AMD Ryzen and Epyc platforms at risk: More than a dozen critical security flaws discovered

Shawn Knight

Shawn Knight

Posts: 15,646   +199
Staff member

Israeli-based security company CTS-Labs on Tuesday said it has discovered 13 critical security vulnerabilities and exploitable manufacturer backdoors impacting AMD’s latest Epyc, Ryzen, Ryzen Pro and Ryzen Mobile lines of processors.

CTS has classified the vulnerabilities, which it found over the course of a six-month investigation, into four categories they’re calling Ryzenfall, Masterkey, Fallout and Chimera.

Full details on each vulnerability can be found in CTS’ 20-page whitepaper (our brief summary can be read below, too). Fortunately, specific technical details that could be used to exploit the vulnerabilities have been omitted. It’s also worth noting that AMD has been made aware of the issues, as have “select security companies” that could help mitigate the fallout and US regulators.

An AMD spokesperson told CNET it is investigating the report, which they “just received.” According to the publication, CTS gave AMD less than 24 hours notice before going public with their findings. Standard practice in the industry is to give 90 days notice prior to publicly announcing a vulnerability. "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings," that's AMD's statement we received via email today.

The flaws, which impact the AMD Secure Processor, can reportedly allow an attacker to take control over Ryzen and Epyc processors as well as Ryzen chipsets. CTS also says a bad actor could infect chips with malware, steal credentials on high-security enterprise networks and cause physical damage to hardware, all while remaining virtually undetectable by most security solutions.

Who is the source?

While we await for AMD's official response on the reported flaws -- after all, they were barely given any notice -- and we can't comment on the merit of the actual flaws since the technical details have been purposely omitted for security reasons, we can mention the obvious: this all looks a bit too well coordinated.

Intel's now infamous Meltdown and Spectre CPU flaws were discovered by Google’s Project Zero team last year, and when the information leaked a tad early last January, Intel and many other parties involved had already months to prepare on how to inform the public and for the patching rollout. Whether they did a poor job or not, that's entirely a different conversation.

In this scenario, now hitting AMD CPUs exclusively (that we know so far), the source of the flaws is Israel-based CTS-Labs, a security firm formed in 2017. The company claims they've been investigating these AMD chip issues for six months, but their website went live in June 2017, so perhaps the sole purpose of this enterprise has been to look into AMD chip flaws that can stand next to Meltdown and Spectre. And who is to benefit from this? Surely the public and AMD customers, but there is another obvious answer to that question.

The informational website, AMDflaws.com, maintained by CTS-Labs, notes “this site is to inform the public about the vulnerabilities and call upon AMD and the security community to fix the vulnerable products,” however in the legal footnotes of the aforementioned whitepaper you will find a more telling remark: "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

A brief summary of the four flaws as discovered by CTS-Labs follows below.

Masterkey

Masterkey is a set of three vulnerabilities that collectively allow malicious actors to install malware inside the secure processor. From here, the researchers say malware could bypass secure boot and inject code directly into a computer’s BIOS or operating system and disable firmware-based security features within the secure processor like Secure Encrypted Virtualization (SEV) or Firmware Trusted Platform Module (fTPM).

Because most Epyc and Ryzen motherboards on the market use a BIOS from American Megatrends that allows reflashing from within the OS using a command-line utility, CTS says Masterkey can often be exploited remotely.

Ryzenfall

CTS describes the four Ryzenfall vulnerabilities as a set of design and implementation flaws within AMD Secure OS, the operating system in charge of the secure processor on Ryzen, Ryzen Pro and Ryzen Mobile chips. At their worse, Ryzenfall can be exploited by malware to allow for the secure processor to be completely taken over.

Ryzenfall can also be exploited to allow access to protected memory regions that are otherwise sealed off by hardware including Windows Isolated User Mode and Isolated Kernel Mode (VTL1), Secure Management RAM (SMRAM) and AMD Secure Processor Fenced DRAM. Breaking this “hardware security seal” could have multiple security implications, CTS says.

