Cisco Talos recently discovered multiple vulnerabilities in Intel’s Graphics Accelerator Driver and in an AMD Radeon driver. The Intel driver was released in 2019 and is used in multiple Intel integrated and non-integrated GPUs. It is likely that an attacker could use these vulnerabilities to exploit users remotely. The vulnerability could also be used to escape out of a Hyper-V virtual machine to access the host machine. Talos discovered the RemoteFX feature in Hyper-V affects both the Intel and AMD products and can be used to perform a Hyper-V guest-to-host escape. Microsoft disabled the RemoteFX feature as part of this month’s Patch Tuesday.
In accordance with our disclosure policy, Talos contacted Intel, AMD and Microsoft about these bugs. Microsoft elected to disable RemoteFX vGPU from Hyper-V to fix these issues on their side, with full removal of RemoteFX vGPU planned for a future date. More information is available
here.
AMD has
released its own set of patches. Intel has thus far declined to issue its own update to address these vulnerabilities, but we are still disclosing them per
Cisco’s vulnerability disclosure policy. These vulnerabilities are an example of what can go right, and wrong, when two different products are tied so closely together. Talos recommends a holistic approach to security where all products are regularly updated, regardless of which vendors are releasing updates for the vulnerabilities in question. However, this shows that when two vendors disagree on a security issue, it can leave some users vulnerable. An adversary could use any of these vulnerabilities to execute code remotely on affected products once they’ve supplied the victim with the appropriate exploit.
Note that the CVEs for the Intel vulnerabilities below only apply to Microsoft’s HyperV instance, as Intel has refused to issue CVEs for the issues.
blog.talosintelligence.com
