AMD processors impacted by 13 serious flaws, says CTS Labs

by Mark Tyson on 13 March 2018, 17:44

Tags: AMD (NYSE:AMD)

Quick Link: HEXUS.net/qadroo

Add to My Vault: x

Israel-based cyber-security research firm and consultancy, CTS Labs, today published a press release and other materials concerning multiple critical security vulnerabilities in AMD's 'Zen' core processor family. The firm issued its 'Severe Security Advisory' for AMD processors, backed up with a dedicated microsite called amdflaws.com, and an explainer video to sum up the reported issues and their scope.

According to CTS Labs there are thirteen critical security vulnerabilities and manufacturer backdoors distributed throughout the AMD Ryzen & EPYC product line. Yes, Ryzen Workstation, Ryzen Mobile, Ryzen Pro, and EPYC server processors all fall foul of one or more of the flaws discovered. The 13 serious flaws have been sorted into four categories by CTS Labs. A chart makes it very clear what processors are affected by what class of vulnerability, see below.

Three of four vulnerability classes require local admin access

Below I have shared key descriptive points concerning the four classes of flaws with notes on the prerequisites for exploitation. You will notice that three of the four vulnerability classes can only be taken advantage of if an admin runs some malware on the local system. Only Masterkey can be exploited initially as part of a remote cyber-attack, thinks CTS Labs.

  • Masterkey (x3) vulnerabilities allow attackers to infiltrate the Secure Processor due to multiple vulnerabilities in the firmware. Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update.
  • Ryzenfall (x4) allows malicious code to take complete control over the AMD Secure Processor. Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges.
  • Fallout (x3) allows attackers to read from and write to protected memory areas, such as SMRAM and Windows Credential Guard isolated memory (VTL-1). Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges
  • Chimera (x2) consists of two sets of manufacturer backdoors; one in firmware and another in hardware. Malicious code can be injected via these backdoors. Prerequisites for Exploitation are: a program running with local-machine elevated administrator privileges. Access to the device is provided by a driver that is digitally signed by the vendor.

"Third-Party Chip Design Plagued with Hidden Backdoors" - root cause of Chimera flaws.

Unlike the other flaws, CTS Labs says that Chimera cannot be fixed by vendor updates and requires a workaround to prevent it potentially being exploited. CTS has already notified AMD and partners like Microsoft, HP, Dell, and ASMedia - plus select security companies - so that they can work on patches and mitigations. "To ensure public safety, all technical details that could be used to reproduce the vulnerabilities have been redacted" from the CTS Labs White Paper (PDF) which provides the greatest detail depth about the vulnerabilities.

I expect to get several emails from AMD and various security firms overnight. At the time of writing I think everyone is still digesting the dedicated amdflaws site and the white paper. Due to the limited possibilities of these vulnerabilities being exploited remotely and no evidence of associated malware in the wild one shouldn't worry too much at this time. Looking at AMD's share price, as I write, it is actually 1.8 per cent up on the day so far. It looks like this news caused a rather sharp downturn around 10.30am US time (news published at 10am US time), but it has more than recovered now.

UPDATE: AMD Responds

In a brief official statement on its investor relations page AMD has promised further updates on related security matters in the follow up to the CTS Labs news release.

"We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops."


HEXUS Forums :: 100 Comments

Login with Forum Account

Don't have an account? Register today!
So, if I understood this correctly, you either need local admin rights or physical access (and a possible BIOS passphrase?) to be able to take advantage of these vulnerabilities? Or does Chimera only require the signed driver to be loaded?

If so, these are nothing like as bad as Specter and Meltdown, thankfully.

Also, it sounds like most of these can be fixed with firmware updates.
Coincidentally this has been released just before AMD is about to release the new Ryzen 2 chips.
afiretruck
So, if I understood this correctly, you either need local admin rights or physical access (and a possible BIOS passphrase?) to be able to take advantage of these vulnerabilities? Or does Chimera only require the signed driver to be loaded?

If so, these are nothing like as bad as Specter and Meltdown, thankfully.

Also, it sounds like most of these can be fixed with firmware updates.

I wonder if Intel has employed the services of CTS? A dedicated microsite called “amdflaws”?! This after AMD processors aren't hit as badly by the Spectre/Meltdown issues and get better publicity over it.

Fishy.
Ummm… all these “exploits” require an admin to run or install something. This is beyond silly. I also think that this is an Intel-sponsored thing.
From what I've read I have to agree - a bit of hyperbole to frighten investors who won't bother to understand what it actually is. And an impossibly short notice period is just a joke - something is obviously malicious about it. Even the language used is strange, they're making wild assumptions and implying things they simply cannot know, and acting like security flaws are unheard of.