The RCE that AMD wouldn't fix

6 hours ago
  • #RCE Vulnerability
  • #Bug Bounty
  • #AMD
  • AMD's AutoUpdate software had a trivial RCE vulnerability due to downloading executables over HTTP without validation.
  • The bug bounty program initially rejected the report, treating MITM attacks as out of scope, but AMD later issued a CVE and promised a fix.
  • AMD requested the researcher take down a blog post and imposed an embargo longer than the industry standard of 90 days.
  • The vulnerability was eventually patched after 124 days by switching to HTTPS and adding a CRC-32 check, but claims of signature verification were false.
  • The AutoUpdater was also broken due to a redirection issue, rendering the vulnerability temporarily unexploitable.
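
Why a CRC-32 check is not signature verification, as an added example that is not from the original post or from AMD's software: CRC-32 is keyless and affine over XOR, so it only detects accidental corruption, while an updater needs a digest (or signature) anchored in something the download channel cannot supply. The function names, the sample payload and the "digest from an already-verified signed manifest" setup are assumptions made for illustration.

```python
import hashlib
import hmac
import zlib


def xor_bytes(*chunks: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        if len(chunk) != len(out):
            raise ValueError("inputs must have equal length")
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """CRC-32 has no key and is affine over XOR: for equal-length inputs,
    crc(a ^ b ^ c) == crc(a) ^ crc(b) ^ crc(c). A value with this much
    public structure is an error-detection code, not proof of origin."""
    combined = zlib.crc32(xor_bytes(a, b, c))
    return combined == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


def verify_update(payload: bytes, trusted_sha256_hex: str) -> bool:
    """Accept a download only if its SHA-256 matches a trusted digest.
    Assumption: the digest comes from a manifest whose signature was
    already verified against a public key shipped inside the updater."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, trusted_sha256_hex.lower())


# Constructed sample data, not a real installer.
SAMPLE_UPDATE = b"MZ" + b"constructed-update-payload" * 4
TRUSTED_DIGEST = hashlib.sha256(SAMPLE_UPDATE).hexdigest()

if __name__ == "__main__":
    zeros = bytes(len(SAMPLE_UPDATE))
    print("CRC-32 affine:", crc32_is_affine(SAMPLE_UPDATE, zeros, SAMPLE_UPDATE[::-1]))
    print("genuine accepted:", verify_update(SAMPLE_UPDATE, TRUSTED_DIGEST))
    print("modified accepted:", verify_update(SAMPLE_UPDATE + b"\x00", TRUSTED_DIGEST))
```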