AMD Processors And Chipsets Reportedly Riddled With New Ryzenfall, Chimera And Fallout Security Flaw

[cruelsister]

Given that industry-wide panic that was unleashed following the disclosure of the and Spectre processor vulnerabilities (with Intel taking the brunt of the heat), many are on edge about the potential for similar exploits to be discovered in other products. Unfortunately, for those that are running AMD's current Zen-based processor architecture, researchers have discovered over a dozen new critical security flaws that affect Ryzen and EPYC processor families.

(The article is long, so please continue at the link above)

But also, from the original Whitepaper to be found here:

https://safefirmware.com/amdflaws_whitepaper.pdf

Can be found this jewel:

"The Ryzen chipset, a core system component that AMD outsourced to a Taiwanese chip manufacturer,
ASMedia, is currently being shipped with exploitable manufacturer backdoors inside.

These backdoors could allow attackers to inject malicious code into the chip. The chipset is a central
component on the motherboard, responsible for linking the Ryzen processor with hardware devices
such as WiFi and network cards, making it an ideal target for attackers. We note with concern that AMD’s outsource partner,ASMedia, is a subsidiary of ASUSTeK Computer, a company that has recently been penalized by the Federal Trade Commission for neglecting security vulnerabilities and put under mandatory external security audits for the next 20 years.

 

[mekelek]

Some great talk on reddit about that.

Some background information on the new AMD security vulnerabilities: • r/hardware

I guess Intel wanted some counter PR on AMD so they dug dirt out.

 

[darko999]

I will put this because op didn't bother to or either missed to put official response.


AMDs Statement via AnandTech:

At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings

Second AMD Statement via AMD IR:

We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops.

I have to add that we need time to see what from the list was actually true, as far as I can see, it was not even tested on linux. They put a 24h cap to AMD to fix it, even when they first released the list to the press and not to AMD. Remember that usually there is more than 24h.

 

[Deleted member 65228]

It was only a matter of time, nothing is full-proof.

If it turns out that the vulnerabilities are genuine and can be exploited, then it is what it is. However, my opinion is that the publishers are just trying to whore attention; why would you disclose something like this so soon after only just contacting the affected vendor? If it's genuine and adds up right, this isn't something that could be fixed overnight.

I get it, people deserve the right to know... Although I think they should have at-least waited for AMD to finish investigation and provide a proper response prior to making this public. It's standard and well-known that waiting around 90 days to give the vendor time is responsible and fair.

I find it intriguing that security researchers exploiting hardware features are in-capable of using their brain to think about whether something is a responsible decision or not. Everyone has their own opinions regarding what is or is not responsible but it doesn't take an expert to realise that something on this scale, especially given it being multiple vulnerabilities, would be a bad idea to disclose prior to proper and official investigation.

For now, I would ignore it and all and wait for AMD to finish investigations... Could be nothing but a stupid attention seeking attempt.

 

[upnorth]

Now this was an eye-opener! Thanks for the share.

 

[cruelsister]

Fun Fact- for the past week or so there has been unusual activity in AMD stock and options. When this report was released this morning AMD stock tanked a bit to 11.20/share. Soon after some Big Buys came in and the stock subsequently rose to 12.00, when those same buys were sold.

Someone (or Something) made a killing on this report.

 

[ForgottenSeer 58943]

Some great talk on reddit about that.

Some background information on the new AMD security vulnerabilities: • r/hardware

Nice find, it smelled like fake news but I guess we will see.. So who setup what appears to be a shell company to disclose this? Also, why are Israeli names plastered all over this? Remember, Intel is largely an Israeli company so I find all of this incredibly suspicious. (and not surprising given the history of that country and it's shenanigans)

I'm shocked people think they can get away with these shenanigans in the modern area..

 

[codswollip]

I guess Intel wanted some counter PR on AMD so they dug dirt out.

An Intel smear job to redirect attention from their complicit deception and incompetence? And fakey green-screened video? Is it April 1 yet in China?

 

[darko999]

I like these ones:
"Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update."
"Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed."
If you ask me, they described it like it was pure fire. I know there will be always flaws, but this time I think they over reacted. Maybe they needed attention so bad that they didn't bother to just throw a pile of information to the press, with not caring about how irresponsable that is.

