AMD’S TOP CHIPS look to be in a spot of bother as researchers have found 13 vulnerabilities in its Epyc and Ryzen processors that look to be as critical as Spectre.
The flaws were uncovered by Israeli security firm CTS-Labs, which noted that the vulnerabilities affect the Secure Processor, a co-processor found on AMD’s CPUs where sensitive data such as encryption keys and passwords are stored.
The 13 vulnerabilities fall into four threat categories; Master Key, Ryzenfall, Fallout and Chimera.
Master Key allows for malware to bypass the Secure Processor firmware and allow for the processors to be infiltrated.
To get there, an attacker needs administrator access, either directly or remotely, in order to flash a computer’s motherboard BIOS. This then allows them to infect the secure boot process; a series of checks the chip carries out to ensure the computer hasn’t been tampered with and only allow trusted programs to be launched.
With an infection at the secure boot level, the Master Key threat allows attackers to take control of the programs allowed to run during a computer’s startup, as well as to disable other security features on the Secure Processor.
Ryzenfall is a threat that allows for malware to completely hijack a Secure Processor allowing access to secure data that would normally be out of the reach of attackers. This data could then be used to infect other computers on the same network as the vulnerabilities allow for the Windows Credential Guard to be bypassed.
Used in conjunction with Master Key, Ryzenfall could be used to install persistent threat malware on the Secure Processor to carry out long-term espionage.
Fallout also allows attackers to get access to protected data on AMD’s CPUs, but it only applies to the Epyc processors.
However, these chips are used in data centres and the vulnerability effectively breaks the virtualised segregation of network credentials from other parts of a server’s memory by allowing protected memory areas to be read and written upon.
As such, network credentials can be pilfered and allow for malware to spread to other connected servers; which could potentially wreak havoc with data centres supporting public clouds.
Finally, Chimera relates to backdoor vulnerabilities at a hardware and firmware level, which could allow hackers to inject malicious code into the Secure Processor. At this level, malware would evade pretty much all current endpoint security software and services, according to the researchers.
“The chipset links the CPU to USB, SATA, and PCI-E devices. Network, WiFi and Bluetooth traffic often flows through the chipset as well. An attacker could leverage the chipset’s middleman position to launch sophisticated attacks,” they said.
“Malware running on the chipset could leverage the latter’s Direct Memory Access (DMA) engine to attack the operating system. This kind of attack has been demonstrated.”
So in a nutshell, this suite of vulnerabilities looks to be pretty bad news for AMD. And CTS-Labs announced them immediately, rather than giving AMD the normal 90-day window to fix the flaws.
However, CTS-Labs noted no technical detail on the flaws were revealed so they haven’t opened a Pandora’s box for hackers; only AMD, Microsoft and select companies have the technical details so they can create patches and fixes for the vulnerabilities.
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise,” AMD said in response to the research.
“We are investigating this report, which we just received, to understand the methodology and merit of the findings.”
At the time of writing, CTS-Labs claim that if a computer is running a Ryzen, Ryzen Pro, Ryzen Mobile or Epyc chip, then it is at risk, along with machines on the same network, though no attacks have been seen out in the wild yet.
Nevertheless, CTS-Labs researchers don’t want the flaws to be brushed off lightly.
“We believe that these vulnerabilities put networks that contain AMD computers at a considerable risk. Several of them open the door to malware that may survive computer reboots and reinstallations of the operating system, while remaining virtually undetectable by most endpoint security solutions,” they said.
“This can allow attackers to bury themselves deep within the computer system and to potentially engage in persistent, virtually undetectable espionage, executed from AMD’s Secure Processor and AMD’s chipset. It is our view that the existence of these vulnerabilities betrays disregard of fundamental security principles.”
While AMD’s chips were affected by the Spectre flaws, they weren’t affected by the more serious Meltdown bug that affected Intel chips, which AMD was rather smug about.
But with this wave of uncovered bugs in a core part of AMD’s CPUs, the chipmaker is not likely to be full of smiles and is likely working at full-pelt to find mitigations before hackers pry the security holes open. µ