CVE-2020-12891
📋 TL;DR
This vulnerability allows an unprivileged user to perform DLL hijacking by placing a malicious DLL in a directory listed in the system's PATH environment variable. AMD Radeon Software loads DLLs from PATH locations without proper validation, enabling privilege escalation or arbitrary code execution. All users running vulnerable AMD Radeon Software versions are affected.
💻 Affected Systems
- AMD Radeon Software
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through privilege escalation to SYSTEM/root, allowing installation of persistent malware, data theft, or ransomware deployment.
Likely Case
Local privilege escalation allowing attackers to gain administrative privileges on the affected system, potentially leading to lateral movement within networks.
If Mitigated
Limited impact with proper user privilege restrictions and application whitelisting preventing unauthorized DLL execution.
🎯 Exploit Status
Exploitation requires local access and ability to write to PATH directories. DLL hijacking is a well-known technique with established attack patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: AMD Radeon Software Adrenalin 2020 Edition 20.5.1 or later
Vendor Advisory: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1000
Restart Required: Yes
Instructions:
1. Download the latest AMD Radeon Software from the AMD website.
2. Run the installer with administrative privileges.
3. Follow the on-screen instructions.
4. Restart the system when prompted.
🔧 Temporary Workarounds
Restrict PATH directory permissions
Remove write permissions for standard users on directories listed in the PATH environment variable, for example:
icacls "C:\Windows\System32" /deny Users:(WD)
Use application whitelisting
Implement AppLocker or Windows Defender Application Control to restrict which DLLs may be loaded.
🧯 If You Can't Patch
- Apply the principle of least privilege: ensure users run with only the permissions they need
- Monitor for suspicious DLL loading events using Windows Event Log auditing
🔍 How to Verify
Check if Vulnerable:
Check AMD Radeon Software version in Settings > System > About. Versions before 20.5.1 are vulnerable.
Check Version:
Get-WmiObject Win32_Product | Where-Object {$_.Name -like "*Radeon*"} | Select-Object Name, Version
Verify Fix Applied:
Verify that the installed version is 20.5.1 or later, and check the directories in the PATH environment variable for any that are writable by standard users.
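The PATH check above, as an added example that is not part of this advisory or of AMD's tooling: it enumerates the machine-wide PATH and reports directories whose ACL grants write rights to low-privilege principals, which is the precondition for the DLL hijack. It assumes an elevated PowerShell session on the host being checked and English default principal names.

```powershell
# Added example (not from the advisory): find machine-wide PATH directories writable by
# low-privilege principals. Assumes an elevated PowerShell session and English default
# group names; adjust $lowPrivPrincipals on localized systems.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Access masks that allow dropping a file into a directory. The 0x2 (WriteData) bit is
# also contained in the composite Write, Modify and FullControl rights.
$writeMasks = @{
    WriteData    = 0x2
    GenericWrite = 0x40000000
    GenericAll   = 0x10000000
}
function Get-WritablePathDirectories {
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $dirs = $machinePath -split ';' |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique
    foreach ($dir in $dirs) {
        try { $acl = Get-Acl -LiteralPath $dir } catch { continue }
        foreach ($ace in $acl.Access) {
            # Only explicit Allow entries for the low-privilege groups are checked; Deny
            # entries are not evaluated, so confirm each hit by hand before acting on it.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            $canWrite = $false
            foreach ($mask in $writeMasks.Values) {
                if (($rights -band $mask) -ne 0) { $canWrite = $true }
            }
            if ($canWrite) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}
Get-WritablePathDirectories | Format-Table -AutoSize
```

An empty result means no PATH directory grants write access to the listed groups; any row returned should be fixed with icacls as shown in the workarounds section.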
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 (Process Creation) showing DLL loading from unusual PATH locations
- Sysmon Event ID 7 (Image loaded) from non-standard directories
Network Indicators:
- Unusual outbound connections following local privilege escalation
SIEM Query:
source="WinEventLog:Security" EventCode=4688 (New_Process_Name="*\Radeon*.exe" OR Creator_Process_Name="*\Radeon*.exe") Process_Command_Line="*.dll*"