A high-severity vulnerability, identified as CVE-2024-21922, exists in AMD StoreMI™ software. This flaw allows a local attacker to elevate their privileges on a system, potentially leading to arbitrary code execution and full system compromise. Organizations using the affected AMD software should prioritize immediate remediation to prevent unauthorized access and control of their systems.

This vulnerability is a form of DLL (Dynamic-Link Library) hijacking. The AMD StoreMI™ application attempts to load a DLL without specifying its full, absolute path. An attacker with standard user permissions on the system can place a specially crafted, malicious DLL in a directory that the application searches before the legitimate DLL's location. When the vulnerable AMD software is launched, it will inadvertently load and execute the attacker's malicious code with the elevated privileges of the StoreMI application, leading to privilege escalation.

This vulnerability is rated as high severity with a CVSS score of 7.3. A successful exploit could grant an attacker full administrative or SYSTEM-level control over an affected workstation or server. This level of access could lead to severe business consequences, including the theft of sensitive corporate data, deployment of ransomware, installation of persistent malware for long-term espionage, and disruption of critical business operations. A compromised system could also be used as a pivot point to launch further attacks across the internal network.

Immediate Action:

• Identify all assets running the vulnerable versions of AMD StoreMI™ software.
• Apply the security patches provided by AMD immediately, prioritizing critical systems and servers.
• Review user permissions and access controls to enforce the principle of least privilege. This can limit an attacker's ability to place malicious files in sensitive locations on the file system.

Proactive Monitoring:

• Monitor system logs for unusual process creation originating from AMD StoreMI™ executables.
• Utilize endpoint security tools (like Sysmon) to monitor for unexpected DLLs being loaded by the StoreMI process (Event ID 7).
• Watch for suspicious file write operations in the application's directory or other locations within the standard DLL search path.

Compensating Controls:

• If immediate patching is not feasible, implement application whitelisting (e.g., AppLocker, Windows Defender Application Control) to restrict the execution of unauthorized DLLs.
• Harden file system permissions to prevent standard users from writing files to directories where the application resides or in system-wide paths like C:\Windows.
• Ensure Endpoint Detection and Response (EDR) solutions are deployed and configured to detect and block common DLL hijacking techniques.

Public Exploit Available: false

Given the high severity rating and the potential for complete system compromise, this vulnerability poses a significant risk. Although CVE-2024-21922 is not currently in the CISA KEV catalog, its nature as a privilege escalation flaw makes it an attractive target for post-exploitation activities. We strongly recommend that all affected systems are patched on a priority basis. Organizations should treat this vulnerability with urgency and adhere to their patching policies for high-risk flaws to mitigate the threat of a local attacker gaining full control of enterprise assets.