Cyber Resilience

CVE-2023-20562

Severity: High

Published: 08 August 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: see vendor bulletin (below)
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1082 (93.5th percentile)
Risk Priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-20562 is a high-severity vulnerability, of an unspecified weakness type, in AMD uProf. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 6.5% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

AMD uProf contains a vulnerability stemming from insufficient validation of the IOCTL input buffer. The flaw affects the AMD uProf performance profiling tool and carries a CVSS 3.1 base score of 7.8, reflecting a local attack vector, low attack complexity, and low privileges required.

An authenticated local user can supply a crafted IOCTL buffer to load an unsigned driver, resulting in arbitrary kernel-mode code execution and therefore full control over the confidentiality, integrity, and availability of the system.

AMD has published mitigation guidance in security bulletin AMD-SB-7003, which addresses the issue for the affected versions of uProf. The EPSS score has remained flat at 0.1082, with no material increase observed after disclosure.

EU & UK References

Vulnerability details

Insufficient validation in the IOCTL (Input Output Control) input buffer in AMD uProf may allow an authenticated user to load an unsigned driver potentially leading to arbitrary kernel execution.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: amd
Product: amd uprof
Affected versions: ≤ 4.1.396 · ≤ 4.1-424

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References