AMD flaws

AMD has officially confirmed the validity of the RyzenFall, MasterKey, Fallout, and Chimera vulnerabilities that came to light on March 12, and said it would be releasing patches in "the coming weeks."

The company's assessment of the four flaws is consistent with the original whitepaper published by Israeli security firm CTS Labs, and with third-party audits by Trail of Bits, Check Point, and Crowdstrike's Alex Ionescu.

Because of the non-standard vulnerability disclosure process, many security experts believed the original CTS Labs report was an attempt to manipulate AMD stock and hence contained false or misleading bugs.

AMD officially confirms products are affected

AMD CTO Mark Papermaster effectively confirmed today that the flaws are real and, indeed, affect AMD Ryzen and EPYC processor series.

More specifically, three of the flaws (MasterKey, Fallout, RyzenFall) affect the AMD Platform Security Processor (PSP), a secure chip-on-chip processor, similar to the Intel Management Engine (ME), that is separated from the rest of the AMD processor at the hardware level and usually deals with secure data such as passwords, encryption keys, etc.

The last (Chimera) affects the AMD chipset (motherboard component) that manages communication between the processor, memory, and peripherals, allowing attackers to execute code and relay false information to other components.

AMD says it had only one day to look at original report

The reason why AMD took a whole week to assess these flaws was because CTS Labs gave AMD only a day to read its report before going public with its findings.

AMD also dismissed the original severity of these flaws by pointing out, as the third-party investigators did, that these flaws need administrative access to be exploited. The Meltdown and Spectre flaws did not need elevated privileges during exploitation.

Below is a table with AMD's assessment of the MasterKey, Fallout, RyzenFall, and Chimera vulnerabilities and its plan of action. AMD promised more in-depth details about the patching process in the coming weeks.

Table columns: Vulnerability Groups; Problem Description & Method of Exploitation; Potential Impact; Planned AMD Mitigation.

MASTERKEY and PSP Privilege Escalation (AMD Secure Processor or “PSP” firmware)

Problem Description & Method of Exploitation:
Issue: Attacker who already has compromised the security of a system updates flash to corrupt its contents. AMD Secure Processor (PSP) checks do not detect the corruption.
Method: Attacker requires Administrative access.

Potential Impact:
Attacker can circumvent platform security controls. These changes are persistent following a system reboot.

Planned AMD Mitigation:
Firmware patch release through BIOS update. No performance impact is expected.
AMD is working on PSP firmware updates that we plan to release in the coming weeks.

RYZENFALL and FALLOUT (AMD Secure Processor firmware)

Problem Description & Method of Exploitation:
Issue: Attacker who already has compromised the security of a system writes to AMD Secure Processor registers to exploit vulnerabilities in the interface between x86 and AMD Secure Processor (PSP).
Method: Attacker requires Administrative access.

Potential Impact:
Attacker can circumvent platform security controls but is not persistent across reboots.
Attacker may install difficult to detect malware in SMM (x86).

Planned AMD Mitigation:
Firmware patch release through BIOS update. No performance impact is expected.
AMD is working on PSP firmware updates that we plan to release in the coming weeks.

CHIMERA (“Promontory” chipset)

“Promontory” chipset used in many socket AM4 desktop and socket TR4 high-end desktop (HEDT) platforms.
AMD EPYC server platforms, EPYC and Ryzen Embedded platforms, and AMD Ryzen Mobile FP5 platforms do not use the “Promontory” chipset.

Problem Description & Method of Exploitation:
Issue: Attacker who already has compromised the security of a system installs a malicious driver that exposes certain Promontory functions.
Method: Attacker requires Administrative access.

Potential Impact:
Attacker accesses physical memory through the chipset.
Attacker installs difficult to detect malware in the chipset but is not persistent across reboots.

Planned AMD Mitigation:
Mitigating patches released through BIOS update. No performance impact is expected.
AMD is working with the third-party provider that designed and manufactured the “Promontory” chipset on appropriate mitigations.
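Since every mitigation in the table arrives as a BIOS update, the practical follow-up for an administrator is to verify that the update actually landed on each machine. The following check is an added example, not code from AMD, CTS Labs, or the article: it parses the output of `dmidecode -t bios` and `lspci` (both standard Linux tools) to record the BIOS vendor, version, and release date, notes whether an AMD Platform Security Processor device is visible on the PCI bus, and compares the BIOS release date against a cut-off date. The sample tool output and the `MIN_PATCHED_BIOS` cut-off are constructed placeholders; the cut-off must be replaced with the release date of the board vendor's BIOS that carries AMD's PSP firmware fix.

```python
import re
import shutil
import subprocess
from datetime import date

# Constructed sample of `dmidecode -t bios` output (not captured from a real host).
SAMPLE_DMIDECODE = """\
# dmidecode 3.1
Getting SMBIOS data from sysfs.
SMBIOS 3.0 present.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
\tVendor: American Megatrends Inc.
\tVersion: 4.70
\tRelease Date: 02/28/2018
\tROM Size: 16384 kB
"""

# Constructed sample of `lspci` output for a Ryzen (Family 17h) system.
SAMPLE_LSPCI = """\
00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Root Complex
00:08.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Internal PCIe GPP Bridge 0 to Bus B
0a:00.2 Encryption controller: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Platform Security Processor
"""

# Placeholder (assumption): ISO date of the vendor BIOS that ships the fixed PSP firmware.
MIN_PATCHED_BIOS = "2018-06-01"


def parse_bios_info(dmidecode_text):
    """Pull Vendor, Version and Release Date out of the 'BIOS Information' block."""
    info = {}
    for line in dmidecode_text.splitlines():
        m = re.match(r"\s+(Vendor|Version|Release Date):\s*(.+)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info


def parse_release_date(text):
    """dmidecode prints the SMBIOS BIOS date as MM/DD/YYYY."""
    month, day, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


def has_psp_device(lspci_text):
    """True when lspci lists the AMD Platform Security Processor as a PCI function."""
    return any("Platform Security Processor" in line for line in lspci_text.splitlines())


def firmware_at_least(bios_info, min_release_iso):
    """True when the BIOS release date is on or after the cut-off date."""
    return parse_release_date(bios_info["Release Date"]) >= date.fromisoformat(min_release_iso)


def assess(dmidecode_text, lspci_text, min_release_iso=MIN_PATCHED_BIOS):
    """Summarise the host's firmware state for patch-compliance tracking."""
    info = parse_bios_info(dmidecode_text)
    return {
        "bios": info,
        "psp_present": has_psp_device(lspci_text),
        "bios_current": firmware_at_least(info, min_release_iso),
    }


if __name__ == "__main__":
    # Use the live tools when available (needs root for dmidecode); otherwise fall back to the samples.
    if shutil.which("dmidecode") and shutil.which("lspci"):
        dmi = subprocess.run(["dmidecode", "-t", "bios"], capture_output=True, text=True).stdout
        pci = subprocess.run(["lspci"], capture_output=True, text=True).stdout
    else:
        dmi, pci = SAMPLE_DMIDECODE, SAMPLE_LSPCI
    print(assess(dmi, pci))
```

Run it as root on each AMD host and feed the result into whatever inventory system tracks patch compliance; a host where `psp_present` is true and `bios_current` is false is one that still needs the vendor BIOS update. The release-date comparison is deliberately vendor-neutral because BIOS version strings differ between board makers and are not ordered in a consistent way.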
