AMD flaws

AMD is investigating a report published today by an Israeli security firm disclosing the presence of 13 security flaws affecting AMD Ryzen and EPYC processors.

The 13 vulnerabilities are organized across four vulnerability classes named RyzenFall, MasterKey, Fallout, and Chimera.

CTS Labs, the security firm who discovered these flaws, claims they can provide attackers with full control over a system, but also allow attackers to extract data from secure areas of AMD CPUs, similar to the now-infamous Meltdown and Spectre flaws.

Security firm notified AMD only yesterday

Patches are not available, as AMD is still investigating the report. According to reports, CTS Labs allegedly notified AMD of the flaws only yesterday, and AMD hasn't even confirmed that the report contains valid findings.

CTS Labs claims to have discovered the flaws when it analyzed a modern AMD CPU and spotted what appeared to be the backdoor code it previously discovered in old ASMedia firmware. This sparked a more in-depth investigation that later unearthed 13 security bugs.

These flaws and the processors they affect are detailed in the image below. CTS Labs says some flaws could affect more AMD processor series, as they have not attempted to create proof-of-concept exploit code for all CPU series.

AMD flaws

The affected AMD CPUs are deployed in desktops, notebooks, smartphones, and servers alike. CTS Labs claims to have notified AMD, Microsoft, and a small number of OEMs, so they could get started on creating patches.

What are these vulnerabilities?

Below is a description of what CTS Labs researchers claim the vulnerabilities allow an attacker to perform. Just bear in mind, AMD has not confirmed any of these just yet.

MasterKey 1, 2, 3

⏺  Persistent malware running inside AMD Secure Processor
⏺  Bypass firmware-based security features such as Secure Encrypted Virtualization (SEV) and Firmware Trusted Platform Module (fTPM)
⏺  Network credential theft. Bypass Microsoft Virtualization-based Security (VBS), including Windows Credential Guard
⏺  Physical damage to hardware (SPI flash wear-out, etc.)
⏺  Affects: EPYC, Ryzen, Ryzen Pro, Ryzen Mobile. Successfully exploited on EPYC and Ryzen.

RyzenFall 1 and Fallout 1

⏺  Write to protected memory areas, including: (1) Windows Isolated User Mode and Isolated Kernel Mode (VTL1) and (2) AMD Secure Processor Fenced DRAM [Allows direct tampering with trusted code running on AMD Secure Processor. Only applicable to select Ryzen motherboards]
⏺  Network credential theft. Bypass Microsoft Virtualization-based Security (VBS) including Windows Credential Guard
⏺  Enables memory-resident VTL1 malware that is  resilient against most endpoint security solutions
⏺  Affects: EPYC, Ryzen, Ryzen Pro, Ryzen Mobile. Successfully  exploited on EPYC, Ryzen, Ryzen Pro and Ryzen Mobile.

RyzenFall 2 and Fallout 2

⏺  Disable Secure Management RAM (SMRAM) read/write protection
⏺  Enables memory-resident SMM malware, resilient against most endpoint security solutions
⏺  Affects: EPYC, Ryzen, Ryzen Pro. Successfully exploited on EPYC, Ryzen, Ryzen Pro. Ryzen Mobile is not affected.

RyzenFall 3 and Fallout 3

⏺  Read from protected memory areas, including: (1) Windows Isolated User Mode and Isolated Kernel Mode (VTL1) (2) Secure Management RAM (SMRAM) (3) AMD Secure Processor Fenced DRAM. Only applicable to select Ryzen motherboards
⏺  Network credential theft. Bypass Windows Credential Guard by reading secrets from VTL1 memory
⏺  Affects: EPYC, Ryzen, Ryzen Pro. Successfully exploited on EPYC, Ryzen, Ryzen Pro. Ryzen Mobile is not affected.

RyzenFall 4

⏺  Arbitrary code execution on AMD Secure Processor
⏺  Bypass firmware-based security features such as Firmware Trusted Platform Module (fTPM)
⏺  Network credential theft. Bypass Microsoft Virtualization-based Security (VBS), including Windows Credential Guard
⏺  Physical damage to hardware (SPI flash wear-out, etc.)
⏺  Affects: Ryzen, Ryzen Pro. Successfully exploited on Ryzen, Ryzen Pro.

Chimera (Firmware, Hardware versions)

⏺  Two sets of manufacturer backdoors: One implemented in firmware, the other in hardware (ASIC)
⏺  Allows malware to inject itself into the chipset’s internal 8051 architecture processor
⏺  The chipset links the CPU to USB, SATA, and PCI-E devices. Network, WiFi and Bluetooth traffic often flows through the chipset as well
⏺  Malware running inside the chipset could take advantage of the chipset’s unique position as a middleman for hardware peripherals
⏺  Affects: Ryzen, Ryzen Pro. Successfully exploited on Ryzen and Ryzen Pro.

 CTS Labs facing criticism

The CTS Labs team has put considerable efforts into marketing these security flaws, with the creation of a dedicated website and the release of professionally-shot YouTube videos.

The infosec community is more than displeased with the company's decision to give AMD only one day to address these flaws and with the fact they did not share any technical write-up to prove their research's validity. Furthermore, some experts also pointed out that the company is overhyping the vulnerabilities, all of which require admin-level access for successful exploitation.

Some security researchers also pointed to a particular section of the CTS Labs website's legal disclaimer, shortly after it became evident that AMD stock took a 2% price tumble.

Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.

CTS Labs states that it did not put users at risk by disclosing these flaws without giving AMD a chance to confirm and issue patches. The company claims that only it and AMD have the technical details needed to exploit these vulnerabilities and that users are still secure.

UPDATE [March 13, 17:00 ET]: AMD has issued an official statement on CST's findings, revealing it is still investigating the incident. In addition, a CTS Labs spokesperson confirmed to Bleeping Computer that Trail of Bits CEO Dan Guido had reviewed their findings for accuracy. Guido confirmed today that the security flaws are real, albeit not as severe as they might sound, as they do require admin-level access to exploit.

Related Articles:

Spectre and Meltdown Hardware Protection Added to Intel's 9th Gen CPUs

The Intel Microcode Boot Loader Protects Older CPUs From Spectre

New PortSmash Hyper-Threading CPU Vuln Can Steal Decryption Keys

Intel 2018 Desktop Launch Tomorrow, 9th Gen CPUs Expected

Intel Says They Can Keep Up With PC Growth Demand