Security Flaw in AMD's Secure Chip-On-Chip Processor Disclosed Online (remote code execution)

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
AMD has fixed, but not yet released BIOS/UEFI/firmware updates for the general public for a security flaw affecting the AMD Secure Processor.

This component, formerly known as AMD PSP (Platform Security Processor), is a chip-on-chip security system, similar to Intel's much-hated Management Engine (ME).

Just like Intel ME, the AMD Secure Processor is an integrated coprocessor that sits next to the real AMD64 x86 CPU cores and runs a separate operating system tasked with handling various security-related operations.

AMD-PSP.png
Click to expand...

RCE found in AMD PSP TPM module
Cfir Cohen, a security researcher with the Google Cloud Security Team, says he discovered a vulnerability in the Trusted Platform Module (TPM) of the AMD Secure Processor.

The TPM is a component to store critical system data such as passwords, certificates, and encryption keys, in a secure environment and outside of the more easily accessible AMD cores.

"Through manual static analysis, we’ve found a stack-based overflow in the function EkCheckCurrentCert," Cohen says. The researcher claims that an attacker could use specially-crafted EK certificates to get remote code execution rights on the AMD Secure Processor, allowing him to compromise its security.

Cohen said that some basic mitigation techniques such as "stack cookies, NX stack, ASLR" were not implemented in AMD's Secure Processor, making exploitation trivial.

Intel ME uses a similar TPM module, but Cohen did not say if it was affected.
Click to expand...

Vulnerability reported to AMD
The Google researcher reported the flaw to AMD in September, and AMD told the researcher in December that they've developed a patch and were preparing to roll it out.

Coincidentally, on Reddit [1, 2], some users reported seeing a new option to disable AMD PSP support, but it's unclear if this new option is related to the patches AMD was preparing to roll out for Cohen's findings.

AMD-PSP.jpg

Image credit: repo_code, 1that_guy1
Bleeping Computer has reached out to AMD for more information on these patches, if they're already out, when were they rolled out, and what they consist of.
Click to expand...
 
  • Like
Reactions: Solarquest, harlan4096, bribon77 and 3 others
Solarquest

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Security hole in AMD CPUs' hidden secure processor revealed ahead of patches

Cfir Cohen, a security researcher from Google's cloud security team, on Wednesday disclosed a vulnerability in the fTMP of AMD's Platform Security Processor (PSP), which resides on its 64-bit x86 processors and provides administrative functions similar to the Management Engine in Intel chipsets.

This sounds bad. It's not as bad as you think.

The fTMP is a firmware implementation of the Trusted Platform Module, a security-oriented microcontroller specification. Cohen said he reported the flaw to AMD in late September last year, and the biz apparently had a fix ready by December 7. Now that the 90-day disclosure window has passed seemingly without any action by AMD, details about the flaw have been made public.

A firmware update emerged for some AMD chips in mid-December, with an option to at least partially disable the PSP. However, a spokesperson for the tech giant said on Friday this week that the above fTMP issue will be addressed in an update due out this month, January 2018.
....
....
Cohen's post described the vulnerability as remote code execution flaw. However, physical access is a prerequisite.

In an email to The Register, Dino Dai Zovi, cofounder and CTO of security biz Capsule8, said the vulnerability isn't quite subject to remote execution "since the crafted certificate that exploits the vulnerability needs to be written to NVRAM, the attacker must already have privileged access to the host or physical access. It would let an attacker bypass secure/trusted boot, which is performed by the TPM."

An AMD spokesperson told The Register that an attacker would first have to gain access to the motherboard and then modify SPI-Flash before the issue could be exploited. But given those conditions, the attacker would have access to the information protected by the TPM, such as cryptographic keys.

AMD's spokesperson said the chipmaker plans to address the vulnerability for a limited number of firmware versions. BIOS updates from OEMs are supposed to be made available later this month.
 
  • Like
Reactions: harlan4096, LASER_oneXM and Azure
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • Applause
AMD Earnings: 7x Increase in AI Engagements, MI300A and MI300X GPU on Track
Replies
0
Views
415
News Archive
silversurfer
silversurfer
silversurfer
    • +Reputation
    • Like
New Flaw in AMD Zen 2 Processors Puts Encryption Keys and Passwords at Risk
Replies
1
Views
1,155
News Archive
JustInTime
JustInTime
vtqhtr413
    • Applause
Hot Take Asus ROG Strix Scar X3D review: AMD’s new chip is a game-changer
Replies
0
Views
406
Hardware Discussions
vtqhtr413
vtqhtr413

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top