Windows users to update their OS in order to receive a patch for a dangerous vulnerability in one of its CPU chipset drivers that can be exploited to dump system memory and steal sensitive information from AMD-powered computers.

Tracked as CVE-2021-26333, vulnerability resides in the driver for  AMD Platform Security Processor (PSP), which is AMD’s equivalent for Intel’s SGX technology known as a trusted execution environment (TEE), the AMD PSP creates secure enclaves inside AMD processors that allow the operating system to process sensitive information inside cryptographically secured memory.

To interact with PSP enclaves, the Windows OS uses a kernel driver named amdsps.sys, this driver that allows a non-admin user to dump the system memory and search for sensitive information handled by the OS.

The contents of those physical pages varied from kernel objects and arbitrary pool addresses that can be used to circumvent exploitation mitigations such as KASLR, and even registry key mappings of \Registry\Machine\SAM contain NTLM hashes of user authentication credentials that can be used in subsequent attack stages.

Researcher Note

Microsoft rolled out its monthly batch of security updates known as Patch Tuesday, AMD issued its own advisory urging users to apply the updates as they also contained updates for its PSP chipset driver.

AMD recommends updating to AMD PSP driver 5.17.0.0 through Windows Update or by updating to AMD Chipset Driver 3.08.17.735. Users running these products will need to look into updating their systems as well.