 

[LASER_oneXM]

....another article about this vulnerabilities (bleepingcomputer.com): AMD Investigating RyzenFall, MasterKey, Fallout, and Chimera CPU Vulnerabilities

What are these vulnerabilities?
Below is a description of what CTS Labs researchers claim the vulnerabilities allow an attacker to perform. Just bear in mind, AMD has not confirmed any of these just yet.

MasterKey 1, 2, 3

⏺ Persistent malware running inside AMD Secure Processor
⏺ Bypass firmware-based security features such as Secure Encrypted Virtualization (SEV) and Firmware Trusted Platform Module (fTPM)
⏺ Network credential theft. Bypass Microsoft Virtualization-based Security (VBS), including Windows Credential Guard
⏺ Physical damage to hardware (SPI flash wear-out, etc.)
⏺ Affects: EPYC, Ryzen, Ryzen Pro, Ryzen Mobile. Successfully exploited on EPYC and Ryzen.
RyzenFall 1 and Fallout 1

⏺ Write to protected memory areas, including: (1) Windows Isolated User Mode and Isolated Kernel Mode (VTL1) and (2) AMD Secure Processor Fenced DRAM [Allows direct tampering with trusted code running on AMD Secure Processor. Only applicable to select Ryzen motherboards]
⏺ Network credential theft. Bypass Microsoft Virtualization-based Security (VBS) including Windows Credential Guard
⏺ Enables memory-resident VTL1 malware that is resilient against most endpoint security solutions
⏺ Affects: EPYC, Ryzen, Ryzen Pro, Ryzen Mobile. Successfully exploited on EPYC, Ryzen, Ryzen Pro and Ryzen Mobile.
RyzenFall 2 and Fallout 2

⏺ Disable Secure Management RAM (SMRAM) read/write protection
⏺ Enables memory-resident SMM malware, resilient against most endpoint security solutions
⏺ Affects: EPYC, Ryzen, Ryzen Pro. Successfully exploited on EPYC, Ryzen, Ryzen Pro. Ryzen Mobile is not affected.
RyzenFall 3 and Fallout 3

⏺ Read from protected memory areas, including: (1) Windows Isolated User Mode and Isolated Kernel Mode (VTL1) (2) Secure Management RAM (SMRAM) (3) AMD Secure Processor Fenced DRAM. Only applicable to select Ryzen motherboards
⏺ Network credential theft. Bypass Windows Credential Guard by reading secrets from VTL1 memory
⏺ Affects: EPYC, Ryzen, Ryzen Pro. Successfully exploited on EPYC, Ryzen, Ryzen Pro. Ryzen Mobile is not affected.
RyzenFall 4

⏺ Arbitrary code execution on AMD Secure Processor
⏺ Bypass firmware-based security features such as Firmware Trusted Platform Module (fTPM)
⏺ Network credential theft. Bypass Microsoft Virtualization-based Security (VBS), including Windows Credential Guard
⏺ Physical damage to hardware (SPI flash wear-out, etc.)
⏺ Affects: Ryzen, Ryzen Pro. Successfully exploited on Ryzen, Ryzen Pro.
Chimera (Firmware, Hardware versions)

⏺ Two sets of manufacturer backdoors: One implemented in firmware, the other in hardware (ASIC)
⏺ Allows malware to inject itself into the chipset’s internal 8051 architecture processor
⏺ The chipset links the CPU to USB, SATA, and PCI-E devices. Network, WiFi and Bluetooth traffic often flows through the chipset as well
⏺ Malware running inside the chipset could take advantage of the chipset’s unique position as a middleman for hardware peripherals
⏺ Affects: Ryzen, Ryzen Pro. Successfully exploited on Ryzen and Ryzen Pro.

CTS Labs facing criticism
The CTS Labs team has put considerable efforts into marketing these security flaws, with the creation of a dedicated website and the release of professionally-shot YouTube videos.





The infosec community is more than displeased with the company's decision to give AMD only one day to address these flaws and with the fact they did not share any technical write-up to prove their research's validity. Furthermore, some experts also pointed out that the company is overhyping the vulnerabilities, all of which require admin-level access for successful exploitation.

