AMD may have its own Spectre-like security flaws to deal with
AMD may have its own Spectre-like security flaws to deal with
Updated on 21 March 2018: Added links to additional clarification from CTS-Labs and AMD's official response.
Originally published on 19 March 2018:
AMD has its own security concerns
A group of researchers have allegedly found 13 critical security vulnerabilities affecting AMD’s Ryzen and EPYC processors. These are serious flaws that could allow attackers to access data stores on these chips, in addition to installing malware on them.
AMD’s Ryzen processors are found in consumer desktops and laptops, while the EPYC chips are reserved for servers.
The vulnerabilities were disclosed by CTS-Labs, an Israel-based security firm, and published on the website amdflaws.com. There are a number of things about this disclosure that seem highly suspect, such as its source and the way it was communicated to AMD and the press, but I’ll get to that later.
The fact remains that if the flaws exist, AMD needs to fix them immediately. According to CTS-Labs, it discovered the vulnerabilities while studying the impact of what it refers to as known backdoors in ASMedia chipsets, which it claims have existed for as long as six years.
What’s the vulnerability here?
AMD uses ASMedia as its third-party chipset supplier, which is how it was supposedly exposed.
What’s concerning about these flaws is that they lie in what was specifically designed to be the secure part of the processors, or what AMD calls the Platform Secure Processor (PSP), or AMD Secure Processor.
This is where devices typically store sensitive information like encryption keys and passwords, but the flaws reportedly allow hackers to inject malicious code directly into the PSP.
However, all the disclosed vulnerabilities require administrative access, so an attacker would first need to gain control of your machine somehow, such as by tricking you into running a malicious app via a phishing attack.
This means they're "second stage" vulnerabilities, and effectively allow attackers to jump from one computer to another inside a certain network, or even install malware inside a processor that eludes security software.
How do they work?
The flaws have been broken down into four categories, codenamed Master Key, Ryzenfall, Fallout, and Chimera.
Master Key interferes with the “secure boot” process, where your processor checks that your PC hasn’t been tampered with. This vulnerability allows attackers to install malware on the PC’s BIOS, which would then enable malware to be installed on the secure processor itself. Ultimately, this gives attackers control over what programs can run during the startup process and lets them disable any processor security features.
It also facilitates network credential theft by allowing Windows Credential Guard to be bypassed. This is a Windows 10 Enterprise feature that stores sensitive data in a protection section of the OS that usually cannot be accessed.
On the other hand, Ryzenfall is specific to Ryzen chips and allows malware to take complete control of the secure processor. This affords access to previously protected data via Secure Processor privileges, including passwords.
And if hackers can bypass the Windows Defender Credential Guard, they’ll be able to use the stolen network credentials and spread through a corporate network. Furthermore, Ryzenfall can be exploited together with Masterkey to install persistent malware on the Secure Processor.
Fallout works similarly to Ryzenfall, but only affects AMD’s EPYC processors. EPYC chips are used in data centers and cloud servers and could potentially expose all their stored network credentials to malicious actors. These credentials are usually stored on a segregated virtual machine, but what supposedly happens is that this segregation is broken, thus exposing the data.
Finally, Chimera comprises both a firmware and hardware vulnerability. CTS-Labs says the Ryzen chipset lets malware run on it, and because the chipset links the CPU to USB, SATA, and PCIe devices, someone could use its position as a middleman to launch further attacks.
Furthermore, Wi-Fi and Bluetooth traffic pass through the chipset, so an attacker has plenty of avenues to leverage.
CTS-Labs has also updated its website with additional clarifications on the vulnerabilities. This text wasn't present when it first launched amdflaws.com.
What’s different about this particular disclosure?
As it turns out, CTS-Labs researchers gave AMD less than 24 hours to go over the vulnerabilities and respond before publishing its report. In comparison, standard vulnerability disclosure practices usually give companies at least 90 days notice so they have time to properly address the flaws.
The main reason for this is that going public without a fix available is practically an invitation to attackers to try to take advantage of the exploit, which is pretty irresponsible. One good example is with the Spectre and Meltdown flaws, where Google gave Intel six months to fix the issues.
Furthermore, under a section on its website that asks “How long until a fix is available?”, the company states the following:
We don't know. CTS has been in touch with industry experts to try and answer this question. According to experts, firmware vulnerabilities such as MASTERKEY, RYZENFALL and FALLOUT take several months to fix. Hardware vulnerabilities such as CHIMERA cannot be fixed and require a workaround. Producing a workaround may be difficult and cause undesired side-effects.
This is questionable, first and foremost because if you want to know how long a security flaw will take to be fixed, you typically ask the affected company. After all, they’re the ones doing the actual fixing.
On top of that, the CTS-Labs website and whitepaper are lacking the same form of in-depth technical discussions that Google provided on Meltdown and Spectre. Instead, CTS-Labs has substituted that with a bunch of infographics and concept designs.
To make matters worse, the less than 24 hours notice that AMD was given was so short that the chipmaker couldn’t even confirm if the flaws were valid or not.
The best part is that there’s a disclaimer on the amdflaws.com website itself that suggests a possible conflict of interest:
Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.
The company has since said that it has no investment in Intel or AMD, but it still doesn’t bode well for the objectivity and intentions of the whole report, even if they are legitimate.
I should also point out that CTS-Labs is a previously unheard of firm that currently has just six employees (it acknowledged as much to Reuters) and has clients who pay the firm for proprietary research on vulnerabilities in computer hardware.
What’s AMD’s response to this?
Unsurprisingly, AMD needed more time to get to the bottom of this. Its official statement is below:
We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops.
On 20 March, AMD confirmed that the vulnerabilities are real. It is currently working on a fix, and patches should arrive via AMD's ODM and OEM partners within the next 90 days. It also stressed that for the vulnerabilities to be exploited, one would need admin access. Furthermore, system security would have had to be compromised already.
You can check out AMD's response in full here.
So what should you do?
Unfortunately, there’s not much you can do at this point, since there are no patches available. Furthermore, AMD hasn’t even confirmed the validity of these disclosures, so it’s probably best to wait for the official word on this. That said, if the flaws turn out to be real, they could cause serious problems for AMD, in the same manner that Meltdown and Spectre have proved tricky to resolve for Intel. But despite the wave of criticism that has hit CTS-Labs, you shouldn't let that overshadow the very real risks of the vulnerabilities it has outlined. Right now, the consensus also seems to be that the bugs are probably real, and it's only CTS-Labs methods that are being called into question.
Dan Guido, an independent security research and CEO of security firm Trail of Bits, has supposedly seen a more detailed technical report describing the flaws and gone on record saying that he believes the threats are real.
As a result, the questionable nature of the disclosure aside, there’s no reason not to take this news seriously and follow up with any fixes should they become available.
Update 1: Now that AMD has confirmed the validity of these findings, it's just a simple matter of waiting for the patches to roll out. The vulnerabilities have to do with the firmware and chipset, and not the x86 architecture, so they won't require the hardware redesigns that Spectre calls for.
Instead, the patches will come in the form of BIOS and firmware updates (no microcode updates are needed). There is not expected to be any negative performance impact.