A critical security vulnerability, CVE-2024-21966, has been found in the AMD Ryzen Master Utility, a software tool used to optimize AMD Ryzen processors. This flaw, identified as DLL hijacking, enables attackers to execute arbitrary code and escalate privileges, potentially leading to a serious system compromise. The vulnerability arises because the utility does not properly validate dynamically loaded libraries, which can be exploited by malicious actors to inject harmful code into the system, gaining unauthorized access to sensitive data and compromising system operations.
The issue has been classified with a CVSS score of 7.3, reflecting its high severity. The Ryzen Master Utility, which is used for overclocking processors and monitoring system performance, inadvertently allows attackers to place a malicious DLL file in a directory accessed by the utility. Once this malicious DLL is loaded, it could execute arbitrary code with elevated privileges, resulting in significant system vulnerabilities and possible disruption to system functions.
The AMD security team credited Pwni, a group of security researchers, for identifying the vulnerability and disclosing it responsibly. AMD has released a security patch in version 2.14.0.3205 of the Ryzen Master Utility to address the issue. Users are advised to update their software to the latest version to mitigate the risk. Additionally, AMD recommends avoiding running applications from untrusted directories, regularly updating software and drivers, and ensuring that any malicious libraries are not executed.
The discovery of CVE-2024-21966 highlights the importance of secure library loading practices in software development. Similar vulnerabilities have been identified in other AMD products, such as the AMD Integrated Management Technology (AIM-T) and AMD μProf, stressing the need for stricter validation and security measures across the company’s software ecosystem. By addressing this DLL hijacking vulnerability, AMD aims to prevent future security breaches and enhance the protection of its users.
