CVE-2024-21939
📋 TL;DR
This vulnerability allows local attackers to escalate privileges by exploiting incorrect default permissions in the AMD Cloud Manageability Service (ACMS) installation directory. Attackers could potentially execute arbitrary code with elevated privileges. This affects systems running vulnerable versions of ACMS software.
💻 Affected Systems
- AMD Cloud Manageability Service (ACMS)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, allowing attackers to install persistent malware, steal sensitive data, or pivot to other systems.
Likely Case
Local privilege escalation leading to unauthorized access to system resources, configuration changes, or installation of additional malicious tools.
If Mitigated
Limited impact with proper access controls, monitoring, and network segmentation preventing lateral movement.
🎯 Exploit Status
Exploitation requires local, low-privileged access to the system; it is not reachable over the network. Because the ACMS installation directory is created with permissions that let ordinary users write into it, an attacker can plant or replace a file there (an executable, DLL or configuration file) that the ACMS service later loads or runs with its own elevated privileges, which is how a permissions bug becomes arbitrary code execution. This page references no public exploit for the flaw.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ACMS version 1.0.0.4 or later
Vendor Advisory: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-9006.html
Restart Required: Yes
Instructions:
1. Download ACMS version 1.0.0.4 or later from AMD's official website.
2. Uninstall the current vulnerable version.
3. Install the updated version.
4. Restart the system to ensure the changes take effect.
🔧 Temporary Workarounds
Restrict ACMS Directory Permissions
Manually adjust permissions on the ACMS installation directory so that only SYSTEM and Administrators can write to it while other users keep read and execute access. Before running the command, confirm the actual install path (the path below is the default on this page), save the current ACL with icacls /save so you can roll back, and check that no account other than SYSTEM and Administrators legitimately writes into the directory.
icacls "C:\Program Files\AMD\ACMS" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
The (OI)(CI) flags make the new entries inheritable, but files and subdirectories that already carry their own explicit write entries keep them, so re-check the whole tree with icacls afterwards. Treat this as a stopgap only: the vendor fix changes the installer, and updating to 1.0.0.4 or later is still required.
🧯 If You Can't Patch
- Implement strict access controls and monitoring on systems with ACMS installed
- Isolate affected systems from critical network segments and apply principle of least privilege
🔍 How to Verify
Check if Vulnerable:
Check ACMS version in Control Panel > Programs and Features. If version is earlier than 1.0.0.4, the system is vulnerable.
Check Version:
wmic product where name="AMD Cloud Manageability Service" get version
Note that wmic is deprecated, the name must match the DisplayName shown in Programs and Features exactly, and querying Win32_Product enumerates every installed MSI product and triggers a consistency check on each, so expect it to be slow.
Verify Fix Applied:
Verify that the ACMS version is 1.0.0.4 or later and that the directory ACL no longer grants write, modify or full control (W, M, F, or the generic write bits) to Users, Authenticated Users or Everyone. Check the permissions even after updating, since an upgrade does not necessarily rewrite the ACL of a directory that already exists (which is why the instructions above uninstall first): icacls "C:\Program Files\AMD\ACMS"
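The following PowerShell script is an added example, not AMD's code and not part of the advisory or this page. It performs both checks above on one host: it reads the installed ACMS version from the Uninstall registry keys (avoiding the slow Win32_Product query) and audits the install directory, every subdirectory and every file for ACEs that give a low-privilege principal any write-class right, which is the weakness this CVE describes. It assumes the default install path C:\Program Files\AMD\ACMS and a DisplayName containing "Cloud Manageability"; adjust both to match what Programs and Features shows on your build.

```powershell
# Added example, not AMD's code or part of the advisory: checks one host for
# CVE-2024-21939 by (a) reading the installed ACMS version from the Uninstall
# registry keys and (b) auditing the install tree for ACEs that let a
# low-privilege principal write into it. Assumptions: the default install path
# C:\Program Files\AMD\ACMS and a DisplayName containing 'Cloud Manageability';
# adjust both to match what Programs and Features shows on your build.

$AcmsDir      = 'C:\Program Files\AMD\ACMS'   # assumed default install path
$FixedVersion = [version]'1.0.0.4'            # first fixed version per AMD-SB-9006

# The Uninstall keys are fast and side-effect free; Win32_Product (wmic product)
# is slow and triggers an MSI consistency check on every product it enumerates.
function Get-AcmsVersion {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Cloud Manageability*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

# Principals every interactive or authenticated user belongs to. An Allow ACE for
# one of these carrying any write-class right is the weakness this CVE describes.
$LowPrivPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, left as raw bits by Get-Acl

# Emit one record per ACE on $Path that lets a low-privilege principal write.
function Get-WeakAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.FileSystemRights
        if (($bits -band [int]$WriteRights) -eq 0 -and ($bits -band $GenericWriteOrAll) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# --- Version check ---
$installed = Get-AcmsVersion
$v = $installed -as [version]
if (-not $installed) {
    Write-Output 'ACMS not found in the Uninstall keys: not installed, or DisplayName differs.'
} elseif (-not $v) {
    Write-Output "ACMS DisplayVersion '$installed' is not a dotted version; compare it with 1.0.0.4 by hand."
} elseif ($v -lt $FixedVersion) {
    Write-Output "ACMS $v is earlier than $FixedVersion: VULNERABLE to CVE-2024-21939, update."
} else {
    Write-Output "ACMS $v is at or above $FixedVersion."
}

# --- Permission audit: the directory, every subdirectory and every file, since a
# weak ACE on the service binary itself is as bad as one on the folder. ---
if (Test-Path -LiteralPath $AcmsDir) {
    $paths = @($AcmsDir) + @(Get-ChildItem -LiteralPath $AcmsDir -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object FullName)
    $weak  = foreach ($p in $paths) { Get-WeakAce -Path $p }
    if ($weak) {
        Write-Output 'Low-privilege write access found (apply the icacls workaround or update):'
        $weak | Format-Table -AutoSize
    } else {
        Write-Output "No low-privilege write access found under $AcmsDir."
    }
} else {
    Write-Output "$AcmsDir does not exist; confirm the install path before drawing conclusions."
}
```

Run it from an elevated prompt so Get-Acl can read every object in the tree. A clean result is an "at or above 1.0.0.4" line plus "No low-privilege write access found"; anything listed in the table is a path where a standard user can still plant or replace a file, regardless of what version is installed.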
📡 Detection & Monitoring
Log Indicators:
- Unusual file modifications in ACMS installation directory
- Unexpected privilege escalation events
- Suspicious process creation from ACMS directory
Network Indicators:
- Unusual outbound connections from systems with ACMS installed
SIEM Query (pseudo-syntax; adapt field names to your platform, and confirm the install path, which is the assumed default here):
EventID=4663 AND ObjectName LIKE 'C:\Program Files\AMD\ACMS\%' AND AccessMask IN ('0x2', '0x4', '0x10000', '0x40000', '0x80000') AND SubjectUserSid != 'S-1-5-18'
EventID=4688 AND NewProcessName LIKE 'C:\Program Files\AMD\ACMS\%'
The first query catches the planting stage (a write, delete or ACL change inside the ACMS tree by anyone other than SYSTEM; masks that combine several bits need a bitwise test rather than the IN list). Match SYSTEM on the SID S-1-5-18, because in 4663 and 4688 the Subject fields show SYSTEM as the machine account (HOST$), not as "SYSTEM". The second query deliberately does not exclude SYSTEM: the payoff of this bug class is the service executing the planted file as SYSTEM, so filtering SYSTEM out hides the event you most want to see. Instead, compare each executed image against the binaries the vendor shipped (hash or Authenticode signature). 4663 events exist only if "Audit File System" is enabled and the directory carries a write SACL; 4688 requires "Audit Process Creation".
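The script below is an added example, not AMD's code and not part of the advisory or this page; it turns the log indicators above into something runnable on a single Windows host. Part 1 enables the audit subcategories that produce 4688 and 4663 and puts a write SACL on the ACMS tree, since without a SACL no 4663 event is ever written. Part 2 reads the Security log and reports the two stages of this bug class: a write into the ACMS tree by a non-SYSTEM account, and execution of a file from that tree that is not validly signed by AMD. It assumes the default install path C:\Program Files\AMD\ACMS and that AMD's code-signing certificate subject contains "Advanced Micro Devices"; check the latter against a known-good ACMS binary before relying on it.

```powershell
# Added example, not AMD's code or part of the advisory. Assumptions: default
# install path C:\Program Files\AMD\ACMS; AMD's signing certificate subject
# contains 'Advanced Micro Devices' (verify against a known-good binary first).
# Run from an elevated prompt: auditpol, SACL changes and the Security log all need it.

$AcmsDir = 'C:\Program Files\AMD\ACMS'   # assumed default install path

# --- Part 1: make sure the events exist (run once) ---
function Enable-AcmsAudit {
    param([string]$Path = $AcmsDir)
    auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    # Audit successful writes, deletes and ACL/owner changes by anyone, inherited by the whole tree.
    $acl  = Get-Acl -LiteralPath $Path -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone', 'Write, Delete, ChangePermissions, TakeOwnership',
        'ContainerInherit, ObjectInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Flatten a Security event's EventData into a hashtable keyed by field name.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# --- Part 2: hunt over the last $Hours of Security log ---
function Find-AcmsSuspiciousEvents {
    param([string]$Path = $AcmsDir, [int]$Hours = 24)
    $prefix   = $Path.TrimEnd('\') + '\'
    # FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES | DELETE | WRITE_DAC | WRITE_OWNER
    $writeBit = 0x2 -bor 0x4 -bor 0x10 -bor 0x100 -bor 0x10000 -bor 0x40000 -bor 0x80000
    $filter   = @{ LogName = 'Security'; Id = 4688, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = Get-EventData $e
        if ($e.Id -eq 4663 -and $d.ObjectName -like "${prefix}*") {
            # Stage 1: planting or replacing a file. SYSTEM appears as the machine
            # account (HOST$) in the Subject fields, so match on the SID, not the name.
            if (([int]$d.AccessMask -band $writeBit) -and $d.SubjectUserSid -ne 'S-1-5-18') {
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4663; Subject = $d.SubjectUserName
                                   Target = $d.ObjectName; Process = $d.ProcessName
                                   Reason = 'write inside ACMS tree by a non-SYSTEM account' }
            }
        } elseif ($e.Id -eq 4688 -and $d.NewProcessName -like "${prefix}*") {
            # Stage 2: the planted file runs, as SYSTEM, so SYSTEM is not filtered out.
            # Instead confirm the image is still the vendor's: valid Authenticode chain, AMD subject.
            $sig = Get-AuthenticodeSignature -LiteralPath $d.NewProcessName -ErrorAction SilentlyContinue
            $ok  = $sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Advanced Micro Devices*'
            if (-not $ok) {
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4688; Subject = $d.SubjectUserName
                                   Target = $d.NewProcessName; Process = $d.ParentProcessName
                                   Reason = 'process from ACMS tree is not validly AMD-signed (or no longer on disk)' }
            }
        }
    }
}

Find-AcmsSuspiciousEvents | Sort-Object Time | Format-Table -AutoSize
```

Call Enable-AcmsAudit once per host (it is not invoked automatically because it changes audit policy), then run the hunt on a schedule or feed the same two tests to your SIEM. A 4663 hit followed within minutes by a 4688 hit on the same path is the sequence that corresponds to successful exploitation of this bug class; an image that is "no longer on disk" at check time is itself worth a look, since attackers commonly remove the planted file after it has run.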