Researchers claim AMD's Ryzen, Epyc security co-processor and chipset have major flaws
- 14 March, 2018 09:29
A little-known security firm claims that AMD's Ryzen and Epyc architectures are subject to major exploitable flaws. AMD said it hasn't had time to confirm or deny the claims.
Researchers say they’ve discovered serious potential vulnerabilities within AMD’s Ryzen and Epyc chip architectures. AMD said it’s taking the reports seriously, though it wasn’t provided sufficient time to investigate or confirm them before their disclosure.
CTS-Labs, a security research company which says it specializes in vulnerabilities within ASICs and other chips, has said it’s discovered four potential attacks, code-named Masterkey, Ryzenfall, Fallout, and Chimera. All would require a program running with local access and administrator privileges to exploit them.
AMD confirmed it’s been made aware of the potential vulnerabilities. However, the statement AMD provided to PCWorld implied that the company wasn’t given the usual amount of time to investigate the vulnerabilities internally, which is typically about 90 days.
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise,” AMD’s statement said. “We are investigating this report, which we just received, to understand the methodology and merit of the findings.”
It’s important to note that these claimed vulnerabilities remain unconfirmed, though they’re potentially serious. CTS-Labs claims it's been able to exploit the vulnerabilities it found on several Ryzen chips, but no potential attack has been seen in the wild. Expect more follow-ups in the days ahead.
What are Ryzenfall, Masterkey, Fallout, and Chimera?
Hardware vulnerabilities have come to the forefront with the rise of Spectre and Meltdown, which attack the speculative execution processes used by Intel and other vendors. AMD and ARM are also potentially affected by Spectre and Meltdown, though Intel has been the public face of both vulnerabilities.
The four new AMD-specific vulnerabilities largely attack the AMD Secure Processor, logic which creates a protected environment for executing sensitive tasks. In a whitepaper, CTS-Labs criticized the processor as a “black box” that remains poorly understood. The whitepaper painted AMD as irresponsible, claiming that the Ryzen and Ryzen Pro chipsets “could not have passed even the most rudimentary white-box security review.” It also urged the security community to study the effects on mission-critical systems “that could potentially put lives at risk.”
According to CTS-Labs, there are three derivatives of Masterkey, all of which have been proven on Epyc and Ryzen. There are four derivatives of Ryzenfall, three of Fallout, and two Chimera attacks. Ryzenfall and Fallout have been tested on Ryzen, Ryzen Pro, and Epyc; Ryzen Mobile chips are not affected. Chimera has been tested on Ryzen and Ryzen Pro, CTS-Labs claimed.
Masterkey, according to CTS-Labs, allows the injection of persistent malware into the Secure Processor, among other attacks. Ryzenfall threatens the secure OS running on top of the Secure Processor, potentially bypassing virtualization and injecting malware. It allows an attacker to break into the “fenced DRAM” the OS creates.
Fallout exposes the bootloader within the Epyc Secure Processor, allowing access to protected memory regions, CTS-Labs claims. Finally, the firm claimed the Chimera attack could access “an array of hidden manufacturer backdoors” inside AMD’s Promontory chipsets. CTS-Labs blamed ASMedia, a third-party chipmaker that supplied the USB host controller and SATA controller within AMD’s Ryzen chipset, for these vulnerabilities, which were then introduced into the Ryzen chipsets.
CTS-Labs is not the only security organization to discover an issue with AMD’s Secure Processor. Last September, Google researchers found and reported a stack overflow vulnerability, which AMD said it patched. AMD’s BIOS now allows users to disable PSP support. PSP, or the Platform Security Processor, is the former name of AMD’s Secure Processor.
This article first appeared on PC World (US)