Close on the heels on AMD’s Pinnacle Ridge launch, an Israel-based security firm CTS Labs, on Tuesday published a whitepaper detailing four classes of flaws in AMD’s CPU lineup. The firm claims that these flaws are at the same level as the Meltdown and Spectre flaws that were revealed earlier this year. In all, there are reportedly 13 flaws that affect AMD’s Ryzen, EPYC, Ryzen Pro and Ryzen Mobile lineup of CPUs. A key observation was that the firm only gave AMD a 24-hour notice. Standard vulnerability disclosure in the security domain is issued for a minimum of 90-days. CTS Labs did not provide any reasons for the reduced notice period.
Given the reduced notice period, all that we got from AMD is as follows:
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.”
AMD also has put up a post on their website as of now stating the following:
“We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops.”
CTS Labs’ whitepaper
The categories for the flaws are named MasterKey, Chimera, Ryzenfall and Fallout. It would appear that security firms have developed a taste for picking overwhelming titles for maximum effect. Let’s take a look at these flaws.
There are three exploits within this category labelled Masterkey 1, 2 and 3. MasterKey allows for any arbitrary code to be executed within the secure processor of the CPU. The exploit relies on bypassing AMD’s Hardware Validated Boot to allow the attacker to gain control over the system and disable security features such as Firmware Trusted Platform Module and Secure Encrypted Virtualization.
It should be noted that in order to execute this exploit, the attacker has to gain physical access to the system in order to re-flash the motherboard BIOS. Newer motherboards also allow remote flashing so physical access is not always necessary. Also, if an attacker does gain physical or remote access to a system, then the CPU hardly matters.
MasterKey has been successfully demonstrated on EPYC and Ryzen CPUs. CTS Labs claims that Ryzen Pro and Ryzen Mobile might also be vulnerable based on their observations of the code across the entire lineup.
Chimera revolves around the motherboard chipset or the Promontory Chipset. The Promontory chipset controls peripherals connected to the system such as the USB ports, SATA ports, etc. Chimera is made possible because certain portions of the promontory chipset’s design are based on an older ASMedia chipset and this flaw has basically trickled down to the current AMD Promontory chipsets.
A successful exploit will allow malware to be installed onto the system via anything controlled by the Promontory chipset. So if you were to plug in a USB flash drive with the payload, then you can gain access to the system.
In the Whitepaper, CTS Labs mentions that they achieved this by gaining ‘Elevated Administrator Privileges’. Again, the demonstration relies on an already compromised system. This is the same as giving someone admin access to your computer just so they can install a key-logger on the system.
This exploit pertains to the Secure Processor on the chip. Ryzenfall allows the attacker to access protected memory regions such as Windows Isolated User Mode, Secure Management RAM, AMD Secure Processor Fenced DRAM and Isolated Kernel Mode.
Ryzenfall was demonstrated in a similar was as Chimera after gaining elevated administrator privileges and a vendor supplied driver on the target computer. Ryzenfall only affects Ryzen CPUs with certain variants not affecting Ryzen Pro and Ryzen Mobile. EPYC processors remain safe.
Fallout is the same as Ryzenfall but it only affects EPYC CPUs. Like Ryzenfall, Fallout requires elevated administrator privileges and a vendor signed driver. When executed, it too allows access to protected memory regions of the CPU. However, these flaws are based in a different category because they can also bypass Microsoft Virtualization based security.
Who are CTS Labs
Much is being spoken about the fledgling security firm which was only registered about eight months ago on 25th June 2017. Even their website seems to have been registered on 22nd February 2018.
They also have a disclaimer in which two statements stand out from the rest.
1.“Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have either directly or indirectly, an economic interest in the performance of securities of the companies whose products are the subjects of our reports.”
2. “The reports and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable.”
It appears that most security researchers do not know about this new security firm, including AMD. However, this should not discredit their findings. We will know more about these flaws as more security firms investigate their claims.
All aboard the hype train
All the flaws mentioned in the CTS Labs whitepaper require physical access or elevated administrator privileges to be granted in order to be effective. This effectively makes the vulnerabilities second stage vulnerabilities. However, the language used in the whitepaper is severely hyped. The same can be said of the ways the vulnerabilities have been named.
As of now, there is no information whatsoever on whether patches will be issued to mitigate these flaws. A 1-day notice in the world of security is quite unethical since both hardware and software companies cannot investigate and prepare patches. Since these flaws rely on elevated administrator privileges, you should have no reason to worry in the short term.