Pierluigi Paganini March 14, 2018

Security researchers at Israel-based CTS-Labs have discovered 13 critical vulnerabilities and exploitable backdoors in various AMD chips.

The flaws could be potentially exploited to steal sensitive data, install malicious code on AMD-based systems, and gain full access to the compromised systems. The flaws expose servers, workstations, and laptops running vulnerable AMD Ryzen, Ryzen Pro, Ryzen Mobile or EPYC processors to attacks.

CTS-Labs promptly reported the flaws to AMD, Microsoft and “a small number of companies that could produce patches and mitigations.”

“We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings.” reads a statement published by AMD.

“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.”

This analysis conducted by the experts revealed four classes (RYZENFALL, FALLOUT, CHIMERA, and MASTERKEY) of vulnerabilities affecting the AMD Zen architecture processors and chipsets that usually contain sensitive information such as passwords and encryption keys.

The researchers also discovered two exploitable manufacturer backdoors inside Ryzen chipset that could be exploited to inject malicious code into the chip.

The number of total products affected (Successfully Exploited) is 21, but the researchers believe that 11 more products are also vulnerable.

Dan Guido, the founder of security firm Trail of Bits, who was informed of the flaws before their public disclosure confirmed that existence of all 13 AMD vulnerabilities.

Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.

— Dan Guido (@dguido) March 13, 2018

The vulnerabilities enable attackers to bypass security measures like Microsoft’s latest Credential Guard technology or EPYC Secure Processor’s Secure Encrypted Virtualization security feature.

Let’s see in detail the vulnerabilities:

• Chimera is a flaw in Ryzen workstation and Ryzen Pro, it includes two sets of manufacturer backdoor flaws that allow malicious code to be injected into the Ryzen chipsets. The exploitation of Chimera issued could allow attackers to install malware to leverage the Direct Memory Access engine to attack the operating system.

“Chipset-based malware could evade virtually all endpoint security solutions on the market.” reads the analysis.

“Malware running on the chipset could leverage the latter’s Direct Memory Access (DMA) engine to attack the operating system. This kind of attack has been demonstrated.”

• The Ryzenfall impacts AMD’s Ryzen workstation, Pro and mobile lineups, it could allow attackers to inject a malicious code to take complete control over the AMD Secure Processor and leverage the technology’s privileges to read and write protected memory areas (including SMRAM and the Windows Credential Guard isolated memory).

Attackers could use RYZENFALL to bypass Windows Credential Guard, steal network credentials, and then potentially spread through even highly secure Windows corporate networks.” continues the analysis.

“Attackers could use RYZENFALL in conjunction with MASTERKEY to install persistent malware on the Secure Processor, exposing customers to the risk of covert and long-term industrial espionage.”

• Fallout vulnerabilities impact AMD’s EPYC server chips and could be exploited to read from and write to protected memory areas including SMRAM and Windows Credential Guard isolated memory (VTL-1).

“An attacker could leverage these vulnerabilities to bypass BIOS flashing protections that are implemented in SMM.”

• Masterkey flaw breaks down into three separate vulnerabilities found in AMD’s Secure Processor firmware, they can be exploited to infiltrate the Secure Processor in EPYC server, Ryzen workstation, Ryzen Pro and Ryzen mobile chips.

“The flaw facilitates network credential theft by allowing Windows Credential Guard to be bypassed.” states the report. “Physical damage and bricking of hardware. Could be used by attackers in hardware-based “ransomware” scenarios.”

Many of the flaws are firmware vulnerabilities and it could take much time to address them, while the Chimera hardware vulnerabilities cannot be fixed.

It is still unclear if the flaws are currently being exploited in the wild.

Pierluigi Paganini

(Security Affairs – AMD vulnerabilities, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]