1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.

AMD Ryzen and EPYC platforms at risk: More than a dozen critical security flaws discovered

By Shawn Knight · 69 replies
Mar 13, 2018
  1. Israel-based security company CTS-Labs on Tuesday said it has discovered 13 critical security vulnerabilities and exploitable manufacturer backdoors impacting AMD’s latest EPYC, Ryzen, Ryzen Pro and Ryzen Mobile lines of processors.

    CTS has classified the vulnerabilities, which it found over the course of a six-month investigation, into four categories they’re calling Ryzenfall, Masterkey, Fallout and Chimera.

    Full details on each vulnerability can be found in CTS’ 20-page whitepaper (our brief summary can be read below, too). Fortunately, specific technical details that could be used to exploit the vulnerabilities have been omitted. It’s also worth noting that AMD has been made aware of the issues, as have US regulators and “select security companies” that could help mitigate the fallout.

    An AMD spokesperson told CNET it is investigating the report, which they “just received.” According to the publication, CTS gave AMD less than 24 hours' notice before going public with their findings. Standard practice in the industry is to give 90 days' notice prior to publicly announcing a vulnerability. In a statement we received via email today, AMD said: "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings."

    The flaws, which impact the AMD Secure Processor, can reportedly allow an attacker to take control over Ryzen and EPYC processors as well as Ryzen chipsets. CTS also says a bad actor could infect chips with malware, steal credentials on high-security enterprise networks and cause physical damage to hardware, all while remaining virtually undetectable by most security solutions.

    Who is the source?

    While we await AMD's official response on the reported flaws -- after all, they were barely given any notice -- and can't comment on the merit of the actual flaws since the technical details have been purposely omitted for security reasons, we can mention the obvious: this all looks a bit too well coordinated.

    Intel's now infamous Meltdown and Spectre CPU flaws were discovered by Google’s Project Zero team last year, and when the information leaked a tad early last January, Intel and many other parties involved had already had months to prepare how to inform the public and roll out patches. Whether they did a poor job or not is an entirely different conversation.

    In this scenario, now hitting AMD CPUs exclusively (as far as we know), the source of the flaws is Israel-based CTS-Labs, a security firm formed in 2017. The company claims they've been investigating these AMD chip issues for six months, but their website went live in June 2017, so perhaps the sole purpose of this enterprise has been to look into AMD chip flaws that can stand next to Meltdown and Spectre. And who is to benefit from this? Surely the public and AMD customers, but there is another obvious answer to that question.

    The informational website, AMDflaws.com, maintained by CTS-Labs, notes “this site is to inform the public about the vulnerabilities and call upon AMD and the security community to fix the vulnerable products,” however in the legal footnotes of the aforementioned whitepaper you will find a more telling remark: "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

    A brief summary of the four flaws as discovered by CTS-Labs follows below.

    Masterkey

    Masterkey is a set of three vulnerabilities that collectively allow malicious actors to install malware inside the secure processor. From here, the researchers say malware could bypass secure boot and inject code directly into a computer’s BIOS or operating system and disable firmware-based security features within the secure processor like Secure Encrypted Virtualization (SEV) or Firmware Trusted Platform Module (fTPM).

    Because most EPYC and Ryzen motherboards on the market use a BIOS from American Megatrends that allows reflashing from within the OS using a command-line utility, CTS says Masterkey can often be exploited remotely.

    Ryzenfall

    CTS describes the four Ryzenfall vulnerabilities as a set of design and implementation flaws within AMD Secure OS, the operating system in charge of the secure processor on Ryzen, Ryzen Pro and Ryzen Mobile chips. At their worst, Ryzenfall can be exploited by malware to allow for the secure processor to be completely taken over.

    Ryzenfall can also be exploited to allow access to protected memory regions that are otherwise sealed off by hardware including Windows Isolated User Mode and Isolated Kernel Mode (VTL1), Secure Management RAM (SMRAM) and AMD Secure Processor Fenced DRAM. Breaking this “hardware security seal” could have multiple security implications, CTS says.

