Israel-based CTS-Labs has just launched a website discussing a total of thirteen security vulnerabilities affecting AMD’s “Zen” CPU microarchitecture. According to the researchers, these are comparable in severity to “Meltdown” and “Spectre”, and could let attackers install malware on highly guarded portions of the processor.
The scope of the new vulnerabilities is broad and diverse: the security audit revealed multiple critical security vulnerabilities and manufacturer backdoors in AMD’s latest EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile processors. According to the researchers, these vulnerabilities have the potential to put organizations at significantly increased risk of cyber-attacks.
The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing this report.
CTS Labs has produced a white paper further detailing these vulnerabilities, available at amdflaws.com. Honestly, with all the naming like amdflaws, Ryzenfall etc., you’d think a certain ‘other’ company would be behind CTS Labs, or that this is some #fakenews. While possible, that does seem too far-fetched, but the way the information was managed and released is rather ‘smelly’. The entire disclosure looks and feels like a marketing campaign: a freshly uploaded YouTube video of a guy in front of a green screen, on a YT channel made just for this announcement, and the amdflaws website created only in late February. It all feels …very weird.
Anyway, we’ll post and follow up, but please keep some skepticism in mind. The self-proclaimed researchers say they have now shared this information with AMD, Microsoft, HP, Dell, and select security companies, so that they may work on developing mitigations and patches, and examine and research these and any other potential vulnerabilities at the company. The exploits involve all Zen-based architectures, so these include Ryzen, Threadripper, and EPYC as well. According to experts, firmware vulnerabilities such as MASTERKEY, RYZENFALL, and FALLOUT will take several months to fix. Hardware vulnerabilities such as CHIMERA cannot be fixed and require a workaround.
It is a lot to digest; you can check up on it all here, and we’ll update this news item later on with more info. The thirteen exploits have been grouped into four segments.
- Masterkey
- Ryzenfall
- Fallout
- Chimera
What is bothersome is that several of the vulnerabilities are found in the secure part of the processors, typically where your device stores sensitive data like passwords and encryption keys. Let’s run through them.
Master Key
Typically, when a device starts up, it passes through a “Secure Boot.” In this process, your processor is used to check that nothing on your computer has been tampered with, and only trusted programs are launched. The Master Key vulnerability gets around this start-up check by installing malware in the computer’s BIOS, the part of the computer’s firmware that controls how it starts up. Once the BIOS is infected, Master Key allows an attacker to install malware on the Secure Processor itself, meaning they would have complete control over which programs are allowed to run during the start-up process. From there, the vulnerability also allows attackers to disable security features on the processor.
Ryzenfall
AMD’s Ryzen processors are the ones specifically affected here, potentially allowing malware to completely take over the secure processor, including accessing protected data like encryption keys and passwords. These segments of the processor normally cannot be reached by a regular attacker, according to the researchers. If an attacker can bypass Windows Defender Credential Guard, they could use the stolen credentials to spread to other computers within that network. Credential Guard is a feature of Windows 10 Enterprise that stores your sensitive data in a protected section of the operating system that normally can’t be accessed. “The Windows Credentials Guard is very effective at protecting passwords on a machine and not allowing them to spread around,” Luk-Zilberman said. “The attack makes spreading through the network much easier.”
Fallout
Similar to Ryzenfall, Fallout allows attackers to access protected data sections, including Credential Guard. But this vulnerability only affects devices using AMD’s EPYC secure processor. These chips are used in data centers and cloud servers, connecting computers used by industries around the world. If an attacker used the vulnerabilities described in Fallout, they could steal all stored credentials and spread across the network.
“These network credentials are stored in a segregated virtual machine where it can’t be accessed by standard hacking tools,” said CTS-Labs CEO Ido Li On. “What happens with Fallout is that this segregation between virtual machines is broken.” Segregated virtual machines are portions of your computer’s memory split off from the rest of the device. Researchers use them to test malware without infecting the rest of their computer. Think of it like a virtual computer inside your computer. With Credential Guard, the sensitive data is stored in such an isolated virtual machine and protected so that, even if your computer were infected with ordinary malware, that malware would not be able to access it.
Chimera
Chimera, then, is based on two vulnerabilities: one resides in firmware and one in hardware. The Ryzen chipset itself allows malware to run on it. Because WiFi, network and Bluetooth traffic flows through the chipset, an attacker could use that to infect your device, the researchers said. In a proof-of-concept demonstration, the researchers said it was possible to install a keylogger through the chipset. A keylogger would allow an attacker to see everything typed on an infected computer. The chipset’s firmware issues mean that an attacker can install malware onto the processor itself.
What now?
It’s not known how long it will take to address and fix these issues, or whether some of them can be fixed at all. CTS-Labs said it hasn’t heard back from AMD, but considering they gave AMD 24 hours to digest all this, that makes sense. The researchers said it could take several months to fix. Some of the exploits in hardware can’t be fixed, they add.
We say testing and verification are required. Should you be worried? Well, from what we’ve read, all four classes of vulnerabilities require actual administrative access to your PC. This means an attacker would already need full access to your PC, that is, elevated privileges. And yeah, anything and anyone you hand out admin rights to would put you at risk anyway.
At the time of writing, I (Hilbert) am looking at the vulnerability announcements with a healthy amount of skepticism, and so should you. I’d advise we all await what AMD has to say about this, once they have had a chance to digest all information and accusations.
AMD Statement
We’ve just reached out to AMD for a statement; here is their first reaction:
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.”