Fallout

The Fallout class is a set of three design-flaw vulnerabilities that CTS says are found inside the boot loader of Epyc’s secure processor. Like Ryzenfall, they can be exploited to allow access to Windows Isolated User Mode and Isolated Kernel Mode (VTL1) and Secure Management RAM (SMRAM), areas that should be completely inaccessible to user programs and kernel drivers running inside the operating system.

CTS says malicious hackers could exploit Fallout vulnerabilities to disable protections against unauthorized BIOS reflashing within system management mode, inject malware into VTL1 and bypass Microsoft Virtualization-based security, the latter of which could be used to steal network credentials – behavior CTS says is often a precursor to lateral network movement as part of a remote attack.

Chimera

Chimera is a class of vulnerabilities that encompass an “array of hidden manufacturer backdoors” within AMD’s Promontory chipsets, a key part of all Ryzen and Ryzen Pro workstations.

Specifically, there are two sets of backdoors – one that is implemented within firmware running on the chip and another inside the chip’s ASIC hardware. Since the latter has been manufactured into the chip, CTS concedes that it may not be possible to fix it, adding that AMD may have to resort to a recall or some other sort of workaround.

A system’s chipset is connected to all sorts of functionality and features, from USB, SATA and PCIe ports to a computer’s Wi-Fi, LAN and Bluetooth systems. As such, running malware here could have numerous consequences on a system’s security.

In testing, CTS claims it has been able to execute its own code within the chipset and leverage the Direct Memory Access (DMA) engine to manipulate the operating system running on the main processor. Given additional time to investigate the matter, CTS believes it may also be possible for a hacker to install a key logger, leverage the chipset for a man-in-the-middle attack and access protected memory areas. The latter has been verified to work on a small collection of desktop motherboards, CTS says.

Permalink to story.

https://www.techspot.com/news/73692-amd-ryzen-epyc-platforms-risk-more-than-dozen.html

 
Googled it. It looks fishy. Pretty slides, preped by pros, that warn You of ever using AMD products. And this 24hour grace period, instead of 90days. For me it looks more like a smear campaign from a big competitor that might itself have been recently hit by accusations of negligence toward its consumers.
 
  • Like
Reactions: Impudicus, orondf, Amet Monegro and 11 others
So this is directly from the "AMDFLAWS.com" web site, made by CTS-Labs in the last day or so, which is highly suspect to say the least:

"Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

Then there is the fact that lots of the flaws in the report can only happen if someone is locally at the computer with a ryzen chip. AKA- you have to be sitting right at the computer, you can not remotely exploit these flaws.

This along with the 24hrs notice vs. 90days, the fact that CTS-Labs didn't seem to exist until a few days ago and all the other oddities make me think this is highly suspect.

I mean, they used domainsbyproxy.com to register the site! You only do this because you don't want anybody knowing who you are, and not always for legit reasons. If you're CTS-Labs, and into providing security solutions for real, why use such a registry?

One problem with these kinds of reports is that nobody is doing good journalism anymore in the sense that sources are not checked BEFORE posting the report. Everything is just re-posted without asking questions first. This could effect a bunch of people losing their jobs at AMD and possibly for no real good reason.

24hrs is highly irresponsible for CTS-Labs. 90days is the minimum. Meltdown and similar issues were known by google for nearly half a year before reports were made. Even if CTS-Labs was legit, and the report well done, this 24hr notice alone is very troubling and suspect.

Some journalist is probably going to do the real work though and track down who CTS-Labs really is and find the story within this flaky story. I suspect it's very interesting.
 
Last edited:
  • Like
Reactions: Impudicus, orondf, Amet Monegro and 7 others
Been reading about this on multiple forums and it seems prety sketchy whats happening here. Multiple theories which make Intel (or someone else who wants AMD out of the market) a plausible instigator of all this.

Whatever the intentions though, if the vulnerabilities turn out to be real then theyve done us all a favour by finding them, but at the same time, a huge disfavour by releasing them for exploitation before AMD or whoever can make fixes/patches..
 
  • Like
Reactions: drjekelmrhyde and meric
Our latest revision of this story is now online, we did incorporate some of your concerns in our write up...
 
