CVE-2023-20562
Published: 08 August 2023
Summary
CVE-2023-20562 is a high-severity vulnerability in AMD uProf whose weakness type (CWE) is unspecified. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 6.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
AMD uProf contains a vulnerability stemming from insufficient validation of the IOCTL input buffer. This flaw affects the AMD uProf performance profiling tool and carries a CVSS 3.1 base score of 7.8, reflecting local attack vector, low complexity, and low privileges required.
An authenticated local user can supply a crafted IOCTL buffer to load an unsigned driver, resulting in arbitrary kernel-mode code execution with full control over confidentiality, integrity, and availability of the system.
AMD has published mitigation guidance in security bulletin AMD-SB-7003, which addresses the issue for affected versions of uProf. The EPSS score has remained flat at 0.1082 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-24741
Vulnerability details
Insufficient validation in the IOCTL (Input Output Control) input buffer in AMD uProf may allow an authenticated user to load an unsigned driver potentially leading to arbitrary kernel execution.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.