TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II-III
Serial: TR-18-082-001
Countries: IN, CN
Report Date: 20180323

Critical Vulnerabilities found in AMD Processors

Security researchers have discovered 13 critical vulnerabilities, similar to Meltdown & Spectre, throughout AMD's Ryzen and EPYC lines of processors. These vulnerabilities could allow attackers to access sensitive data, install backdoors/malware and gain full access to compromised systems.

Impact

These identified, unpatched vulnerabilities defeat AMD's Secure Encrypted Virtualization (SEV) technology[1] and could allow attackers to bypass Microsoft Windows Credential Guard in order to steal network credentials. All of these vulnerabilities reside in the secure part of AMD's Zen architecture processors and chipsets, the area where the device stores sensitive information such as passwords and encryption keys. The vulnerabilities are categorized as RYZENFALL, FALLOUT, CHIMERA, and MASTERKEY, and they affect a wide range of workstations, servers and laptops.

Figure 1 – Affected categories

These vulnerabilities were successfully tested against 21 different AMD products, and researchers believe 11 more products are also vulnerable.

RYZENFALL

RYZENFALL flaws reside in the AMD Secure OS and affect Ryzen secure processors (workstation/pro/mobile).

Figure 2 – RYZENFALL Attack

According to researchers, RYZENFALL vulnerabilities allow unauthorized code execution on the Ryzen Secure Processor, letting attackers access protected memory regions, inject malware into the processor, and disable SMM[2] protections against unauthorized BIOS flashing.

Attackers could also use RYZENFALL to bypass Windows Credential Guard and steal network credentials.

FALLOUT

FALLOUT vulnerabilities reside in the bootloader component of an EPYC secure processor and allow attackers to read from and write to protected memory areas, such as SMRAM and Windows Credential Guard isolated memory. FALLOUT attacks only affect servers using AMD's EPYC secure processors, and they could be exploited to inject persistent malware into VTL1, where the Secure Kernel and Isolated User Mode (IUM) execute code. This vulnerability also allows attackers to bypass BIOS flashing protections.

CHIMERA

CHIMERA vulnerabilities are hidden manufacturer backdoors inside AMD's chipsets, which are an integral part of all Ryzen and Ryzen Pro workstations.

One backdoor has been implemented in firmware running on the chip, while the other is in the chip's hardware (ASIC); both allow attackers to run arbitrary code inside the AMD Ryzen chipset, or to re-flash the chip with persistent malware. Since WiFi, network, and Bluetooth traffic flows through the chipset, an attacker could exploit the chipset's man-in-the-middle position to launch sophisticated attacks against devices.

MASTERKEY

MASTERKEY vulnerabilities in EPYC and Ryzen (workstation/pro/mobile) processors could allow attackers to bypass hardware-validated boot to re-flash the BIOS with a malicious update and infiltrate the Secure Processor to achieve arbitrary code execution. MASTERKEY vulnerabilities allow attackers to disable security features such as the Firmware Trusted Platform Module (fTPM) and Secure Encrypted Virtualization (SEV). Proofs of concept (PoCs) for the vulnerabilities have also been presented.[3] A whitepaper on MASTERKEY has also been published and is available at: https://safefirmware.com/amdflaws_whitepaper.pdf

Mitigation and Prevention Strategies

AMD has acknowledged the vulnerabilities and published a press release at https://community.amd.com/community/amd-corporate/blog/2018/03/21/initial-amd-technical-assessment-of-cts-labs-research

There are currently no patches or mitigations available.[4] Our customers are advised to keep updated regarding AMD patches.

Wapack Labs will continue to collect and analyze information to further characterize these vulnerabilities. If you would like further information regarding this issue, or require additional support, please contact: feedback@wapacklabs.com


[1] https://developer.amd.com/amd-secure-memory-encryption-sme-amd-secure-encrypted-virtualization-sev/

[2] https://en.wikipedia.org/wiki/System_Management_Mode

[3] https://amdflaws.com/

[4] https://thehackernews.com/2018/03/amd-processor-vulnerabilities.html
