CVE-2019-7247 – This vulnerability in AMD OverDrive's AODDriver... (How to Fix)

Q: What is the severity of CVE-2019-7247?

CVE-2019-7247 has a CVSS score of 9.8 (CRITICAL). This vulnerability in AMD OverDrive's AODDriver2.sys driver allows attackers to write arbitrary values to Model Specific Registers (MSRs) through an IOCTL interface. This can lead to kernel-level code execution and privilege escalation from user mode to Ring-0. Users of AMD OverDrive software on Windows systems are affected.

📋 TL;DR

This vulnerability in AMD OverDrive's AODDriver2.sys driver allows attackers to write arbitrary values to Model Specific Registers (MSRs) through an IOCTL interface. This can lead to kernel-level code execution and privilege escalation from user mode to Ring-0. Users of AMD OverDrive software on Windows systems are affected.

💻 Affected Systems

Products:

AMD OverDrive

Versions: Versions prior to the fix (specific version unknown)

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Requires local access to the system; driver is typically installed with AMD OverDrive utility for CPU overclocking.

📦 What is this software?

Overdrive by Amd

View all CVEs affecting Overdrive →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with kernel-level code execution, allowing attackers to install persistent malware, bypass security controls, and access all system resources.

🟠

Likely Case

Local privilege escalation where a standard user gains SYSTEM/administrator privileges, enabling lateral movement and persistence establishment.

🟢

If Mitigated

Limited impact with proper driver signing enforcement, application whitelisting, and least privilege user accounts preventing exploitation.

🌐 Internet-Facing: LOW

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires local access but is straightforward once access is obtained; FireEye published technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown specific version - check AMD advisories

Vendor Advisory: https://www.amd.com/en/corporate/product-security

Restart Required: Yes

Instructions:

1. Check AMD security advisories for specific patch version. 2. Update AMD OverDrive to latest version. 3. Restart system to load patched driver.

🔧 Temporary Workarounds

Remove vulnerable driver

windows

Uninstall AMD OverDrive software to remove the vulnerable AODDriver2.sys driver

Control Panel > Programs > Uninstall AMD OverDrive

Block driver loading

windows

Use Windows Group Policy to block loading of the vulnerable driver

gpedit.msc > Computer Configuration > Windows Settings > Security Settings > System Services > Find AODDriver2 service > Set to Disabled

🧯 If You Can't Patch

Implement application whitelisting to prevent execution of AMD OverDrive
Enforce least privilege principles to limit local user access

🔍 How to Verify

Check if Vulnerable:

Check if AODDriver2.sys driver exists in system32\drivers and check driver version

Check Version:

driverquery /v | findstr AODDriver2

Verify Fix Applied:

Verify AODDriver2.sys driver version matches patched version from AMD advisory

📡 Detection & Monitoring

Log Indicators:

Driver load events for AODDriver2.sys
Process creation events for AMD OverDrive executables
IOCTL calls to vulnerable driver

Network Indicators:

No network indicators - local privilege escalation only

SIEM Query:

EventID=7045 AND ServiceName="AODDriver" OR ProcessName="amdoverdrive.exe"

📊 Metadata

CVE ID: CVE-2019-7247

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: May 18, 2020

Last Updated: November 21, 2024

🔗 References

https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2019-0014/FEYE-2019-0014.md Third Party Advisory
https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2019-0014/FEYE-2019-0014.md Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON