Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered multiple vulnerabilities in Intel’s Graphics Accelerator Driver and in an AMD Radeon driver. The Intel driver was released in 2019 and is used in multiple Intel integrated and non-integrated GPUs. It is likely that an attacker could use these vulnerabilities to exploit users remotely. The vulnerability could also be used to escape out of a Hyper-V virtual machine to access the host machine. Talos discovered that the RemoteFX feature in Hyper-V affects both the Intel and AMD products and can be used to perform a Hyper-V guest-to-host escape. Microsoft disabled the RemoteFX feature as part of this month’s Patch Tuesday.
In accordance with our disclosure policy, Talos contacted Intel, AMD and Microsoft about these bugs. Microsoft elected to disable RemoteFX vGPU from Hyper-V to fix these issues on their side, with full removal of RemoteFX vGPU planned for a future date. More information is available here.
AMD has released its own set of patches. Intel has thus far declined to issue its own update to address these vulnerabilities, but we are still disclosing them per Cisco’s vulnerability disclosure policy.
These vulnerabilities are an example of what can go right, and wrong, when two different products are tied so closely together. Talos recommends a holistic approach to security where all products are regularly updated, regardless of which vendors are releasing updates for the vulnerabilities in question. However, this shows that when two vendors disagree on a security issue, it can leave some users vulnerable. An adversary could use any of these vulnerabilities to execute code remotely on affected products once they’ve supplied the victim with the appropriate exploit.
Note that the CVEs for the Intel vulnerabilities below only apply to Microsoft’s HyperV instance, as Intel has refused to issue CVEs for the issues.
Vulnerability details
Intel IGC64.DLL Shader Functionality DCL_OUTPUT code execution vulnerability (TALOS-2020-0978/CVE-2020-1032 — Issued by Microsoft)
An exploitable memory corruption vulnerability exists in Intel's IGC64.DLL graphics driver, version 26.20.100.7584. A specially crafted vertex shader can cause an out-of-bounds write, which could lead to arbitrary code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running on virtualization environments to perform a guest-to-host escape, as was demonstrated before in TALOS-2018-0533, TALOS-2018-0568, etc. We triggered this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to executing the vulnerable code on the Hyper-V host (inside of the rdvgm.exe process). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).
Read the complete vulnerability advisory here for additional information.
Intel IGC64.DLL shader functionality ATOMIC_ADD code execution vulnerability (TALOS-2020-0979/CVE-2020-1036 — Issued by Microsoft)
An exploitable memory corruption vulnerability exists in Intel's IGC64.DLL graphics driver, version 26.20.100.7584. A specially crafted pixel shader can cause an out-of-bounds write, which could lead to arbitrary code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running on virtualization environments to perform a guest-to-host escape, as was demonstrated before in TALOS-2018-0533, TALOS-2018-0568, etc. We triggered this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to executing the vulnerable code on the Hyper-V host (inside of the rdvgm.exe process). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).
Read the complete vulnerability advisory here for additional information.
Intel IGC64.DLL shader functionality DCL_INDEXABLETEMP code execution vulnerability (TALOS-2020-0980/CVE-2020-1040 — Issued by Microsoft)
An exploitable memory corruption vulnerability exists in Intel's IGC64.DLL graphics driver, version 26.20.100.7584. A specially crafted compute shader can cause an out-of-bounds write, which could lead to arbitrary code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running on virtualization environments to perform a guest-to-host escape, as was demonstrated before in TALOS-2018-0533, TALOS-2018-0568, etc. We triggered this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to executing the vulnerable code on the Hyper-V host (inside of the rdvgm.exe process). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).
Read the complete vulnerability advisory here for additional information.
Intel IGC64.DLL shader functionality realloc code execution vulnerability (TALOS-2020-0981/CVE-2020-1041 — Issued by Microsoft)
An exploitable pointer corruption vulnerability exists in Intel's IGC64.DLL graphics driver, version 26.20.100.7584. A specially crafted pixel shader can corrupt a pointer, which could lead to arbitrary code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running on virtualization environments to perform a guest-to-host escape, as was demonstrated before in TALOS-2018-0533, TALOS-2018-0568, etc. We triggered this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to executing the vulnerable code on the Hyper-V host (inside of the rdvgm.exe process). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).
Read the complete vulnerability advisory here for additional information.
Intel IGC64.DLL Shader Functionality HeapReAlloc code execution vulnerability (TALOS-2020-0982/CVE-2020-1042 — Issued by Microsoft)
An exploitable double-free vulnerability exists in Intel's IGC64.DLL graphics driver, version 26.20.100.7584. A specially crafted geometry shader can cause a double free, leading to arbitrary code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running on virtualization environments to perform a guest-to-host escape, as was demonstrated before in TALOS-2018-0533, TALOS-2018-0568, etc. We triggered this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to executing the vulnerable code on the Hyper-V host (inside of the rdvgm.exe process). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).
Read the complete vulnerability advisory here for additional information.
Intel IGC64.DLL Shader Functionality hull shader denial of service vulnerability (TALOS-2020-0983/CVE-2020-1043 — Issued by Microsoft)
An exploitable denial-of-service vulnerability exists in Intel's IGC64.DLL graphics driver. A specially crafted hull shader can cause a NULL pointer dereference. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running on virtualization environments to perform a guest-to-host escape, as was demonstrated before in TALOS-2018-0533, TALOS-2018-0568, etc. We triggered this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to executing the vulnerable code on the Hyper-V host (inside of the rdvgm.exe process). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).
Read the complete vulnerability advisory here for additional information.
AMD Radeon DirectX 11 Driver atidxx64.dll shader functionality MOV REG code execution vulnerability (TALOS-2020-1040/CVE-2020-6100)
An exploitable code execution vulnerability exists in the shader functionality of the AMD Radeon DirectX 11 driver, atidxx64.dll 26.20.15019.19000. An attacker can provide a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside of the rdvgm.exe process). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).
Read the complete vulnerability advisory here for additional information.
AMD Radeon DirectX 11 Driver atidxx64.dll shader functionality DCL_OUTPUT code execution vulnerability (TALOS-2020-1041/CVE-2020-6101)
An exploitable code execution vulnerability exists in the shader functionality of the AMD Radeon DirectX 11 driver, atidxx64.dll 26.20.15019.19000. An attacker can provide a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a Hyper-V guest using the RemoteFX feature, leading to executing the vulnerable code on the Hyper-V host (inside of the rdvgm.exe process). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).
Read the complete vulnerability advisory here for additional information.
AMD Radeon DirectX 11 Driver atidxx64.dll shader functionality RESOURCE code execution vulnerability (TALOS-2020-1042/CVE-2020-6102)
An exploitable code execution vulnerability exists in the shader functionality of the AMD Radeon DirectX 11 driver, atidxx64.dll 26.20.15019.19000. An attacker can provide a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a Hyper-V guest using the RemoteFX feature, leading to executing the vulnerable code on the Hyper-V host (inside of the rdvgm.exe process). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).
Read the complete vulnerability advisory here for additional information.
AMD Radeon DirectX 11 Driver atidxx64.dll shader functionality ROUND_NI code execution vulnerability (TALOS-2020-1043/CVE-2020-6103)
An exploitable code execution vulnerability exists in the shader functionality of the AMD Radeon DirectX 11 driver, atidxx64.dll 26.20.15019.19000. An attacker can provide a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a Hyper-V guest using the RemoteFX feature, leading to executing the vulnerable code on the Hyper-V host (inside of the rdvgm.exe process). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).
Read the complete vulnerability advisory here for additional information.
Versions tested
Talos tested and confirmed that Intel IGC64.DLL — the Intel graphics shader compiler for Intel® Graphics Accelerator — version 26.20.100.7584 is affected by TALOS-2020-0978 through TALOS-2020-0983. The AMD Radeon DirectX 11 driver, atidxx64.dll, version 26.20.15019.19000, is affected by TALOS-2020-1040 through TALOS-2020-1043.
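Since Microsoft's fix was to disable RemoteFX vGPU rather than patch the drivers, a Hyper-V administrator has two things to verify on each host: that no guest still has a RemoteFX 3D video adapter attached, and which versions of the two shader-compiler DLLs are installed. The following PowerShell is an added example and not code from the Talos post; it assumes the Hyper-V module is available and that the driver DLLs reside under the Windows DriverStore (the exact path is not given in the post).

```powershell
# Added example (not from the Talos post). Run on a Hyper-V host.
# Assumption: driver DLLs live under System32\DriverStore\FileRepository.
# Versions below are the ones Talos tested and confirmed affected.
$AffectedVersions = @{
    'IGC64.DLL'    = [version]'26.20.100.7584'     # TALOS-2020-0978 .. 0983
    'atidxx64.dll' = [version]'26.20.15019.19000'  # TALOS-2020-1040 .. 1043
}

function Get-RemoteFxExposure {
    # Every VM that still carries a RemoteFX 3D video adapter can drive the
    # host-side shader compiler in rdvgm.exe, which is the escape path above.
    foreach ($vm in Get-VM) {
        $adapter = Get-VMRemoteFx3dVideoAdapter -VMName $vm.Name -ErrorAction SilentlyContinue
        if ($adapter) {
            [pscustomobject]@{ VM = $vm.Name; State = $vm.State; RemoteFxAttached = $true }
        }
    }
}

function Get-ShaderCompilerVersions {
    # Locate each copy of the two DLLs and compare its file version with the
    # version Talos confirmed. Because Intel has issued no update, a different
    # IGC64.DLL version is not evidence that the host is safe.
    $root = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
    foreach ($name in $AffectedVersions.Keys) {
        Get-ChildItem -Path $root -Recurse -Filter $name -ErrorAction SilentlyContinue |
            ForEach-Object {
                # FileVersion may carry trailing text; keep only the numeric part.
                $raw = $_.VersionInfo.FileVersion
                $fv  = if ($raw -match '^\d+(\.\d+){1,3}') { [version]$Matches[0] } else { $null }
                [pscustomobject]@{
                    File                 = $_.FullName
                    FileVersion          = $fv
                    MatchesTalosAffected = ($fv -eq $AffectedVersions[$name])
                }
            }
    }
}

function Disable-RemoteFxOnAllVMs {
    # Mirrors Microsoft's own mitigation (disable RemoteFX vGPU) per VM.
    foreach ($hit in Get-RemoteFxExposure) {
        Disable-VMRemoteFx3dVideoAdapter -VMName $hit.VM
    }
}

Get-RemoteFxExposure        | Format-Table -AutoSize
Get-ShaderCompilerVersions  | Format-Table -AutoSize
```

Run the two report functions first; call Disable-RemoteFxOnAllVMs only after confirming which guests rely on RemoteFX, since disabling the adapter removes GPU acceleration from those VMs.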
Coverage
The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 52666 - 52669, 52818, 52819, 52842, 52843, 53545, 53546, 53549, 53550, 53553, 53554