Video drivers may fail to support Address Space Layout Randomization (ASLR)

2012-06-06T00:00:00
ID VU:458153
Type cert
Reporter CERT
Modified 2012-07-23T20:51:00

Overview

Some video drivers fail to support ASLR in Microsoft EMET "Always on" mode, which can limit how well such a system can be secured.

Description

ASLR, when combined with DEP (Data Execution Prevention), can be an effective mitigation against exploitation of vulnerabilities. For more information about DEP and ASLR on Microsoft Windows platforms, see the Microsoft Security Research & Defense blog entry: On the effectiveness of DEP and ASLR. Microsoft has released a tool called EMET (Enhanced Mitigation Experience Toolkit) to enforce DEP, ASLR, and other exploit mitigation features for Windows systems on an application-specific and a system-wide basis. DEP and ASLR features are available on other operating systems as well.

Some video drivers are not compatible with the Microsoft EMET "Always on" mode for ASLR. Enabling "Always on" ASLR on a system with incompatible video drivers may result in a system crash (kernel panic, or BSOD).
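As an added example (not part of the CERT note or of any vendor tooling): "Always on" differs from opt-in ASLR by also relocating images that were not linked with the ASLR opt-in flag, so an inventory of which binaries in a driver package lack that flag shows what changes when the mode is enabled. The Python code below reads the flag from PE headers; the function names and the header-only sample images are constructed for illustration, and a missing flag alone does not establish that a driver is incompatible.

```python
import struct

RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_RELOCS_STRIPPED (COFF Characteristics)
DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
NX_COMPAT = 0x0100         # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in

def mitigation_flags(image: bytes) -> dict:
    """Read the ASLR/DEP opt-in bits from the headers of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    opt = pe_off + 24                  # 4-byte signature + 20-byte COFF header
    if len(image) < opt + 72 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    opt_size, file_chars = struct.unpack_from("<HH", image, pe_off + 20)
    (magic,) = struct.unpack_from("<H", image, opt)
    if opt_size < 72 or magic not in (0x10B, 0x20B):       # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": bool(file_chars & RELOCS_STRIPPED),
    }

def forced_aslr_effect(flags: dict) -> str:
    """Describe what forcing ASLR changes for an image with these flags."""
    if flags["dynamic_base"]:
        return "opted in: already randomized in opt-in mode"
    if flags["relocs_stripped"]:
        return "no opt-in, relocations stripped: cannot be moved"
    return "no opt-in: moved only when ASLR is forced"

def sample_image(dll_chars: int, file_chars: int = 0x2022) -> bytes:
    """Constructed header-only PE32+ image for the demo, not a real driver."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112, file_chars)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for name, img in [("opted-in", sample_image(DYNAMIC_BASE | NX_COMPAT)),
                      ("legacy", sample_image(NX_COMPAT))]:
        print(name, forced_aslr_effect(mitigation_flags(img)))
```

To audit real files, pass the bytes of each `.sys` or `.dll` in the driver package to `mitigation_flags`; only the headers are read.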

Problems have also been reported using ATI drivers on Linux systems using PaX.


Impact

Systems with incompatible video drivers cannot be secured as well as those with ASLR-compatible drivers. Enabling system-wide DEP and ASLR can make exploitation of vulnerabilities more difficult.


Solution

Apply an update

AMD has released Catalyst drivers version 12.6 for supported Radeon hardware; these drivers are compatible with system-wide ASLR. If you are unable to obtain updated drivers, please consider the following workarounds.


Use standard VGA drivers

On systems where video performance is not a requirement (servers, for example), the use of standard VGA drivers can allow the use of EMET "Always on" ASLR.

Use a different video adapter

If the video adapter on your system is not compatible with EMET "Always on" ASLR, consider using a different video adapter that has ASLR-compatible drivers.


Vendor Information

AMD

Notified: February 16, 2012 Updated: June 29, 2012

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://support.amd.com/us/gpudownload/Pages/index.aspx>
  • <http://sites.amd.com/us/game/downloads/Pages/radeon_win7-64.aspx>
  • <http://sites.amd.com/us/game/downloads/Pages/radeon_win7-32.aspx>
  • <http://sites.amd.com/us/game/downloads/Pages/radeon_xp-32.aspx>
  • <http://blogs.amd.com/play/2012/06/28/our-driver-team-answers-the-call-once-again/>

Addendum

AMD has released Catalyst drivers version 12.6 for supported Radeon hardware; these drivers are compatible with system-wide ASLR. Attempting to use "Always on" ASLR on a system that uses incompatible ATI or AMD video drivers may result in a "BSOD" system crash upon trying to boot.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ATI Technologies

Updated: June 05, 2012

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

AMD and ATI video drivers are incompatible with "Always on" ASLR. Attempting to use "Always on" ASLR on a system that uses ATI or AMD video drivers may result in a "BSOD" system crash upon trying to boot. Note that ATI Technologies has been acquired by AMD.

Intel Corporation

Notified: June 01, 2012 Updated: June 05, 2012

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NVIDIA

Notified: June 01, 2012 Updated: June 05, 2012

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 0.0 | AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal | 0.0 | E:--/RL:OF/RC:C
Environmental | 0 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • <http://support.microsoft.com/kb/2458544>
  • <http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx>
  • <https://social.technet.microsoft.com/Forums/en-US/emet/thread/1e70c72b-67b2-43c4-bd36-a0edd1857875>
  • <https://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx>
  • <https://blogs.technet.com/b/srd/archive/2010/09/02/enhanced-mitigation-experience-toolkit-emet-v2-0-0.aspx>
  • <https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#ATI_Catalyst_.28fglrx.29_graphics_driver>
  • <http://support.amd.com/us/gpudownload/Pages/index.aspx>
  • <http://sites.amd.com/us/game/downloads/Pages/radeon_win7-64.aspx>
  • <http://sites.amd.com/us/game/downloads/Pages/radeon_win7-32.aspx>
  • <http://sites.amd.com/us/game/downloads/Pages/radeon_xp-32.aspx>
  • <http://blogs.amd.com/play/2012/06/28/our-driver-team-answers-the-call-once-again/>

Acknowledgements

This document was written by Will Dormann.

Other Information

CVE IDs: | None
---|---
Date Public: | 2010-09-02
Date First Published: | 2012-06-06
Date Last Updated: | 2012-07-23 20:51 UTC
Document Revision: | 57