AMD disclosed that its popular Ryzen Master software utility, which enables CPU monitoring and overclocking capabilities for its lineup of consumer processors, has a new vulnerability, ranked 7.2 (High), that could allow an attacker to assume complete control of the system. AMD has posted a new updated version of Ryzen Master for Windows 10 and Windows 11 that corrects the issue.
AMD notes the issue stems from not validating the privilege level of a user during the Ryzen Master installation process, which "may allow an attacker with low privileges to modify files potentially leading to privilege escalation and code execution by the lower privileged user."
This means a user with a low privilege level on a computer could use an older version of Ryzen Master to gain administrator access, and, ultimately, full control of the system by altering important system files. However, it remains unclear if a user without administrator access could use the older install utility to facilitate an attack.
AMD Ryzen Master also provides several capabilities that enable fine-grained control of the system, like access to changing voltages and clock rates in real time. It's unclear if those features, if accessible to a low-level user, could be used for clock and voltage timing attacks in the same vein as Hertzbleed and Plundervolt. We're following up with AMD for further clarification.
AMD patched a previous issue with Ryzen Master, discovered by HP back in 2020, that also allowed privilege escalation (CVE-2020-12928). The company recently patched an error that allowed its graphics card drivers to auto-overclock the CPU without permission, and also unveiled 31 newly-discovered vulnerabilities last month.
AMD recommends updating to at least version 18.104.22.1687 to bring the software up to date and patch the vulnerability. The new version has a few other notable improvements over the existing version, including adding support for setting a maximum operating temperature, which would slow the processor once it exceeds an assigned temperature. Ryzen Master also now allows you to assign a voltage higher than 5.2V, which is far beyond the normal operating voltage (don't do this unless you know what you're doing). Naturally, most users won't need that capability for the existing chips, but it is useful for extreme overclockers and might come in handy with future models. Notably, not all features are supported on older processors.
The new vulnerability is assigned the CVE-2022-27677 identifier and was released in a coordinated vulnerability disclosure with Conor McNamara.
Stay on the Cutting Edge
Join the experts who read Tom's Hardware for the inside track on enthusiast PC tech news — and have for over 25 years. We'll send breaking news and in-depth reviews of CPUs, GPUs, AI, maker hardware and more straight to your inbox.
Paul Alcorn is the Deputy Managing Editor for Tom's Hardware US. He writes news and reviews on CPUs, storage and enterprise hardware.
So in this case, the hacker needs low level access to even contemplate this? Which in my world, means, zero likelihood of such a use case occurring.Reply
I don't really use Ryzen master but it is installed I removed the previous version and updated it anyways just in case.Reply
It affects stand alone version of Ryzen Master, right? Adrenaline has some modules integrated, but there is no mention of it being affected or not.Reply
On a side note, Microsoft should dump all the advanced privileged settings for home users. It adds unnecessary complexity and vectors of attack.
I don't think you quite understood what the article is saying.Roland Of Gilead said:So in this case, the hacker needs low level access to even contemplate this? Which in my world, means, zero likelihood of such a use case occurring.
The default access is "low-permissions", which is the more secure way to run code. The severity of this is so high BECAUSE it does not require higher permissions to execute.
I understand the article just fine, thanks!Reply
The point I was making is that if it needs physical access to the host PC to execute, or if it can be done remotely.