    Fallout

    The Fallout class is a set of three design-flaw vulnerabilities that CTS says are found inside the boot loader of EPYC’s secure processor. Like Ryzenfall, they can be exploited to allow access to Windows Isolated User Mode and Isolated Kernel Mode (VTL1) and Secure Management RAM (SMRAM), areas that should be completely inaccessible to user programs and kernel drivers running inside the operating system.

    CTS says malicious hackers could exploit Fallout vulnerabilities to disable protections against unauthorized BIOS reflashing within system management mode, inject malware into VTL1 and bypass Microsoft Virtualization-based security, the latter of which could be used to steal network credentials – behavior CTS says is often a precursor to lateral network movement as part of a remote attack.

    Chimera

    Chimera is a class of vulnerabilities that encompasses an “array of hidden manufacturer backdoors” within AMD’s Promontory chipsets, a key part of all Ryzen and Ryzen Pro workstations.

    Specifically, there are two sets of backdoors – one that is implemented within firmware running on the chip and another inside the chip’s ASIC hardware. Since the latter has been manufactured into the chip, CTS concedes that it may not be possible to fix it, adding that AMD may have to resort to a recall or some other sort of workaround.

    A system’s chipset is connected to all sorts of functionality and features, from USB, SATA and PCIe ports to a computer’s Wi-Fi, LAN and Bluetooth systems. As such, running malware here could have numerous consequences on a system’s security.

    In testing, CTS claims it has been able to execute its own code within the chipset and leverage the Direct Memory Access (DMA) engine to manipulate the operating system running on the main processor. Given additional time to investigate the matter, CTS believes it may also be possible for a hacker to install a key logger, leverage the chipset for a man-in-the-middle attack and access protected memory areas. The latter has been verified to work on a small collection of desktop motherboards, CTS says.


     
    Last edited by a moderator: Mar 13, 2018
  2. atari1980

    atari1980 TS Rookie

    Let me guess: CTS-Labs is/was financed by intel? :p
     
  3. Cycloid Torus

    Cycloid Torus Stone age computing. Posts: 3,555   +947

    Did CTS handle this properly? Looks rather like a marketing event to me.
     
  4. noel24

    noel24 TS Evangelist Posts: 418   +296

    Googled it. It looks fishy. Pretty slides, prepped by pros, that warn you of ever using AMD products. And this 24-hour grace period, instead of 90 days. For me it looks more like a smear campaign from a big competitor that might itself have been recently hit by accusations of negligence toward its consumers.
     
  5. gpdx1

    gpdx1 TS Rookie

    So this is directly from the "AMDFLAWS.com" web site, made by CTS-Labs in the last day or so, which is highly suspect to say the least:

    "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

    Then there is the fact that lots of the flaws in the report can only happen if someone is locally at the computer with a Ryzen chip. AKA: you have to be sitting right at the computer, you cannot remotely exploit these flaws.

    This along with the 24hrs notice vs. 90 days, the fact that CTS-Labs didn't seem to exist until a few days ago and all the other oddities make me think this is highly suspect.

    I mean, they used domainsbyproxy.com to register the site! You only do this because you don't want anybody knowing who you are, and not always for legit reasons. If you're CTS-Labs, and into providing security solutions for real, why use such a registry?

    One problem with these kinds of reports is that nobody is doing good journalism anymore in the sense that sources are not checked BEFORE posting the report. Everything is just re-posted without asking questions first. This could effect a bunch of people losing their jobs at AMD and possibly for no real good reason.

    24hrs is highly irresponsible for CTS-Labs. 90 days is the minimum. Meltdown and similar issues were known by Google for nearly half a year before reports were made. Even if CTS-Labs was legit, and the report well done, this 24hr notice alone is very troubling and suspect.

    Some journalist is probably going to do the real work though and track down who CTS-Labs really is and find the story within this flaky story. I suspect it's very interesting.
     
    Last edited: Mar 13, 2018
  6. Kenrick

    Kenrick TS Evangelist Posts: 629   +403

    Popcorn anyone
     
  7. Burty117

    Burty117 TechSpot Chancellor Posts: 3,322   +1,094

    Yeah, this looks shady. I'll wait for a response from AMD or another third party to chime in on the flaws.
     
    drjekelmrhyde likes this.
  8. seeprime

    seeprime TS Maniac Posts: 238   +222

    Maybe a Cyrix 300 is more secure these days.
     
