Security Flaw in AMD's Secure Chip-On-Chip Processor Disclosed Online (remote code execution)

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
AMD has fixed, but not yet released BIOS/UEFI/firmware updates for the general public for a security flaw affecting the AMD Secure Processor.

This component, formerly known as AMD PSP (Platform Security Processor), is a chip-on-chip security system, similar to Intel's much-hated Management Engine (ME).

Just like Intel ME, the AMD Secure Processor is an integrated coprocessor that sits next to the real AMD64 x86 CPU cores and runs a separate operating system tasked with handling various security-related operations.

AMD-PSP.png

RCE found in AMD PSP TPM module
Cfir Cohen, a security researcher with the Google Cloud Security Team, says he discovered a vulnerability in the Trusted Platform Module (TPM) of the AMD Secure Processor.

The TPM is a component to store critical system data such as passwords, certificates, and encryption keys, in a secure environment and outside of the more easily accessible AMD cores.

"Through manual static analysis, we’ve found a stack-based overflow in the function EkCheckCurrentCert," Cohen says. The researcher claims that an attacker could use specially-crafted EK certificates to get remote code execution rights on the AMD Secure Processor, allowing him to compromise its security.

Cohen said that some basic mitigation techniques such as "stack cookies, NX stack, ASLR" were not implemented in AMD's Secure Processor, making exploitation trivial.

Intel ME uses a similar TPM module, but Cohen did not say if it was affected.

Vulnerability reported to AMD
The Google researcher reported the flaw to AMD in September, and AMD told the researcher in December that they've developed a patch and were preparing to roll it out.

Coincidentally, on Reddit [1, 2], some users reported seeing a new option to disable AMD PSP support, but it's unclear if this new option is related to the patches AMD was preparing to roll out for Cohen's findings.

AMD-PSP.jpg

Image credit: repo_code, 1that_guy1
Bleeping Computer has reached out to AMD for more information on these patches, if they're already out, when were they rolled out, and what they consist of.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Security hole in AMD CPUs' hidden secure processor revealed ahead of patches

Cfir Cohen, a security researcher from Google's cloud security team, on Wednesday disclosed a vulnerability in the fTMP of AMD's Platform Security Processor (PSP), which resides on its 64-bit x86 processors and provides administrative functions similar to the Management Engine in Intel chipsets.

This sounds bad. It's not as bad as you think.

The fTMP is a firmware implementation of the Trusted Platform Module, a security-oriented microcontroller specification. Cohen said he reported the flaw to AMD in late September last year, and the biz apparently had a fix ready by December 7. Now that the 90-day disclosure window has passed seemingly without any action by AMD, details about the flaw have been made public.

A firmware update emerged for some AMD chips in mid-December, with an option to at least partially disable the PSP. However, a spokesperson for the tech giant said on Friday this week that the above fTMP issue will be addressed in an update due out this month, January 2018.
....
....
Cohen's post described the vulnerability as remote code execution flaw. However, physical access is a prerequisite.

In an email to The Register, Dino Dai Zovi, cofounder and CTO of security biz Capsule8, said the vulnerability isn't quite subject to remote execution "since the crafted certificate that exploits the vulnerability needs to be written to NVRAM, the attacker must already have privileged access to the host or physical access. It would let an attacker bypass secure/trusted boot, which is performed by the TPM."

An AMD spokesperson told The Register that an attacker would first have to gain access to the motherboard and then modify SPI-Flash before the issue could be exploited. But given those conditions, the attacker would have access to the information protected by the TPM, such as cryptographic keys.

AMD's spokesperson said the chipmaker plans to address the vulnerability for a limited number of firmware versions. BIOS updates from OEMs are supposed to be made available later this month.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top