 

[Av Gurus]

Severe Security Advisory on AMD Processors | Hacker News

 

[ForgottenSeer 58943]

I like these ones:
"Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update."
"Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed."
If you ask me, they described it like it was pure fire. I know there will be always flaws, but this time I think they over reacted. Maybe they needed attention so bad that they didn't bother to just throw a pile of information to the press, with not caring about how irresponsable that is.

Oh, so L1 compromise? Awesome.. Doesn't count. Remember, if Layer 1 access is established then all bets are off for ALL pieces of hardware/software. Anything can be exploited with specialty crafted bios, elevated local admin privs etc. Remember, this isn't domain administrator either, it's local administrator on a disjoined domain machine rendering this even more unlikely.. The attacker might need an hour sitting at your box.

 

[Marko :)]

Assassination Attempt on AMD by Viceroy Research & CTS Labs, AMD "Should Be $0"

 

[darko999]

@Marko :) Thanks for the link. I'll put funny quote here, from the website www.amdflaws.com:

"Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

I guess it talks by itself.

 

[ForgottenSeer 58943]

Wait wait wait! Hold on just a minute!!!! So what you are telling me is that if I were to gain access to your home, log into your PC as admin, insert a specifically crafted USB with modified BIOS for your motherboard BIOS , bypassed your BIOS password and installed the modified BIOS that you will be compromised?! I mean, I've never! That is such a horrid vulnerability! I mean you are telling me that you do not let unknown guests install BIOS updates to your PC?!!!

Although, one thing one must argue is that it's a nice intel agency exploit once they gain access to your house/corporation (but in that case all things are lost)...so yeah it does have some merit but damn it's blown out of proportion. It's not like a drive by infection that Intel let out.

I always assume once physical control is lost all bets are off. Which is why I will not send my phone out or leave my phone at a repair facility without controls in place. I dropped my phone off to be fixed, the guy said 'Looks like it's not setup', I explained that I wiped it and that when I get it back from him I will perform a low level wipe once again before anything happens.

Physical access to my home by any unauthorized source is relatively impossible. All vectors have been sealed off and redundant security in place. That STILL doesn't stop random 'Door Repair Company' vans pulling into my driveway while we're on vacation. (true story)

 

[ForgottenSeer 58943]

Bums are persistent though, I'll give them that. Like pitbulls.

Like those USB sticks I ordered from Amazon that were delayed several days and arrived with pre-installed toys. Sending individual ones off to a few malware research firms was a wonderful way to expose those toys. Now I pick up my sticks locally. The cryo technique attempted on my last set of custom door locks was interesting, especially the hair-line fractures.Those got sent to a locksmithing convention for analysis by over 400 locksmiths.

I replaced those deadbolts with $349 Bi-Locks that require my physical master key, 20 character master passcode and a rare bi-lock key making machine to dupe all shrouded in a tamper resistant housing.

Oh the stories I could tell. But I admit, it's exciting and keeps me feeling important when I am relatively unimportant. I suppose I would get bored otherwise. It certainly makes my home a WONDERFUL testbed of new techniques and technologies of which several firms partake in.

 

[ForgottenSeer 58943]

Why would they be going after you? That's a lot of resources aimed at a single person. Are you maybe just overly security sensitive?

Why not just enter through a window or porch? Why the front door?

Tough windows thanks to 3M SF. I wish it was over sensitivity, but then me and my friends might get bored.

 

[Deleted member 65228]

Why would they be going after you?

Every black-hat out there.

He puts on an 'The Reverse Flash' doppelganger suite at night and speeds around as the fastest man in the world into people's homes like Santa Claus and secures their systems and networks without their consent or knowledge of it.

[ Sorry I could not resist taking that opportunity to joke hahaha. On a serious note though, I hope that your house security will maintain sufficiency against whoever is doing what you mentioned... You should be able to feel safe in your home. What about CCTV to capture the license plates, etc? ]

 

[Deleted member 65228]

What about setting up a trap.

1. Bad person drives onto your drive-way to try and break into your house for the 3,918th time
2. Stealthy and non-noticeable CCTV catches everything on video including their face, clothes, car license plate, tools, etc
3. Now they find out it was actually a trap and that they are closed in on the drive-way because all the exits are blocked, the tires are flat and the car battery is gone and they are 10s away from being surrounded by police

 

[codswollip]

Too much information !!!