Chip maker AMD acknowledges it is looking into critical vulnerabilities and an exploitable backdoor in its latest line of processors after an Israel-based security firm ambushed the company with a report this week detailing more than a dozen serious security holes in its products.
The report and accompanying website—which went public on Tuesday–said the vulnerabilities affect AMD’s latest EPYC, Ryzen, Ryzen Pro and Ryzen Mobile lines of processors and “have the potential to put organizations at significantly increased risk of cyber-attacks,” potentially affecting anyone using a desktop, laptop or mobile device running these processors.
CTS-Labs said it privately shared the information with AMD, regulators in the United States and select security companies—including Microsoft, Dell, HP and Symantec–that can potentially develop software fixes. The company did not publish technical details that could be used to reproduce the vulnerabilities, for obvious reasons.
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise,” the company said in a statement sent to Security Ledger. “We are investigating this report, which we just received, to understand the methodology and merit of the findings.”
The company declined to provide further comment or details.
Four key variants of vulnerability
CTS-Labs researchers broke down their findings into four key variants—dubbed Ryzenfall, Masterkey, Fallout and Chimera. The first three target the AMD Secure Processor—a security gatekeeper and integral part of most of AMD’s products where devices store sensitive data including passwords and encryption keys.
Vulnerabilities in this component could allow hackers to “permanently install malicious code inside the Secure Processor itself and expose AMD customers to industrial espionage that is virtually undetectable by most security solutions,” researchers said.
Another set of vulnerabilities in the Secure Processor leaves devices open for attackers to steal network credentials and infiltrate otherwise secure data corporate networks, researchers said. This is true even for systems protected by Microsoft’s latest Credential Guard technology, a specific Windows feature that aims to isolate and harden key system and user secrets against against such compromise.
The fourth vulnerability—Chimera–targets the Ryzen processor in a particularly hostile way. Chimera can create a backdoor that exploits a vulnerability actually built into a chipset from the Taiwanese firm ASMedia that AMD uses in Ryzen to manage operation of peripherals, researchers said. The chipset is a central component on the motherboard, responsible for linking the Ryzen processor with hardware devices such as such as WiFi and network cards.
Exploiting Chimera, a hacker could gain administrative privileges on a machine and plant malware in obscure peripheral chips, potentially using them to read the computer’s memory or network data, researchers said. Moreover, because the backdoor is a fundamental flaw in the design of the ASMedia chipset, it can’t be fixed with a mere patch.
Overall, the report is a damning assessment of AMD’s security practices–or lack thereof–and researchers minced no words about what they think about how the company is handling the security of its processors.
“The vulnerabilities we have discovered allow bad actors who infiltrated the network to persist in it, surviving computer reboots and reinstallations of the operating system, while remaining virtually undetectable by most endpoint security solutions,” they concluded. “In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles.”
Detailed report, full disclosure
Yaron Luk, co-founder of CTS-Labs, told Security Ledger that he’s proud of his team and the work they’ve done to identify critical flaws in processors that could put millions of consumers at risk. He also spoke to the validity of the serious claims researchers are making, about which some security researchers have doubts.
“We verified results carefully both internally and with a third-party validator, Trail of Bits,” before delivering a full technical description and proof of concept (PoC) of the vulnerabilities to select security companies, Luk said. “We are looking forward to AMD’s response to our findings,” he added.
Gadi Evron, founder and CEO of Israel-based security company Cymmetria, corroborated the validity of the report on his Facebook page, saying that he knows Luk and his fellow researchers and vouches for their technical capabilities, though he is not affiliated with their company.
“First, http://AMDflaws.com‘s findings are real,” he said. “I can confirm they have a PoC on everything. More specifically: 1. All vulnerabilities do not require physical access (need ability to run exe as admin) [and] 2. Fallout does not require reflash of the BIOS, you can just run it.”
[You might also like: Researchers Warn of Physics-Based Attacks on Sensors]
The reason for ambushing AMD with such a comprehensive report stems from the company’s belief in what they call “Public Interest Disclosure,” Evron said. In this type of disclosure, once researchers find a vulnerability, they disclose the impact to the public and only send technical details to the vendor and/or security companies that can help with mitigation, he said.
“Their philosophy?” he wrote. “The company believes the public has a right to know if a vendor they are using makes them vulnerable.”
However, one security expert told us he doesn’t think CTS-Labs did its credibility a service to basically ambush AMD with its findings the way it did.
“The disclosure process, including the timeline and manner of display, is questionable and doesn’t benefit a product user or the community of security researchers,” said Kasper Lindgaard, Senior Director of Research and Security at Flexera. “This can easily result in a higher backlash towards the researchers, instead of the vendor.”
That said, Lindgaard still believes AMD should take the disclosure of vulnerabilities seriously and take the necessary steps to remedy the situation and keep customers well informed.
“They should investigate potential fixes and mitigations; review design choices and processes; examine further detection capabilities to limit potential fallout should vulnerabilities come to pass; and communicate honestly with the customer base and public,” he said.
(*)Updated with new comments from Kasper Lindgaard regarding the nature of the vulnerabilities disclosure EAM 3/20/18