Hacking

13 Critical flaws and exploitable backdoors found in various AMD chips

Security researchers at Israel-based CTS-Labs have discovered 13 critical vulnerabilities and exploitable backdoors in various AMD chips.

The flaws could be potentially exploited to steal sensitive data, install malicious code on AMD-based systems, and gain full access to the compromised systems. The flaws expose servers, workstations, and laptops running vulnerable AMD Ryzen, Ryzen Pro, Ryzen Mobile or EPYC processors to attacks.

CTS-Labs promptly reported the flaws to AMD, Microsoft and “a small number of companies that could produce patches and mitigations.”

“We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings.” reads a statement published by AMD.

“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.”

This analysis conducted by the experts revealed four classes (RYZENFALL, FALLOUT, CHIMERA, and MASTERKEY) of vulnerabilities affecting the AMD Zen architecture processors and chipsets that usually contain sensitive information such as passwords and encryption keys.

The flaw could allow to bypass AMD’s Secure Encrypted Virtualization (SEV) technology and also Microsoft Windows Credential Guard.

“The AMD Secure Processor, the gatekeeper responsible for the security of AMD processors, contains critical vulnerabilities. This integral part of most of AMD’s products, including workstations and servers, is currently being shipped with multiple security vulnerabilities that could allow malicious actors (“attackers”) to permanently install malicious code inside the Secure Processor itself.” reads the report published by the experts.

“These vulnerabilities could expose AMD customers to industrial espionage that is virtually undetectable by most security solutions”

The researchers also discovered two exploitable manufacturer backdoors inside Ryzen chipset that could be exploited to inject malicious code into the chip.

The number of total products affected (Successfully Exploited) is 21, but the researchers believe that 11 more products are also vulnerable.

Dan Guido, the founder of security firm Trail of Bits, who was informed of the flaws before their public disclosure confirmed that existence of all 13 AMD vulnerabilities.

The vulnerabilities enable attackers to bypass security measures like Microsoft’s latest Credential Guard technology or EPYC Secure Processor’s Secure Encrypted Virtualization security feature.

Let’s see in detail the vulnerabilities:

  • Chimera is a flaw in Ryzen workstation and Ryzen Pro, it includes two sets of manufacturer backdoor flaws that allow malicious code to be injected into the Ryzen chipsets. The exploitation of Chimera issued could allow attackers to install malware to leverage the Direct Memory Access engine to attack the operating system.

“Chipset-based malware could evade virtually all endpoint security solutions on the market.” reads the analysis.

“Malware running on the chipset could leverage the latter’s Direct Memory Access (DMA) engine to attack the operating system. This kind of attack has been demonstrated.”

  • The Ryzenfall impacts AMD’s Ryzen workstation, Pro and mobile lineups, it could allow attackers to inject a malicious code to take complete control over the AMD Secure Processor and leverage the technology’s privileges to read and write protected memory areas (including SMRAM and the Windows Credential Guard isolated memory).

Attackers could use RYZENFALL to bypass Windows Credential Guard, steal network credentials, and then potentially spread through even highly secure Windows corporate networks.” continues the analysis.

“Attackers could use RYZENFALL in conjunction with MASTERKEY to install persistent malware on the Secure Processor, exposing customers to the risk of covert and long-term industrial espionage.”

  • Fallout vulnerabilities impact AMD’s EPYC server chips and could be exploited to read from and write to protected memory areas including SMRAM and Windows Credential Guard isolated memory (VTL-1).

“An attacker could leverage these vulnerabilities to bypass BIOS flashing protections that are implemented in SMM.”

  • Masterkey flaw breaks down into three separate vulnerabilities found in AMD’s Secure Processor firmware, they can be exploited to infiltrate the Secure Processor in EPYC server, Ryzen workstation, Ryzen Pro and Ryzen mobile chips.

“The flaw facilitates network credential theft by allowing Windows Credential Guard to be bypassed.” states the report. “Physical damage and bricking of hardware. Could be used by attackers in hardware-based “ransomware” scenarios.”

Many of the flaws are firmware vulnerabilities and it could take much time to address them, while the Chimera hardware vulnerabilities cannot be fixed.

It is still unclear if the flaws are currently being exploited in the wild.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – AMD vulnerabilities, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

58 mins ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

15 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

22 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.