CVE-2023-20561 — Exposed IOCTL with Insufficient Access Control in AMD Prof

CWE-782 — Exposed IOCTL with Insufficient Access Control4 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 86.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

AMD Prof AMD Uprof

Timeline

PublishedAug 8

Description

Insufficient validation of the IOCTL (Input Output Control) input buffer in AMD μProf may allow an authenticated user to send an arbitrary address potentially resulting in a Windows crash leading to denial of service.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5amd/profvarious — 4.1.396+1

▶NVDamd/amd_uprof< 4.1.396+1

Patches

Patch: www.amd.com ↗Patch: www.amd.com ↗

🔴Vulnerability Details

GHSA

GHSA-4mp8-95wg-7xm4: Insufficient validation of the IOCTL (Input Output Control) input buffer in AMD ?Prof may allow an authenticated user to send an arbitrary address pot↗2023-08-08

▶

CVEList

CVE-2023-20561: Insufficient validation of the IOCTL (Input Output Control) input buffer in AMD μProf may allow an authenticated user to send an arbitrary address pot↗2023-08-08

▶

📋Vendor Advisories

Red Hat

hw: amd: uProf allow user to send arbitrary address leading to dos↗2023-08-08

▶