AMD disclosed that its popular Ryzen Master software utility, which enables CPU monitoring and overclocking capabilities for its lineup of consumer processors, has a new vulnerability, ranked 7.2 (High), that could allow an attacker to assume complete control of the system. AMD has posted a new updated version of Ryzen Master for Windows 10 and Windows 11 that corrects the issue.
AMD notes the issue stems from not validating the privilege level of a user during the Ryzen Master installation process, which "may allow an attacker with low privileges to modify files potentially leading to privilege escalation and code execution by the lower privileged user."
This means a user with a low privilege level on a computer could use an older version of Ryzen Master to gain administrator access, and, ultimately, full control of the system by altering important system files. However, it remains unclear if a user without administrator access could use the older install utility to facilitate an attack.
AMD Ryzen Master also provides several capabilities that enable fine-grained control of the system, like access to changing voltages and clock rates in real time. It's unclear if those features, if accessible to a low-level user, could be used for clock and voltage timing attacks in the same vein as Hertzbleed and Plundervolt. We're following up with AMD for further clarification.
AMD patched a previous issue with Ryzen Master, discovered by HP back in 2020, that also allowed privilege escalation (CVE-2020-12928). The company recently patched an error that allowed its graphics card drivers to auto-overclock the CPU without permission, and also unveiled 31 newly-discovered vulnerabilities last month.
AMD recommends updating to at least version 2.10.1.2287 to bring the software up to date and patch the vulnerability. The new version has a few other notable improvements over the existing version, including adding support for setting a maximum operating temperature, which would slow the processor once it exceeds an assigned temperature. Ryzen Master also now allows you to assign a voltage higher than 5.2V, which is far beyond the normal operating voltage (don't do this unless you know what you're doing). Naturally, most users won't need that capability for the existing chips, but it is useful for extreme overclockers and might come in handy with future models. Notably, not all features are supported on older processors.
The new vulnerability is assigned the CVE-2022-27677 identifier and was released in a coordinated vulnerability disclosure with Conor McNamara.
