CVE-2024-36321
📋 TL;DR
This vulnerability in AMD's AIM-T Manageability Service allows local attackers to escalate privileges by exploiting an unquoted search path. Attackers can place malicious executables in locations the service searches, leading to arbitrary code execution with SYSTEM privileges. This affects systems running vulnerable versions of AMD's manageability software.
💻 Affected Systems
- AMD AIM-T Manageability Service
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM privilege escalation leading to complete system compromise, persistence establishment, and lateral movement capabilities.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install malware, or access sensitive system resources.
If Mitigated
Limited impact if proper access controls prevent local users from writing to vulnerable directories.
🎯 Exploit Status
Exploitation requires local access and ability to write to directories in the search path. The technique is well-known for unquoted service paths.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to AMD advisory for specific patched versions
Vendor Advisory: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-9015.html
Restart Required: Yes
Instructions:
1. Review AMD advisory SB-9015.
2. Download and install the updated AMD manageability software.
3. Restart the system to ensure the service runs with patched binaries.
🔧 Temporary Workarounds
Restrict directory permissions
Windows: Modify permissions on directories in the service's search path to prevent unauthorized users from writing executable files.
icacls "C:\Program Files\AMD" /deny Users:(OI)(CI)W
Quote service paths
Windows: Modify the service configuration to use quoted paths in the service executable path.
sc config "AMD Manageability Service" binPath= "\"C:\Program Files\AMD\service.exe\""
🧯 If You Can't Patch
- Implement strict access controls to prevent local users from writing to directories in the service's search path.
- Monitor for unauthorized file creation in AMD program directories and service-related locations.
🔍 How to Verify
Check if Vulnerable:
Check if AMD AIM-T Manageability Service is installed and review the service path for unquoted spaces. Use: sc qc "AMD Manageability Service"
Check Version:
Check program files directory or registry for AMD manageability software version.
Verify Fix Applied:
Verify the service path is properly quoted and check installed version against AMD's patched version list.
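The quoting check described above, as an added example (not AMD's or this site's code): it parses `sc qc` output, reports whether the executable path is unquoted and contains spaces, and lists the earlier paths Windows would try first, which are the locations to lock down and monitor. The sample output is constructed, and the service name and path are the ones used in the workaround commands above, not values confirmed for a real install.

```python
import re

# Constructed `sc qc` output; service name and path come from the page's
# workaround command and are assumptions, not confirmed install values.
SAMPLE_UNQUOTED = r"""
SERVICE_NAME: AMD Manageability Service
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\Program Files\AMD\service.exe
        SERVICE_START_NAME : LocalSystem
"""
SAMPLE_QUOTED = SAMPLE_UNQUOTED.replace(
    r"C:\Program Files\AMD\service.exe", r'"C:\Program Files\AMD\service.exe"')

def binary_path(sc_qc_output):
    """Extract the BINARY_PATH_NAME value from `sc qc <service>` output."""
    m = re.search(r"^[ \t]*BINARY_PATH_NAME[ \t]*:[ \t]*(.*?)[ \t]*$",
                  sc_qc_output, re.M)
    return m.group(1) if m else None

def executable_part(path):
    """Split off arguments. Returns (executable_path, was_quoted)."""
    if path.startswith('"'):
        end = path.find('"', 1)
        return (path[1:end] if end != -1 else path[1:]), True
    # Unquoted: treat everything up to the first ".exe" as the executable.
    m = re.match(r"(.*?\.exe)(?:\s|$)", path, re.I)
    return (m.group(1) if m else path), False

def earlier_candidates(exe):
    """Paths tried before `exe` when it is unquoted: one per embedded space."""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(sc_qc_output):
    """Report quoting status and the paths that need ACL review/monitoring."""
    path = binary_path(sc_qc_output)
    if path is None:
        return {"found": False, "unquoted_with_spaces": False, "watch_paths": []}
    exe, quoted = executable_part(path)
    watch = [] if quoted else earlier_candidates(exe)
    return {"found": True, "binary_path": path, "quoted": quoted,
            "unquoted_with_spaces": bool(watch), "watch_paths": watch}

if __name__ == "__main__":
    for name, text in (("unquoted", SAMPLE_UNQUOTED), ("quoted", SAMPLE_QUOTED)):
        print(name, audit(text))
```

A flagged path only shows the quoting problem; whether non-administrative users can write to the listed locations still has to be checked against the directory ACLs (for example with icacls).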
📡 Detection & Monitoring
Log Indicators:
- Unexpected service restarts
- File creation events in AMD program directories
- Process creation from unusual locations
Network Indicators:
- Unusual outbound connections from SYSTEM context following local privilege escalation
SIEM Query:
EventID=4688 AND NewProcessName contains "amd" AND SubjectUserName!=SYSTEM