  • Like
Reactions: Puiu
https://www.anandtech.com/show/12525/security-researchers-publish-ryzen-flaws-gave-amd-24-hours-to-respond said:
At this point AMD has not confirmed any of the issues brought forth in the CTS-Labs whitepaper, so we cannot confirm in the findings are accurate. It has been brought to our attention that some press were pre-briefed on the issue, perhaps before AMD was notified, and that the website that CTS-Labs has setup for the issue was registered on February 22nd, several weeks ago. Given the level of graphics on the site, it does look like a planned ‘announcement’ has been in the works for a little while, seemingly with little regard for AMD’s response on the issue. This is compared to Meltdown and Spectre, which was shared among the affected companies several months before a planned public disclosure. CTS-Labs has also hired a PR firm to deal with incoming requests for information, which is also an interesting avenue to the story, as this is normally not the route these security companies take. CTS-Labs is a security focused research firm, but does not disclose its customers or research leading to this disclosure. CTS-Labs was started in 2017, and this is their first public report.

...

CTS-Labs is very forthright with its statement, having seemingly pre-briefed some press at the same time it was notifying AMD, and directs questions to its PR firm. The full whitepaper can be seen here, at safefirmware.com, a website registered on 6/9 with no home page and seemingly no link to CTS-Labs. Something doesn't quite add up here.
Click to expand...

CTS Labs, a security consultancy, don't even have HTTPS set up on their main site
Click to expand...

https://twitter.com/cynicalsecurity/status/973599549745979392

Yeah, there are no contact details, and the whois page is also fishy.
I suspect that this "consultancy" could be some unscrupulous firm thrown a few dollars by Intel.
The page only just appeared, too. There was no record of it before January on the wayback machine in its current state. Before that it was just a landing page.
Click to expand...

I love that one of the exploits requires a BIOS reflash, which for me is beyond even physical access in the realm of "if you can do this, can't you do whatever you want already?"
Click to expand...
 
  • Like
Reactions: NoBsPls
ZackL04 said:
Lol, I knew Intel wasnt the only one
Click to expand...
We already knew that AMD had some of their own flaws (there are plenty of whitepapers), it's normal. it would have been really weird to not find some in a completely new architecture.

But these ones look really shady. I'll wait for confirmation from third party investigators.
 
The problem is tech smart people (like the ones who read Techspot) suspect this is a smear campaign, but the general public will just see some headline on CNN or BBC about AMD flaws and believe it 100%. Even if these flaws are (likely) proven to be false, unless the news has a major headline about CTS making false accusations to affect the market, the damage will be done.
 
  • Like
Reactions: senketsu, Jamlad, Puiu and 1 other person
It is good that this company investigate amd security flaws, but giving so little time is bad for millions of users. Is like they are working for the people that use this flaws for bad reasons. If they work for intel they are agains the users.
 
This is insane at the moment, released just before Zen+ release no time to respond.

Things are getting real dirty in the CPU realm....... in saying that seems weird Intel would pay for this with all the latest partnerships they have had with AMD but it is a dirty business.
 
  • Like
Reactions: Amet Monegro, NoBsPls and regiq
I read the thing looking for any actual CVEs and the entire thing looks like a hatchet job designed to scare institutional investors away from AMD. Lots of bright, pretty graphics and scary sounding phrases, but no proof of concepts, actual expoits, or anything more than 'if yuo load code in the ring 0 management engine, bad things could happen!!!11!'. Which, to be fair, is true, but also completely retarded to list as an exploit/risk.
Click to expand...

https://imgur.com/OkWlIxA
 
  • Like
Reactions: seeprime
You must log in or register to reply here.

Similar threads

S
AMD confirms microcode vulnerability revealed in beta BIOS update
Replies
12
Views
462
ZedRM
ZedRM
S
AMD unveils 2nm Epyc Venice with 256 cores for next-gen AI and cloud workloads
Replies
6
Views
47
BadThad
BadThad
D
AMD unveils Ryzen AI Z2 Extreme and Z2 A chips powering Xbox gaming handhelds
Replies
11
Views
111
RaXelliX
R

Latest posts

Back