CVE-2020-6102

9.9 CRITICAL

📋 TL;DR

This vulnerability allows remote code execution through specially crafted shader files in AMD Radeon DirectX 11 drivers. Attackers can exploit this from Hyper-V guests via RemoteFX or potentially through web browsers using WebGL/WebAssembly. Affected systems include Windows hosts with vulnerable AMD graphics drivers and Hyper-V RemoteFX enabled.

💻 Affected Systems

Products:
  • AMD Radeon DirectX 11 Driver
Versions: atidxx64.dll version 26.20.15019.19000 (likely affects similar versions)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Hyper-V with RemoteFX enabled for guest-to-host exploitation. Web browser exploitation via WebGL/WebAssembly is theoretical.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of Hyper-V host from guest VM leading to complete host takeover and lateral movement across the network.

🟠

Likely Case

Privilege escalation from Hyper-V guest to host, allowing attacker to escape virtualization and access host resources.

🟢

If Mitigated

Limited to guest VM compromise if RemoteFX is disabled and web-based vectors are blocked.

🌐 Internet-Facing: MEDIUM - WebGL/WebAssembly vectors are theoretical but possible; primary risk requires local access or compromised guest VM.
🏢 Internal Only: HIGH - Hyper-V environments with RemoteFX enabled are highly vulnerable to guest-to-host escape attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires attacker to deliver malicious shader file to target system, either through guest VM compromise or potentially via web vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: AMD driver updates after June 2020

Vendor Advisory: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-1000.html

Restart Required: Yes

Instructions:

1. Update AMD Radeon graphics drivers to the latest version.
2. Apply Windows updates for Hyper-V/RemoteFX patches.
3. Restart the system after updates.

🔧 Temporary Workarounds

Disable Hyper-V RemoteFX

Platform: Windows

Prevents guest-to-host exploitation by disabling vulnerable RemoteFX feature

Get-VMRemoteFXPhysicalVideoAdapter | Disable-VMRemoteFXPhysicalVideoAdapter (PowerShell; the cmdlet takes -Name or piped adapter objects, not -VMName)
Remove the RemoteFX 3D Video Adapter from VM settings, or per VM while it is off: Remove-VMRemoteFx3dVideoAdapter -VMName <VM name>
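The two workaround steps above as one host-side script. This is an added example, not code from the advisory, AMD or Microsoft. It assumes the Hyper-V PowerShell module and an elevated session, and that the objects returned by Get-VMRemoteFXPhysicalVideoAdapter expose an Enabled property (an assumption about the cmdlet's output). It detaches the RemoteFX 3D adapter from every VM that has one, then withdraws every physical GPU from RemoteFX so no adapter can be re-added before the host is patched.

```powershell
# Added example, not from the advisory: turn RemoteFX off on a Hyper-V host.
# Assumes the Hyper-V module is installed and the session is elevated.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

function Disable-RemoteFxOnHost {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Step 1: detach the RemoteFX 3D video adapter from every VM that has one.
    # Hyper-V only allows the adapter to be removed while the VM is off.
    foreach ($vm in Get-VM) {
        $adapter = Get-VMRemoteFx3dVideoAdapter -VMName $vm.Name -ErrorAction SilentlyContinue
        if (-not $adapter) { continue }
        if ($vm.State -ne 'Off') {
            Write-Warning "$($vm.Name) is $($vm.State); stop it, then rerun to remove its RemoteFX adapter."
            continue
        }
        if ($PSCmdlet.ShouldProcess($vm.Name, 'Remove RemoteFX 3D video adapter')) {
            Remove-VMRemoteFx3dVideoAdapter -VMName $vm.Name
        }
    }

    # Step 2: withdraw every physical GPU from RemoteFX so that no VM can be
    # given an adapter again. 'Enabled' is assumed to be a property of the
    # adapter object returned by Get-VMRemoteFXPhysicalVideoAdapter.
    foreach ($gpu in (Get-VMRemoteFXPhysicalVideoAdapter | Where-Object { $_.Enabled })) {
        if ($PSCmdlet.ShouldProcess($gpu.Name, 'Disable RemoteFX physical video adapter')) {
            Disable-VMRemoteFXPhysicalVideoAdapter -Name $gpu.Name
        }
    }

    # Step 3: report what is left so the result can be confirmed (both should be 0).
    [pscustomobject]@{
        VMsWithRemoteFx     = @(Get-VM | Where-Object {
                                  Get-VMRemoteFx3dVideoAdapter -VMName $_.Name -ErrorAction SilentlyContinue
                              }).Count
        EnabledRemoteFxGpus = @(Get-VMRemoteFXPhysicalVideoAdapter | Where-Object { $_.Enabled }).Count
    }
}

# Preview the changes first, then run for real.
Disable-RemoteFxOnHost -WhatIf
# Disable-RemoteFxOnHost
```

Running VMs are reported rather than stopped, so the script never interrupts a workload on its own; rerun it after a maintenance window, and treat a non-zero count in the final report as a host that still carries the vulnerable path.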

Block WebGL in browsers

Platform: Windows

Mitigates theoretical web-based exploitation vectors

Browser settings: disable WebGL and WebAssembly
Group Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Allow WebGL

🧯 If You Can't Patch

  • Disable Hyper-V RemoteFX on all hosts and remove from VMs
  • Isolate Hyper-V hosts from critical networks and implement strict network segmentation

🔍 How to Verify

Check if Vulnerable:

Check atidxx64.dll version in System32 folder: right-click file > Properties > Details tab

Check Version:

PowerShell (FileVersion is the field to compare; the bare VersionInfo object is truncated on display):

(Get-Item C:\Windows\System32\atidxx64.dll).VersionInfo.FileVersion

Verify Fix Applied:

Verify driver version is newer than 26.20.15019.19000 and check Windows Update history for Hyper-V/RemoteFX patches
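The version check above as a script that audits every copy of atidxx64.dll on a host and compares it numerically with the build the advisory names. This is an added example, not from the advisory or AMD. It assumes the file's FileVersion string starts with the dotted build number, and it searches the DriverStore as well as System32 because recent Windows builds commonly load display drivers from staged driver packages there (an assumption about where the loaded copy lives; the advisory names only System32).

```powershell
# Added example, not from the advisory: audit atidxx64.dll copies on a host.
# The build below is the one the advisory names as vulnerable. The advisory gives
# no fixed build, so "newer" is a heuristic until the vendor bulletin is checked.
$KnownVulnerable = [version]'26.20.15019.19000'

function Get-AtiDxxStatus {
    param(
        # System32 is where the advisory says to look; the DriverStore holds staged
        # driver packages (assumed to be where the loaded copy lives on recent builds).
        [string[]]$SearchRoots = @(
            "$env:SystemRoot\System32",
            "$env:SystemRoot\System32\DriverStore\FileRepository"
        )
    )
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $files = Get-ChildItem -LiteralPath $root -Filter atidxx64.dll -File -Recurse -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $raw = $f.VersionInfo.FileVersion
            $ver = $null
            # FileVersion is free text; keep only the leading dotted number so [version] can parse it.
            if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $ver = [version]$Matches[1] }
            # [version] compares component by component, which a string compare would not.
            $status = if (-not $ver) { 'Unknown' }
                      elseif ($ver -le $KnownVulnerable) { 'Vulnerable' }
                      else { 'Newer than known-vulnerable build' }
            [pscustomobject]@{
                Path        = $f.FullName
                FileVersion = $raw
                Status      = $status
            }
        }
    }
}

$report = Get-AtiDxxStatus
$report | Format-Table -AutoSize
if (-not $report) {
    Write-Output 'No atidxx64.dll found: no AMD DirectX 11 user-mode driver is installed on this host.'
}
```

Builds older than 26.20.15019.19000 are flagged as well, since the advisory says similar versions are likely affected. Numeric comparison matters here: as strings, "26.20.15019.2000" sorts after "26.20.15019.19000", which would mislabel an older build as newer.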

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from rdvgm.exe
  • Suspicious shader file loading in graphics driver logs
  • Hyper-V guest escape attempts

Network Indicators:

  • Unexpected network traffic from Hyper-V hosts
  • Anomalous WebGL/WebAssembly requests to internal systems

SIEM Query:

Process Creation where (Parent Process Name contains 'rdvgm.exe') OR (Image Loaded contains 'atidxx64.dll' AND Command Line contains suspicious shader parameters)
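The first log indicator above, process creation from rdvgm.exe, as a query over a host's own event logs. This is an added example, not the advisory's query. It assumes Sysmon is installed with process-creation logging (Event ID 1); the Security-log branch assumes "Audit Process Creation" is enabled (Event ID 4688, whose ParentProcessName field is present on Windows 10 / Server 2016 and later). Every child of rdvgm.exe is returned for triage rather than filtered on command-line content, since the advisory does not define what a "suspicious shader parameter" looks like.

```powershell
# Added example, not from the advisory: list processes whose parent is rdvgm.exe.
# Assumes Sysmon (Event ID 1) and/or Security auditing (Event ID 4688) on the host.

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of an event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Find-RdvgmChildProcesses {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$ParentName = 'rdvgm.exe'
    )
    $hits = New-Object System.Collections.Generic.List[object]

    # Sysmon Event ID 1: ParentImage carries the parent's full path.
    $sysmon = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $sysmon) {
        $d = ConvertFrom-EventData $e
        if ($d.ParentImage -and ((Split-Path $d.ParentImage -Leaf) -ieq $ParentName)) {
            $hits.Add([pscustomobject]@{
                Time = $e.TimeCreated; Source = 'Sysmon'
                Parent = $d.ParentImage; Image = $d.Image; CommandLine = $d.CommandLine
            })
        }
    }

    # Security Event ID 4688: ParentProcessName / NewProcessName; CommandLine only
    # if command-line auditing is also enabled.
    $sec = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $sec) {
        $d = ConvertFrom-EventData $e
        if ($d.ParentProcessName -and ((Split-Path $d.ParentProcessName -Leaf) -ieq $ParentName)) {
            $hits.Add([pscustomobject]@{
                Time = $e.TimeCreated; Source = 'Security'
                Parent = $d.ParentProcessName; Image = $d.NewProcessName; CommandLine = $d.CommandLine
            })
        }
    }

    $hits | Sort-Object Time
}

Find-RdvgmChildProcesses | Format-Table -AutoSize
```

The query is anchored on the parent process rather than on atidxx64.dll loads because that DLL is the user-mode DirectX 11 driver and is loaded by every Direct3D 11 application on an AMD host, so an image-load match on its own is noise; combine it with the command-line clause as the SIEM pseudo-query above does.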

🔗 References
