Cisco Talos experts warn that vulnerabilities in some AMD ATI Radeon graphics cards allow remote execution of arbitrary code or can cause a denial of service.
In total, the experts identified four vulnerabilities, all related to the operation of the ATIDXX64.DLL driver. Three are out-of-bounds bugs, and the fourth is a type confusion bug. AMD developers have already fixed all four.
The first three vulnerabilities have the identifiers CVE-2019-5124, CVE-2019-5147 and CVE-2019-5146, and scored 8.6 points on the CVSS vulnerability rating scale. To exploit these flaws, an attacker needs to provide the victim with a specially crafted malicious pixel shader. Such an attack can be launched from user mode inside a VMware guest to trigger an out-of-bounds read in vmware-vmx.exe on the host, or, in theory, via WebGL from a remote site.
Researchers checked and confirmed the existence of vulnerabilities in ATIDXX64.DLL version 26.20.13025.10004, running on Radeon RX 550/550 graphics cards, on VMware Workstation 15 with Windows 10 x64 as a guest virtual machine.
The fourth vulnerability also affects the ATIDXX64.DLL driver (versions 26.20.13031.10003, 26.20.13031.15006 and 26.20.13031.18002) and threatens the same series of video cards and platforms. The type confusion bug can likewise be exploited through a specially crafted pixel shader, which can lead to code execution.