13 Security Vulnerabilities and Manufacturer Backdoors Exposed In AMD Ryzen Processors


(Updated) A self-proclaimed Israel-based security company called CTS-Labs has launched a website where it discusses a total of thirteen security vulnerabilities affecting AMD's "Zen" CPU microarchitecture. According to the researchers, these are on a level comparable to "Meltdown" and "Spectre" and could let attackers install malware on highly guarded portions of the processor.



The scope of the new vulnerabilities would be broad and diverse; the security audit revealed multiple critical security vulnerabilities and manufacturer backdoors in AMD’s latest EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile processors. According to the researchers, these vulnerabilities have the potential to put organizations at significantly increased risk of cyber-attacks.

The researchers apparently gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing this report.

CTS Labs has produced a white paper report further detailing these vulnerabilities, available at amdflaws.com. Honestly, with all the naming like amdflaws, Ryzenfall, etc., you'd figure a certain 'other' company would be behind CTS Labs, or this to be some #fakenews (which is very possible). While possible, that does seem very far-fetched, but the way information was managed and released is rather 'smelly'. The entire disclosure of all this content seems and feels like a marketing campaign, with a fresh YouTube video of a guy in front of a green screen with added backgrounds, the YT channel made just for this announcement, and the amdflaws website created only in late February. It all feels ... very weird. Also, according to security experts, CTS greatly exaggerates the impact of the vulnerabilities.

Anyway, we'll post and follow up, but please keep some skepticism in mind. The self-proclaimed researchers have now shared this information with AMD, Microsoft, HP, Dell, and select security companies so that they may work on developing mitigations and patches, and examine and research these and any other potential vulnerabilities at the company. The exploits involve all Zen-based architectures, so these include Ryzen, Threadripper, and EPYC as well. According to experts, firmware vulnerabilities such as MASTERKEY, RYZENFALL, and FALLOUT will take several months to fix. Hardware vulnerabilities such as CHIMERA cannot be fixed and require a workaround.

It is a lot to digest; you can check up on it all here, and we'll update this news item later on with more info. The thirteen exploits have been grouped into four segments.

  • Masterkey
  • Ryzenfall
  • Fallout
  • Chimera

Bothersome is the fact that several of the vulnerabilities are found in the secure part of the processors, typically where your device stores sensitive data like passwords and encryption keys. Let's run through them.

Master Key

Typically when a device starts up, it passes through a "Secure Boot." In this process, your processor is used to check that nothing on your computer has been tampered with, and only launches trusted programs. The Master Key vulnerability gets around this start-up check by installing malware on the computer's BIOS, part of the computer's system that controls how it starts up. Once it's infected, Master Key allows an attacker to install malware on the Secure Processor itself, meaning they would have complete control of what programs are allowed to run during the start-up process. From there, the vulnerability also allows attackers to disable security features on the processor.

Ryzenfall

AMD's Ryzen processors are the ones affected here specifically, potentially allowing malware to completely take over the secure processor, including access to protected data like encryption keys and passwords. These segments on the processor normally cannot be reached by a regular attacker, according to the researchers. If an attacker can bypass the Windows Defender Credential Guard, it would mean they could use the stolen data to spread across to other computers within that network. Credential Guard is a feature for Windows 10 Enterprise, which stores your sensitive data in a protected section of the operating system that normally can't be accessed. "The Windows Credentials Guard is very effective at protecting passwords on a machine and not allowing them to spread around," Luk-Zilberman said. "The attack makes spreading through the network much easier."

Fallout

Similar to Ryzenfall, Fallout will allow attackers to access protected data sections, including Credential Guard. But this vulnerability only affects devices using AMD's EPYC secure processor. These chips are used for data centers and cloud servers, connecting computers used by industries around the world. If an attacker used the vulnerabilities described in Fallout, they could use it to steal all the credentials stored and spread across the network.

"These network credentials are stored in a segregated virtual machine where it can't be accessed by standard hacking tools," said CTS-Labs CEO Ido Li On. "What happens with Fallout, is that this segregation between virtual machines is broken." Segregated virtual machines are portions of your computer's memory split off from the rest of the device. Researchers use it to test out malware without infecting the rest of their computer. Think of it like a virtual computer inside your computer. On Credential Guard, the sensitive data is stored there, and protected so that if your computer were infected with normal malware, it wouldn't be able to access it.

Chimera

Chimera, then: this exploit is based on two vulnerabilities, one residing in firmware and one in hardware. The Ryzen chipset itself allows malware to run on it. Because WiFi, network and Bluetooth traffic flows through the chipset, an attacker could use that to infect your device, the researchers said. In a proof-of-concept demonstration, the researchers said it was possible to install a keylogger through the chipset. Keyloggers would allow an attacker to see everything typed on an infected computer. The chipset's firmware issues mean that an attack can install malware onto the processor itself.

What now?

It's not known how long it will take to address and fix these issues, if some of them can be fixed at all. CTS-Labs said it hasn't heard back from AMD, but considering they gave AMD 24 hours to digest this all, that makes sense. The researchers said it could take several months to fix. Some of the exploits in hardware can't be fixed, they add.

We say testing & verification is required. Should you be worried? Well, from what we've read, all four levels of vulnerabilities require actual administrative access to your PC. This means you'd need to hand out full access to your PC; that would read as elevated privileges. And yeah, anything and anyone you hand out admin rights to would be at risk or compromised anyway.

At the time of writing, I (Hilbert) am looking at the vulnerability announcements with a healthy amount of skepticism, and so should you. I'd advise we all await what AMD has to say about this, once they have had a chance to digest all information and accusations.

There are many things that bother me:

  • The 24-hour disclosure, as opposed to the industry-standard 90/180 days, is just wrong.
  • Domain records for "amdflaws.com" were created on Feb 22, 2018.
  • Company is listed only since 2017; LinkedIn shows very poor company info.
  • Domain registered not directly but through "domainsbyproxy.com".
  • Domain is registered at GoDaddy, privately. No contact information of the domain is public.
  • Their official YouTube channel, with that video, was created in March this year. That would be the official company YT channel.
  • Video looks marketed, too well produced.
  • Names like Ryzenfall sound like somebody from marketing made them up?
  • Precisely 13 flaws? An unlucky number?
  • Whitepaper shows no specific technical detail.
  • Earlier today, when the news broke and info was released, I did some Google searches on CTS-Labs; it revealed very little for a proclaimed established security agency.
  • Parts of the www.cts-labs.com website are copied from public PDF documents.
  • As a security firm, the cts-labs website does not even have an SSL certificate active? Thus no https available as an option?
  • cts-labs does not disclose an address on its website.

All things combined raise so many red flags, and now we can also add this:

Currently, there is speculation that this information release is an attempt to manipulate the stock price of AMD. Short seller Viceroy Research would possibly play a role in this. That company published, relatively quickly after CTS, the claim that the 'revelations' would be the death blow for AMD. The timing of this is weird: hours after the info got out, they already had a 32-page document ready on this.

In the end, this all could be a hoax or plot to damage AMD or for self-benefit (manipulating stock exchange), and as more time passes it seems to be the case that all this is just that, a hoax to create some sort of effect. We'll have to wait and see what AMD makes of this and what their actions will be.

Initial AMD Statement

We've reached out to AMD for a statement; here is the latest updated reaction:

"We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops."

