CVE-2023-20598
AMD chipset driver, information disclosure via MMIO register access
Summary
| Field | Value |
|---|---|
| Driver | AMD chipset driver |
| Vendor | AMD |
| Vulnerability Class | Information Disclosure / MMIO Access |
| Abused Version | Versions prior to AMD chipset driver 6.05.28.016 |
| Status | Patched — updated driver restricts MMIO access |
| Exploited ITW | No |
The Story
Not every vulnerable driver gives you arbitrary kernel read/write. CVE-2023-20598 is an information disclosure in AMD's chipset driver, where certain IOCTLs allow reading MMIO (Memory-Mapped I/O) registers with user-controlled offset parameters. The driver provides low-level chipset management for AMD motherboard platforms, and the vulnerable IOCTLs expose chipset configuration data that should not be accessible to unprivileged processes.
AMD documented the vulnerability in security bulletin AMD-SB-6009 and released an updated chipset driver (version 6.05.28.016) that restricts MMIO register access to authorized ranges.
While this is a lower-severity finding compared to the full read/write drivers in the KernelSight corpus, information disclosure vulnerabilities in chipset drivers can be valuable building blocks in exploitation chains. Leaked physical address information, hardware configuration details, or chipset-specific data can help an attacker bypass KASLR or target specific memory regions in a subsequent exploitation step.
BYOVD Context
- Driver signing: Authenticode-signed by Advanced Micro Devices with valid certificate
- Vulnerable Driver Blocklist: Older versions may be included in Microsoft's recommended driver block rules
- HVCI behavior: Not specifically blocked
- KDU integration: Not integrated
- LOLDrivers: Not listed
Affected IOCTLs
- MMIO register read with user-controlled register offset
- Chipset configuration access
What the Leak Reveals
The information disclosure primitive can reveal chipset configuration data showing hardware layout, MMIO register values that may leak physical address information, and platform-specific data useful for further exploitation. On its own, this is not a privilege escalation vector. But as part of a multi-step attack, MMIO register reads can provide the address information needed to make a separate arbitrary write reliable.
Detection
YARA Rule
```yara
rule CVE_2023_20598_AMD_Chipset {
    meta:
        description = "Detects vulnerable AMD chipset driver"
        cve = "CVE-2023-20598"
        author = "KernelSight"
        severity = "medium"
    strings:
        $mz = { 4D 5A }
        $amd = "Advanced Micro Devices" wide ascii
        $chipset = "AMD Chipset" wide ascii nocase
    condition:
        $mz at 0 and $amd and $chipset
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of AMD chipset driver |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture |
Behavioral Indicators
- MMIO register read IOCTLs from non-AMD management processes
- Repeated chipset register queries from processes that don't typically interact with chipset drivers
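The YARA rule above keys on vendor strings, so it also fires on the patched 6.05.28.016 build; separating "AMD chipset driver present" from "vulnerable version present" needs a version check. The following Python is an added example, not part of the original writeup: it triages a constructed driver inventory (placeholder file names, not real AMD driver names) and flags AMD-signed drivers whose version is older than the fix, comparing components numerically so that "6.05.28.016" and "6.5.28.16" are treated as the same build.

```python
"""Triage a driver inventory for AMD chipset driver builds older than the
patched 6.05.28.016 release (CVE-2023-20598). Added example: the records
below are constructed and the file names are placeholders."""
import re

PATCHED_VERSION = "6.05.28.016"  # fixed build named in AMD-SB-6009


def parse_version(v):
    """Turn a dotted version string into a tuple of ints.
    '6.05.28.016' and '6.5.28.16' denote the same build, so components
    are compared numerically rather than as text."""
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"unparsable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_build(signer, version, patched=PATCHED_VERSION):
    """True when an AMD-signed driver reports a version older than the patch.
    Drivers from other vendors are ignored; the CVE is AMD-specific."""
    if "Advanced Micro Devices" not in signer:
        return False
    return parse_version(version) < parse_version(patched)


def triage(inventory):
    """Return image paths of AMD chipset builds that still need updating.
    Each entry is a dict with 'image', 'signer' and 'version' keys, the
    shape a defender gets from a driver-inventory export."""
    return [e["image"] for e in inventory
            if is_vulnerable_build(e["signer"], e["version"])]


# Constructed sample inventory; paths, file names and the pre-patch
# version strings are placeholders, not values taken from AMD.
SAMPLE_INVENTORY = [
    {"image": r"C:\Windows\System32\drivers\amd_chipset_old.sys",
     "signer": "Advanced Micro Devices, Inc.", "version": "6.04.12.001"},
    {"image": r"C:\Windows\System32\drivers\amd_chipset_patched.sys",
     "signer": "Advanced Micro Devices, Inc.", "version": "6.5.28.16"},
    {"image": r"C:\Windows\System32\drivers\amd_chipset_newer.sys",
     "signer": "Advanced Micro Devices, Inc.", "version": "6.06.01.000"},
    {"image": r"C:\Windows\System32\drivers\othervendor.sys",
     "signer": "Example Vendor Ltd.", "version": "1.0.0.0"},
]
```

Feed `triage()` the output of a real driver inventory (signer and file version per loaded driver) and only the first sample record, the pre-patch build, is reported.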
Broader Significance
CVE-2023-20598 is a reminder that the BYOVD landscape includes more than just full read/write primitives. Information disclosure drivers can serve as the reconnaissance phase of a multi-stage attack, leaking the physical address and hardware configuration data needed to make a subsequent exploitation step reliable. For comprehensive BYOVD defense, blocklists should cover not only the obvious read/write drivers but also the information disclosure variants that enable them.