CVE-2023-20598
AMD chipset driver — information disclosure via MMIO register access
Summary
| Field | Value |
|---|---|
| Driver | AMD chipset driver |
| Vendor | AMD |
| Vulnerability Class | Information Disclosure / MMIO Access |
| Abused Version | Versions prior to AMD chipset driver 6.05.28.016 |
| Status | Patched — updated driver restricts MMIO access |
| Exploited ITW | No |
BYOVD Context
- Driver signing: Authenticode-signed by Advanced Micro Devices with valid certificate
- Vulnerable Driver Blocklist: Older versions may be included in Microsoft's recommended driver block rules
- HVCI behavior: Not specifically blocked
- KDU integration: Not integrated
- LOLDrivers: Not listed
Affected IOCTLs
- MMIO register read with user-controlled register offset
- Chipset configuration access
Root Cause
The AMD chipset driver provides low-level chipset management for AMD motherboard platforms. Certain IOCTLs read MMIO (Memory-Mapped I/O) registers at a user-controlled offset, with no restriction to an approved register range, potentially exposing chipset configuration data that reveals system information useful for further attacks.
AMD documented the vulnerability in security bulletin AMD-SB-6009 and released an updated chipset driver that restricts MMIO register access to authorized ranges.
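As an added illustration (not AMD's code and not the patched driver's actual logic), the C below contrasts the vulnerable pattern, a bounds test against the whole MMIO window, with a check that confines reads to an allow-list of register ranges; the request layout, window size and ranges are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request layout modelled on the pattern in the advisory (a
 * user-controlled offset into an MMIO window); not AMD's actual structure. */
struct mmio_read_request {
    uint64_t offset;   /* byte offset from the MMIO window base, caller-supplied */
    uint32_t length;   /* register width in bytes, caller-supplied */
};

/* Allow-list of readable register ranges, [start, end); constructed values. */
struct mmio_range { uint64_t start, end; };
static const struct mmio_range allowed[] = {
    { 0x0000, 0x0100 },
    { 0x1000, 0x1040 },
};

/* Vulnerable pattern: accepts any offset inside the whole window, so every
 * register the window maps, sensitive ones included, can be read. */
bool vulnerable_check(const struct mmio_read_request *r, uint64_t window_size)
{
    return r->offset < window_size;   /* length is never considered */
}

/* Hardened check: width-restricted, aligned, overflow-safe, and confined to
 * a single allow-listed range. */
bool hardened_check(const struct mmio_read_request *r)
{
    if (r->length == 0 || r->length > 8 || (r->length & (r->length - 1)))
        return false;                             /* 1, 2, 4 or 8 bytes only */
    if (r->offset % r->length)
        return false;                             /* naturally aligned */
    if (r->offset > UINT64_MAX - r->length)
        return false;                             /* offset + length would wrap */
    uint64_t end = r->offset + r->length;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (r->offset >= allowed[i].start && end <= allowed[i].end)
            return true;                          /* wholly inside one range */
    return false;
}

int main(void)
{
    struct mmio_read_request r = { 0x100, 4 };    /* just past the first range */
    printf("vulnerable: %d  hardened: %d\n",
           vulnerable_check(&r, 0x2000), hardened_check(&r));  /* 1 and 0 */
    return 0;
}
```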
Exploitation
The information disclosure primitive is less powerful than arbitrary R/W but can reveal:
- Chipset configuration data useful for understanding the system's hardware layout
- MMIO register values that may leak physical address information
- Platform-specific data useful as building blocks for further exploitation
This vulnerability is primarily useful as an information leak rather than a direct privilege escalation vector.
Detection
YARA Rule
```yara
rule CVE_2023_20598_AMD_Chipset {
    meta:
        description = "Detects vulnerable AMD chipset driver"
        cve = "CVE-2023-20598"
        author = "KernelSight"
        severity = "medium"
    strings:
        $mz = { 4D 5A }
        $amd = "Advanced Micro Devices" wide ascii
        $chipset = "AMD Chipset" wide ascii nocase
    condition:
        $mz at 0 and $amd and $chipset
}
```
The rule keys on vendor and product strings only, so it also matches patched builds; confirm the file version is below 6.05.28.016 before treating a hit as a vulnerable driver.
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of AMD chipset driver |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture |
Behavioral Indicators
- MMIO register read IOCTLs from non-AMD management processes
- Repeated chipset register queries from processes that don't typically interact with chipset drivers