Endpoint Security , Governance & Risk Management , Incident & Breach Response

Chipmaker AMD Confirms 13 Chipset Flaws, Preps Fixes

Firmware Updates Coming for Embedded Security Control Processor
Chipmaker AMD Confirms 13 Chipset Flaws, Preps Fixes

Multinational semiconductor company Advanced Micro Devices has confirmed that there are 13 flaws in some of its CPUs that could be exploited to manipulate chip firmware for malicious purposes.

See Also: Building a Secure Foundation to Reduce Cyber Risk

The flaws were first publicized on March 13 by CTS Labs, an Israeli cybersecurity startup that launched a website and released a white paper to announce the flaws. The company's moves, and a statement saying that it may have an economic interest in the performance of AMD's stock, had led some to dismiss the firm's actions as a PR stunt (see AMD Chipset Flaws Are Real, But Experts Question Disclosure).

AMD, based in Santa Clara, California, says it first learned of the flaws less than 24 hours before CTS Labs publicly released the information. CTS said the 13 flaws fell into four sets, which it's called Masterkey, Ryzenfall, Fallout and Chimera, the latter being an alleged backdoor.

Seven days after the vulnerabilities became public knowledge, AMD confirmed the flaws, which exist in the embedded security control processor - called AMD Secure Processor - built into some of its CPUs. Also at risk are the chipsets in two types of microprocessor socket platforms - the AM4 and TR4 - used by AMD's CPUs. The AM4 is part of AMD's Zen and Excavator microarchitectures, while the TR4 is part of its Zen-based Ryzen Threadripper desktop processors.

Fixes Underway

Fix development is underway. "AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations," Mark Papermaster, AMD's chief technology officer, says in a Tuesday blog post.

AMD says the flaws can be grouped into three major categories:

  • Masterkey and Platform Security Processor Privilege Escalation: An attacker could circumvent platform security controls - in a manner that survives rebooting - by flashing the firmware "to corrupt its contents," which the AMD Secure Processor would not detect.
  • Ryzenfall and Fallout: An attacker could circumvent platform security controls - but not in a manner that survives across reboots - by abusing the PSP APIs to execute arbitrary code.
  • Chimera: An attacker could install a malicious driver in the "Promontory" chipset used in many socket AM4 desktop and socket TR4 high-end desktop platforms.

For the first two groups, AMD says it plans a "firmware patch release" for its PSP firmware, which will be installed via a BIOS update. For the third set of flaws, "AMD is working with the third-party provider that designed and manufactured the 'Promontory' chipset on appropriate mitigations," it says.

AMD adds that it expects the fixes to have "no performance impact."

Admin Access Required

An attacker would require administrative access to a system to exploit any of the flaws. Still, a successful attack would likely leave few traces, meaning that exploiting these flaws could be of great interest to intelligence agencies or sophisticated crime cartels.

Papermaster says that would-be attackers would face significant obstacles, including having to gain in-person or remote administrative access to a system. "All modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues," he says.

"There is no immediate risk of exploitation of these vulnerabilities for most users."
—Dan Guido, Trail of Bits

None of the flaws are connected in any way to the trio of speculative execution vulnerabilities known as Spectre and Meltdown that first came to light publicly in January, AMD says. Millions of processors built by Intel, AMD and ARM are vulnerable to variant 1 or variant 2 of the flaws, known as Spectre. Many Intel processors, as well as some built by ARM, are also vulnerable to variant 3, known as Meltdown (see Microsoft Offers Payouts for New Spectre, Meltdown Flaws).

13 Flaws: Little Immediate Risk

AMD has yet to release a timeline of when it expects to release fixes for the 13 flaws. But Papermaster says more technical analysis and mitigation plan information will be released "in the coming weeks."

Dan Guido, CEO of Trail of Bits - an information security consultancy that says it was contacted and later paid by CTS Labs to review its research before it was publicly released - says the 13 flaws publicized by CTS Labs pose little immediate risk.

"There is no immediate risk of exploitation of these vulnerabilities for most users," Guido says in a blog post. "Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers."

Guido says these types of vulnerabilities are widespread and that chipmakers should be doing a better job of finding and fixing them before independent security researchers discover them.

"These types of vulnerabilities should not surprise any security researchers; similar flaws have been found in other embedded systems that have attempted to implement security features," he says. "They are the result of simple programming flaws, unclear security boundaries and insufficient security testing. In contrast, the recent Meltdown and Spectre flaws required previously unknown techniques and novel research advances to discover and exploit."

Coordinated Disclosure

Many researchers and organizations, including Google, have chosen to pursue "coordinated disclosure" programs that give organizations up to 90 days to mitigate or warn of bugs in their products before publicly releasing bug information. Some organizations also run bug bounty programs that pay researchers for their efforts, often in exchange for their agreeing to certain terms and conditions. But otherwise, researchers have no legal obligation to provide 90 days' notice (see Google's Psychological Patch Warfare).

But in the case of the Spectre and Meltdown flaws, Google agreed to a seven-month delay before publicizing the flaws, owing both to the dangers they posed as well as the difficulty that chipmakers Intel, AMD and ARM would face when attempting to coordinate, distribute and see their microcode updates for mitigating the problems to be patched in part via operating system updates.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.