Friday, January 24th 2020

AMD Quietly Patched Four Major GPU Security Vulnerabilities with Radeon 20.1.1 Drivers

If you haven't updated your AMD Radeon drivers in a while, here's one major reason to. The company secretly patched four major security vulnerabilities affecting Radeon GPUs in its recent Adrenalin 20.1.1 drivers, with no mention of doing so in its changelog. Talos Intelligence reports four vulnerabilities, which are chronicled under CVE-2019-5124, CVE-2019-5146, CVE-2019-5147 and CVE-2019-5183. This class of attacks exploits a vulnerability in the AMD Radeon driver file ATIDXX64.dll, which can lead to denial of service or even remote code execution. What makes things much more serious is that this attack vector can be used to exploit the host machine from a VM (tested with VMware). It even seems possible to trigger the vulnerability from a web page, through WebGL (which allows websites to run 3D applications in the browser). The vulnerabilities were tested on Radeon RX 550 / 550 Series, using VMware Workstation 15 (15.5.0 build-14665864) with Windows 10 x64 as guest VM, but there is no reason to assume that the issue is limited to just RX 550, as the AMD shader compiler shares a common code base for all recent DirectX 12 GPUs.

All vulnerabilities rely on a common attack vector: specially crafted shader code that exploits bugs in the shader compiler. Even though HLSL shader code looks similar to assembly, it actually is a relatively high-level language that gets optimized and compiled by the graphics driver. VMware's graphics acceleration lets you run 3D graphics in virtual machines, by passing along rendering info to the host GPU and then funneling the output back into the VM. Since the shader code gets compiled using the graphics driver of the host OS, this creates interesting opportunities for attacks.
Normally you'd expect the shader compiler to properly check all code it compiles and simply reject things that aren't supposed to work.
  • The first vulnerability, CVE-2019-5146, is briefly described as "AMD ATI Radeon ATIDXX64.DLL MAD shader functionality denial-of-service vulnerability."
  • CVE-2019-5147 describes "AMD ATI Radeon ATIDXX64.DLL MOVC shader functionality denial-of-service vulnerability."
  • CVE-2019-5124 points to "AMD ATI Radeon ATIDXX64.DLL shader functionality constant buffer denial-of-service vulnerability."
  • CVE-2019-5183 talks about "AMD ATI Radeon ATIDXX64.DLL shader functionality VTABLE remote code execution vulnerability."
The first three CVEs are all variations of a similar approach: malformed shader code crashes the graphics driver, which in a VM situation would crash the VM software, taking all running virtual machines down with it.

The last vulnerability is more serious, because it potentially allows remote code execution. If you pass a properly crafted shader, you can execute vTable methods, which give you control over code flow, instead of crashing with an error. With further bug exploitation that would let you execute arbitrary code that you supply.

All four vulnerabilities have been patched with Adrenalin 20.1.1 drivers. AMD rival NVIDIA also battles security vulnerabilities in secret, but the company tends to be more transparent in mentioning vulnerabilities patched in its driver release notes. AMD's release notes for 20.1.1, in contrast, omit any mention of the vulnerabilities, so most people aren't even aware that they should update their drivers to fix a security issue. Sources: Talos Intelligence 1, 2, 3, 4
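A host-side exposure check for the situation described above, as an added example (not code from the article, AMD, VMware or Talos): it compares the installed Adrenalin release against 20.1.1 and lists the VMs whose .vmx file turns on 3D acceleration. The `mks.enable3d` key is VMware's 3D acceleration setting; the VM names and .vmx contents are constructed, and treating a missing key as disabled is an assumption.

```python
import re

FIXED = (20, 1, 1)  # Adrenalin release that the article says carries the fixes

def parse_adrenalin(version):
    """'19.10.01' -> (19, 10, 1); numeric fields, so 19.10 sorts after 19.9."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Adrenalin version: {version!r}")
    return tuple(int(p) for p in parts)

def is_patched(version):
    """True when the release is 20.1.1 or newer."""
    return parse_adrenalin(version) >= FIXED

# key = "value" lines as they appear in a .vmx file
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def vmx_3d_enabled(vmx_text):
    """True if any line of the .vmx text enables 3D acceleration.
    Assumption: a missing mks.enable3d key is treated as disabled."""
    for line in vmx_text.splitlines():
        m = VMX_LINE.match(line)
        if (m and m.group(1).lower() == "mks.enable3d"
                and m.group(2).strip().upper() == "TRUE"):
            return True
    return False

def exposed_vms(host_driver, vmx_files):
    """Names of VMs whose guest shaders reach an unpatched host driver."""
    if is_patched(host_driver):
        return []
    return sorted(n for n, text in vmx_files.items() if vmx_3d_enabled(text))

# Constructed sample inventory (VM names and .vmx contents are made up).
SAMPLE_VMX = {
    "build-agent": 'displayName = "build-agent"\nmks.enable3d = "TRUE"\n',
    "mail-relay": 'displayName = "mail-relay"\nmks.enable3d = "FALSE"\n',
    "legacy-guest": 'displayName = "legacy-guest"\n',
}

if __name__ == "__main__":
    for driver in ("19.9.2", "19.10.01", "20.1.1", "20.1.3"):
        state = "patched" if is_patched(driver) else "unpatched"
        print(driver, state, exposed_vms(driver, SAMPLE_VMX))
```

The version strings are the Adrenalin package versions named on this page; the file version of ATIDXX64.dll itself is not given here, so the check does not rely on it.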

41 Comments on AMD Quietly Patched Four Major GPU Security Vulnerabilities with Radeon 20.1.1 Drivers

#1
Cobain
This is not good. But I'm sure ppl won't make as big a deal of this, as if it was with Intel or nVidia
#2
Romulus2K4
That's pretty disingenuous of AMD.
#3
Dave65
Yeah, Nvidia gets such awful treatment:/
#4
GoldenX
Quick to laugh at Intel on vulnerabilities, but so quiet when it happens to them. What a joke.
#5
Chomiq
Someone would complain either way. Keeping it quiet wasn't a good move PR wise.
#6
delshay
So I take it 20.1.2 & 20.1.3 are not affected.
#7
Romulus2K4
delshay
So I take it 20.1.2 & 20.1.3 are not affected.
One would assume that the vulnerability fixes are carried on to newer drivers.
#8
r.h.p
I've reverted back to Oct 19.10.01 drivers. less performance and firkin see through apps on desktop and game crashes with the Christmas whml update, and also today's beta is no better.

So begs the question is my pc vulnerable …….lol as if there is so much knowledge I have hehe
#9
Xuper
ohh, I'm using VirtualBox Ver 5.2.34 and AMD 19.9.2. I'm sure they update VirtualBox. damn now I have to upgrade AMD driver.
#10
JB_Gamer
GoldenX
Quick to laugh at Intel on vulnerabilities, but so quiet when it happens to them. What a joke.
Have they (Amd) laughed - joker?
#12
$ReaPeR$
why would any company advertise their problems?! and since they already fixed it this is a non-issue.
#13
sutyi
$ReaPeR$
why would any company advertise their problems?! and since they already fixed it this is a non-issue.
To let users on older vulnerable driver packages know, that they might want to update...
#14
$ReaPeR$
sutyi
To let users on older vulnerable driver packages know, that they might want to update...
right... and you are complaining about it in a thread that informs you about the fixed vulnerabilities while you have a 1060 in your system specs.. makes a lot of sense.. in some universe.
#15
windwhirl
r.h.p
I've reverted back to Oct 19.10.01 drivers. less performance and firkin see through apps on desktop and game crashes with the Christmas whml update, and also today's beta is no better.

So begs the question is my pc vulnerable …….lol as if there is so much knowledge I have hehe
The vulnerabilities were disclosed during October, so it is safe to assume that drivers from that date are vulnerable too.

I think AMD should have issued a warning, not just add a line in the release notes, since this is a potential problem especially for users of WHQL versions, who tend to stay longer on a specific release before updating again.
#16
yeeeeman
OMG, thought AMD is perfect. I thought only Intel has vulnerabilities. My heart is pretty...broken right now.
Now, in a more serious note, I like how people are acting: "Oh my, so my PC is vulnerable now? What shall I do? Oh no!". Who gives a damn about your photos and sh*t?
Target PCs are government, banks, military, not the average Joe. But seems like the average Joe cares too much about this and govnmts probably don't give a damn. Which is exactly the other way around.
Guys, there is no such thing as a safe chip. Chips have by design backdoors and various intricacies that, given enough time and interest from researchers (read people with no life), they will be found. And since Intel is basically in 90% of the PCs worldwide, you wouldn't expect them to focus on AMD, right? Fret not, I will spare you the surprise, AMD chips are as vulnerable if not more vulnerable than Intels. Intel has enough experience and safety requests from many of its partners that I don't think they just said, f*ck it, lets leave this chip full of holes. There are certain design trade-offs that you have to make and quite simply, given how complex these things are, it is impossible to make them without vulnerabilities. Amd is just a different design so it is not affected by the same things as Intel chips are. But this doesn't mean they are perfect. They just have different vulnerabilities that weren't researched yet.
So please, use your brains when reading news, because these guys (press) take us as fools. Which in part we are...unfortunately.
And stop this vulnerabilities panic, cause it's getting boring now...really. Safety is a money making argument. Microsoft forces you to buy windows 10 cause it is safer. After 1-2 years they will make you buy windows 11 cause it is again...safer. These are just arguments that work on people that don't have a clue about how businesses work. They must create needs for us. To take your money.
#17
Cheeseball
Not a Potato
The first three vulnerabilities cause the driver to crash, the last one allows potential payloads to be executed through a VM.

This is not too critical considering the general userbase of Radeon Software. At most this would affect workstations that have any consumer-level Radeon (and not Radeon Pro or Instinct). Unless the ATIDXX64.DLL in Radeon Software is the same one in the PRO drivers.
#18
$ReaPeR$
yeeeeman
OMG, thought AMD is perfect. I thought only Intel has vulnerabilities. My heart is pretty...broken right now.
Now, in a more serious note, I like how people are acting: "Oh my, so my PC is vulnerable now? What shall I do? Oh no!". Who gives a damn about your photos and sh*t?
Target PCs are government, banks, military, not the average Joe. But seems like the average Joe cares too much about this and govnmts probably don't give a damn. Which is exactly the other way around.
Guys, there is no such thing as a safe chip. Chips have by design backdoors and various intricacies that, given enough time and interest from researchers (read people with no life), they will be found. And since Intel is basically in 90% of the PCs worldwide, you wouldn't expect them to focus on AMD, right? Fret not, I will spare you the surprise, AMD chips are as vulnerable if not more vulnerable than Intels. Intel has enough experience and safety requests from many of its partners that I don't think they just said, f*ck it, lets leave this chip full of holes. There are certain design trade-offs that you have to make and quite simply, given how complex these things are, it is impossible to make them without vulnerabilities. Amd is just a different design so it is not affected by the same things as Intel chips are. But this doesn't mean they are perfect. They just have different vulnerabilities that weren't researched yet.
So please, use your brains when reading news, because these guys (press) take us as fools. Which in part we are...unfortunately.
And stop this vulnerabilities panic, cause it's getting boring now...really. Safety is a money making argument. Microsoft forces you to buy windows 10 cause it is safer. After 1-2 years they will make you buy windows 11 cause it is again...safer. These are just arguments that work on people that don't have a clue about how businesses work. They must create needs for us. To take your money.
dude... the post is about gpus. also, since when more than a decade of intel's shit shortcuts that put speed over security is comparable to something like this?! i agree with your general point though, security is basically used by companies to get more money from us and trolls to polarize the audience. and yes, all companies are guilty, just not to the same degree.
#19
JB_Gamer
yeeeeman
OMG, thought AMD is perfect. I thought only Intel has vulnerabilities. My heart is pretty...broken right now.
Now, in a more serious note, I like how people are acting: "Oh my, so my PC is vulnerable now? What shall I do? Oh no!". Who gives a damn about your photos and sh*t?
Target PCs are government, banks, military, not the average Joe. But seems like the average Joe cares too much about this and govnmts probably don't give a damn. Which is exactly the other way around.
Guys, there is no such thing as a safe chip. Chips have by design backdoors and various intricacies that, given enough time and interest from researchers (read people with no life), they will be found. And since Intel is basically in 90% of the PCs worldwide, you wouldn't expect them to focus on AMD, right? Fret not, I will spare you the surprise, AMD chips are as vulnerable if not more vulnerable than Intels. Intel has enough experience and safety requests from many of its partners that I don't think they just said, f*ck it, lets leave this chip full of holes. There are certain design trade-offs that you have to make and quite simply, given how complex these things are, it is impossible to make them without vulnerabilities. Amd is just a different design so it is not affected by the same things as Intel chips are. But this doesn't mean they are perfect. They just have different vulnerabilities that weren't researched yet.
So please, use your brains when reading news, because these guys (press) take us as fools. Which in part we are...unfortunately.
And stop this vulnerabilities panic, cause it's getting boring now...really. Safety is a money making argument. Microsoft forces you to buy windows 10 cause it is safer. After 1-2 years they will make you buy windows 11 cause it is again...safer. These are just arguments that work on people that don't have a clue about how businesses work. They must create needs for us. To take your money.
You are SO clever, according to your own judgement.
#21
Steevo
It's a driver level vulnerability, and if AMD and MS wanted I'm sure they could push the update of WHQL drivers, mostly on MS though as just imagine the outcry if AMD could push a notification or force a driver update...... People would lose their freaking minds.


Also, the difference here isn't an unsecure chip, but a function of a Browser viewing a webpage with OpenGL accelerated code that exposed a vulnerability due to how a driver handles that code. And it's been fixed without a BIOS update and performance drop. So nothing like Intel.
#22
Romulus2K4
IceShroom
https://www.techpowerup.com/257949/nvidia-issues-warning-to-upgrade-drivers-due-to-security-patches
And AMD didn't even bother to warn or notify anybody hence being disingenuous. So what's your point?

I am not sure why some users are telling people that not notifying the existence of these vulnerabilities or patching them under the hood without any disclosure doesn't matter. I am sure if the same thing was done by intel or nvidia, they'd be the first ones to cry foul.

Steevo
Also, the difference here isn't an unsecure chip, but a function of a Browser viewing a webpage with OpenGL accelerated code that exposed a vulnerability due to how a driver handles that code. And it's been fixed without a BIOS update and performance drop. So nothing like Intel.
It is yet to be determined whether there's a performance penalty or not. For example, the original Zen CPUs had software mitigation in place, that had very little impact on the performance but the problem was there. They addressed it at a hardware level with Zen+ so that the software mitigation was no longer necessary.

$ReaPeR$
why would any company advertise their problems?! and since they already fixed it this is a non-issue.
That's probably the most intelligent response I have yet to come across in this thread. Yeah, why does AMD even bother to include a release note or a changelog to begin with, they should totally do away with that.
#23
R-T-B
Romulus2K4
It is yet to be determined whether there's a performance penalty or not.
This is a software shader compiler bug, no gpu hardware is involved. Hence no penalty.
#24
r.h.p
windwhirl
The vulnerabilities were disclosed during October, so it is safe to assume that drivers from that date are vulnerable too.

I think AMD should have issued a warning, not just add a line in the release notes, since this is a potential problem especially for users of WHQL versions, who tend to stay longer on a specific release before updating again.
honestly these last few driver updates haven't worked out for my machine, usually the updates do nothing but these ones are actually crashing programs, lol its funny i reckon.
i have to turn off freesync to get smooth flicker free gaming on cheap games from steam. maybe the hardware is too advanced for the software, I don't know god damn it (ellen ripley)
#25
sutyi
$ReaPeR$
right... and you are complaining about it in a thread that informs you about the fixed vulnerabilities while you have a 1060 in your system specs.. makes a lot of sense.. in some universe.
What has this anything to do with the fact that I have a GTX 1060 in my rig?
Me owning a GeForce card makes my statement somehow less true?
If I were using an RX 580 then my opinion on the matter would turn magically valid? I'm confused. :confused:


Were there security holes? Yes.
Were they in the release notes? No.
Did they fix them? Yes.
Would you have known to update for security problems you didn't even know you had? Double No.

So it might not make a lot of sense to you, but for me it makes sense to get informed on security problems preferably directly from the HW vendors that I'm using and not through an IT news portal sourcing a 3rd party source, that I might want to update drivers in the foreseeable future.