📄 الوصف (الإنجليزية)
A DLL hijacking vulnerability in the AMD Cleanup Utility could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution.
🤖 ملخص AI
CVE-2024-36333 is a DLL hijacking vulnerability in AMD Cleanup Utility affecting AMD Radeon Pro software that could enable privilege escalation and arbitrary code execution. With a CVSS score of 7.8 and no patch currently available, this poses a significant risk to organizations using AMD professional graphics solutions. The vulnerability requires local access but could allow attackers to execute code with elevated privileges on affected systems.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: May 20, 2026 07:01
🇸🇦 التأثير على المملكة العربية السعودية
Saudi organizations most at risk include: (1) Government agencies and NCA-regulated entities using AMD Radeon Pro workstations for design/engineering; (2) Banking sector (SAMA-regulated) utilizing professional graphics for data visualization and risk modeling; (3) Energy sector (ARAMCO and affiliates) employing AMD Pro GPUs for simulation and modeling; (4) Telecommunications (STC, Mobily) using professional workstations; (5) Healthcare institutions with medical imaging and research departments; (6) Large enterprises in construction, architecture, and engineering sectors. The vulnerability's local access requirement limits exposure but poses significant risk in shared workstation environments common in Saudi corporate settings.
🏢 القطاعات السعودية المتأثرة
Government
Banking and Financial Services
Energy and Utilities
Telecommunications
Healthcare
Engineering and Architecture
Construction
Manufacturing
Research and Development
🎯 تقنيات MITRE ATT&CK
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt
T1053.005 - Scheduled Task/Job: Scheduled Task
T1204.001 - User Execution: Malicious Link
T1204.002 - User Execution: Malicious File
⚖️ درجة المخاطر السعودية (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all systems running AMD Cleanup Utility version 25.20.00.00 and AMD Radeon Pro software
2. Restrict local access to affected workstations to authorized personnel only
3. Disable or remove AMD Cleanup Utility if not actively required
4. Implement application whitelisting to prevent unauthorized DLL loading
Compensating Controls:
1. Apply principle of least privilege - ensure users do not run with administrative rights unnecessarily
2. Monitor and log DLL loading activities using Windows Event Viewer (Event ID 7 in Sysmon)
3. Implement AppLocker or Windows Defender Application Control (WDAC) policies to restrict DLL execution from suspicious locations
4. Use endpoint detection and response (EDR) solutions to detect DLL hijacking attempts
5. Restrict write permissions to system directories and application installation folders
Detection Rules:
1. Monitor for unsigned or suspicious DLL files in AMD installation directories
2. Alert on DLL loading from %TEMP%, %APPDATA%, or user-writable directories by AMD processes
3. Track process creation with elevated privileges initiated by AMD Cleanup Utility
4. Monitor registry modifications related to DLL search paths
Patching:
1. Check AMD's security advisories regularly for patch availability
2. Subscribe to AMD security notifications at amd.com/security
3. When patch becomes available, test in non-production environment before deployment
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حصر جميع الأنظمة التي تعمل بأداة تنظيف AMD الإصدار 25.20.00.00 وبرنامج AMD Radeon Pro
2. تقييد الوصول المحلي إلى محطات العمل المتأثرة للموظفين المصرح لهم فقط
3. تعطيل أو إزالة أداة تنظيف AMD إذا لم تكن مطلوبة بنشاط
4. تطبيق قائمة بيضاء للتطبيقات لمنع تحميل DLL غير المصرح به
الضوابط التعويضية:
1. تطبيق مبدأ أقل امتياز - تأكد من عدم تشغيل المستخدمين بحقوق إدارية غير ضرورية
2. مراقبة وتسجيل أنشطة تحميل DLL باستخدام عارض أحداث Windows (معرف الحدث 7 في Sysmon)
3. تطبيق سياسات AppLocker أو Windows Defender Application Control (WDAC) لتقييد تنفيذ DLL من مواقع مريبة
4. استخدام حلول الكشف والاستجابة للنقاط النهائية (EDR) للكشف عن محاولات اختطاف DLL
5. تقييد أذونات الكتابة إلى مجلدات النظام ومجلدات تثبيت التطبيقات
قواعد الكشف:
1. مراقبة ملفات DLL غير الموقعة أو المريبة في مجلدات تثبيت AMD
2. تنبيه عند تحميل DLL من %TEMP% أو %APPDATA% أو مجلدات قابلة للكتابة من قبل عمليات AMD
3. تتبع إنشاء العمليات برامتيازات مرتفعة التي تبدأ بواسطة أداة تنظيف AMD
4. مراقبة تعديلات السجل المتعلقة بمسارات البحث عن DLL
التصحيح:
1. تحقق من نشرات أمان AMD بانتظام لتوفر التصحيحات
2. اشترك في إخطارات أمان AMD على amd.com/security
3. عند توفر التصحيح، اختبره في بيئة غير الإنتاج قبل النشر
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.5.2.1 - User access management
A.5.2.3 - Management of privileged access rights
A.5.3.1 - Password management
A.8.1.1 - User endpoint devices
A.8.2.1 - Privileged access rights
A.8.2.3 - Information access restriction
A.8.3.1 - Cryptography
A.8.3.2 - Cryptographic key management
🔵 SAMA CSF
ID.AM-2 - Software platforms and applications are inventoried
PR.AC-1 - Identities and credentials are issued and managed securely
PR.AC-3 - Access is managed through least privilege principles
PR.AC-4 - Access rights and privileges are managed
PR.DS-5 - Protections against data leakage are implemented
DE.CM-1 - The network is monitored to detect potential cybersecurity events
DE.CM-7 - Monitoring for unauthorized personnel, connections, devices, and software is performed
🟡 ISO 27001:2022
5.3 - Segregation of duties
6.5.1 - Information security in supplier relationships
8.1.1 - User endpoint devices
8.2.1 - User registration and de-registration
8.2.3 - Management of privileged access rights
8.3.1 - Information access control
8.3.2 - Access to networks and network services
8.3.4 - Restriction of information access
8.6.1 - Application security
8.7.1 - Cryptographic controls
📦 المنتجات المتأثرة 3 منتج
amd:radeon_software
amd:radeon_software
amd:cleanup_utility:25.20.00.00