AMD Chip Vulnerabilities to be Addressed Through BIOS Updates – No Performance Impact Expected

After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) on Tuesday said patches are coming to address several security flaws in its chips.

In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

AMD attempted to downplay the risks, saying that any attacker gaining administrative access could have a wide range of attacks at their disposal “well beyond the exploits identified in this research.”

“Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues,” the notice continued.

“Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers,” Trail of Bits added.

Check Point has also confirmed two of the RYZENFALL vulnerabilities following its own review.

“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” AMD stated last week.

Some have compared the recent AMD vulnerabilities to Meltdown and Spectre, which impact CPUs from Intel, AMD, ARM and others. However, some argued that the issues disclosed by CTS Labs are nowhere near as severe due to the fact that they mostly impact AMD’s Secure Processor technology rather than the hardware itself.

Company asking for investigation of unusual stock trading
All potential exploits to be fixed with software within weeks

Advanced Micro Devices Inc., Intel Corp.’s main rival in computer microprocessors, said a report earlier this month alleging that its chips have widespread, fundamental vulnerabilities greatly exaggerated the severity of the threat.

There are 13 potential exploits that will be fixed within weeks through software updates, the chipmaker said Tuesday in a statement. There’s no evidence that of any of those holes has been used for malevolent purposes, and it would be extremely difficult to use any of them to attack computers, the Sunnyvale, California-based company said. AMD saw reports of unusual trading activity in its stock about a week ago when an Israeli company called CTS Labs went public with a report on the flaws and has reported it to the relevant authorities.

Another cybersecurity firm has independently confirmed some of the AMD processor vulnerabilities discovered by Israel-based CTS Labs, but the controversial disclosure has not had a significant impact on the value of the chip giant’s stock.

CTS Labs last week published a brief description of 13 allegedly critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The company says the flaws can be exploited for arbitrary code execution, bypassing security features (e.g. Windows Defender Credential Guard, Secure Boot), stealing data, helping malware become resilient against security products, and damaging hardware.

The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges to the targeted machine — physical access is not required. The security firm will not disclose technical details any time soon in order to prevent abuse.

CTS Labs, which no one heard of until last week, came under fire shortly after its disclosure for giving AMD only a 24-hour notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method.

Trail of Bits was the first to independently review the findings. The company, which has been paid for its services, has confirmed that the proof-of-concept (PoC) exploits developed by CTS Labs work as intended, but believes that there is “no immediate risk of exploitation of these vulnerabilities for most users.”

“Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers,” Trail of Bits said in a blog post.

“In our opinion the original CTS Labs report might have been problematically phrased in a way that misrepresented the threat model and impact that the RYZENFALL-1 and RYZENFALL-3 vulnerabilities present,” Check Point said in a blog post. “However, problematic phrasing aside, after inspecting the technical details of the above, we can indeed verify that these are valid vulnerabilities and the risks they pose should be taken under consideration.”

“AMD Flaws” Technical Summary
https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/

Technical Summary

The security architecture of modern computer systems is based on a defense in depth. Security features like Windows Credential Guard, TPMs, and virtualization can be used to prevent access to sensitive data from even an administrator or root.

The AMD Platform Security Processor (PSP) is a security coprocessor that resides inside AMD CPUs and is implemented as a separate ARM CPU. It is similar to Intel ME or the Apple Secure Enclave. It runs applications that provide security features like the TPM or Secure Encrypted Virtualization. The PSP has privileged access to the lowest level of the computer system.

The PSP firmware can be updated through a BIOS update, but it must be cryptographically signed by AMD. Physical access is usually not required to update the BIOS and this can be done with administrator access to the computer. The MASTERKEY vulnerability bypasses the PSP signature checks to update the PSP with the attacker’s firmware. Cfir Cohen on the Google Cloud Security Team discovered a similar issue in an adjacent area of the AMD PSP in September 2017.

The PSP also exposes an API to the host computer. The FALLOUT and RYZENFALL vulnerabilities exploit the PSP APIs to gain code execution in the PSP or the SMM.

The “chipset” is a component on the motherboard used to broker communication between the processor, memory, and peripherals. The chipset has full access to the system memory and devices. The CHIMERA vulnerability abuses exposed interfaces of the AMD Promontory chipset to gain code execution in the chipset processor.

Exploitation requirements

All exploits require the ability to run an executable as admin (no physical access is required)
MASTERKEY additionally requires issuing a BIOS update + reboot

As a result of massive backlash from the industry, Israel-based security firm CTS Labs has provided some clarifications about the recently disclosed AMD processor vulnerabilities and its disclosure method.

CTS Labs this week published a report providing a brief description of 13 critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The flaws can allegedly be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware.

The vulnerabilities affect AMD’s Secure Processor, an environment where critical tasks are executed in order to secure the storage and processing of sensitive data and applications. The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges to the targeted machine.

AMD was only notified 24 hours before the vulnerabilities were disclosed, but no technical details have been published in order to prevent exploitation for malicious purposes.

CTS Labs was only launched recently and its founders’ work experience has raised some questions. This, combined with the lack of technical details in the report has made many people doubt that the vulnerabilities exist or that they are as critical as the company claims.

However, Dan Guido, CEO of Trail of Bits, and Alex Ionescu, a reputable researcher and Windows security expert, have confirmed CTS Labs’ findings after reviewing technical information provided by the company. Guido was paid to review the work, but Ionescu said he wasn’t.

CTS Labs has come under fire for not giving AMD time to release patches before its disclosure. A

In response to criticism, CTS Labs CTO Ilia Luk-Zilberman argued that the company’s approach to “responsible disclosure” is more beneficial for the public.

Luk-Zilberman admitted that CTS should have asked several third-parties to confirm its findings before going public in order to convince everyone that their claims are true.

While the CTO’s argument might make sense, many members of the industry are not convinced, particularly due to CTS’s disclaimer claiming that it may have, “either directly or indirectly, an economic interest in the performance of the securities [of AMD].” There is also the report from Viceroy, which attempts to persuade that “AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries.”

In an update posted on its AMDflaws.com website, CTS claimed that exploitation of the vulnerabilities does not require physical access; executing a file with local admin privileges on the targeted machine is enough.

https://amdflaws.com/