    Amet Monegro and Julio Franco like this.
  9. Avenger001

    Avenger001 TS Booster Posts: 46   +37

    Going to wait until AMD confirms this
     
  10. pawel04

    pawel04 TS Booster Posts: 73   +89

    Been reading about this on multiple forums and it seems pretty sketchy what's happening here. Multiple theories which make Intel (or someone else who wants AMD out of the market) a plausible instigator of all this.

    Whatever the intentions though, if the vulnerabilities turn out to be real then they've done us all a favour by finding them, but at the same time, a huge disfavour by releasing them for exploitation before AMD or whoever can make fixes/patches.
     
    drjekelmrhyde and meric like this.
  11. davislane1

    davislane1 TS Grand Inquisitor Posts: 5,222   +4,354

    Amdflaws.com --> fully functional website

    intelflaws.com --> domain for sale

    nvidiaflaws.com --> returns 404

    I'm sure Dyson had nothing to do with this video at all.
     
    Impudicus, JaredTheDragon and meric like this.
  12. Julio Franco

    Julio Franco TechSpot Editor Posts: 7,945   +1,128

    Our latest revision of this story is now online, we did incorporate some of your concerns in our write up...
     
    Puiu likes this.
  13. ZackL04

    ZackL04 TS Maniac Posts: 386   +187

    Lol, I knew Intel wasn't the only one
     
  14. Kotters

    Kotters TS Maniac Posts: 328   +222

    https://twitter.com/cynicalsecurity/status/973599549745979392

     
  15. meric

    meric TS Addict Posts: 143   +69

    This CTS Labs or whatever they are called is another reason for why my next system will definitely be AMD
     
  16. regiq

    regiq TS Addict Posts: 203   +76

    NoBsPls likes this.
  17. atari1980

    atari1980 TS Rookie

    Same for me, time to try something new. Plus I love the Wraith cooler. Sick of the Intel BS where you need to buy a new motherboard every new cpu.
     
    Jules Mark and Amet Monegro like this.
  18. clspie

    clspie TS Rookie

    Intel is hacking AMD now?
     
    Amet Monegro likes this.
  19. Puiu

    Puiu TS Evangelist Posts: 3,066   +1,484

    We already knew that AMD had some of their own flaws (there are plenty of whitepapers), it's normal. It would have been really weird to not find some in a completely new architecture.

    But these ones look really shady. I'll wait for confirmation from third party investigators.
     
  20. nnguy2

    nnguy2 TS Member Posts: 20   +15

  21. ThrakazogZ

    ThrakazogZ TS Rookie

    The problem is tech smart people (like the ones who read Techspot) suspect this is a smear campaign, but the general public will just see some headline on CNN or BBC about AMD flaws and believe it 100%. Even if these flaws are (likely) proven to be false, unless the news has a major headline about CTS making false accusations to affect the market, the damage will be done.
     
    senketsu, Jamlad, Puiu and 1 other person like this.
  22. ManuelV

    ManuelV TS Addict Posts: 111   +52

    It is good that this company investigates AMD security flaws, but giving so little time is bad for millions of users. It is like they are working for the people that use these flaws for bad reasons. If they work for Intel they are against the users.
     
  23. This is insane at the moment, released just before Zen+ release no time to respond.

    Things are getting real dirty in the CPU realm....... in saying that seems weird Intel would pay for this with all the latest partnerships they have had with AMD but it is a dirty business.
     
    Amet Monegro, NoBsPls and regiq like this.
  24. Kotters

    Kotters TS Maniac Posts: 328   +222

    https://imgur.com/OkWlIxA
     
    seeprime likes this.
  25. Lionvibez

    Lionvibez TS Evangelist Posts: 1,399   +557

    Seems bought and paid for by intel.

    When there is actual competition they play dirty not really surprising.
     
    Amet Monegro and seeprime like this.
