AMD Processors And Chipsets Reportedly Riddled With New Ryzenfall, Chimera And Fallout Security Flaws (Updated)
According to CTS-Labs, a fledgling Israeli security firm that first reported on the chip flaws, vulnerabilities lie in both the AMD Secure Processor (which is included on-die in every Zen-based processor) and the complementary chipset used with Ryzen and Ryzen Pro workstations. There are allegedly four primary platform exploits, of which each have their own variants called: Ryzenfall, Fallout, Chimera, and Masterkey.
Ryzenfall leverages vulnerabilities in the Secure Processor, giving access to protected memory areas including SMRAM and the isolated memory for the Windows Credential Guard. With escalated privileges, malicious code can be injected to take full control of the Secure Processor, bypass the Windows Credential Guard, and gain access to passwords and even encryption keys. Critically, CTS-Labs says that Ryzenfall has the potential to "[expose] customer to the risk of covert and long-term industrial espionage." Ryzenfall affects Ryzen, Ryzen Pro and Ryzen Mobile.
Fallout has a similar attack pattern and threat vectors to Ryzenfall, including gaining access to SRAM and Windows Credential Guard. However, an added wrinkle is that it can bypass protections that are in place on certain systems to prevent the BIOS from being overwritten. Fallout is limited to EPYC servers.
Chimera takes advantage of two backdoors reportedly found in the supporting Ryzen chipset (one in hardware, one in firmware). Given that the chipset serves as the central staging area for Wi-Fi, Bluetooth, Network, PCI-E, and USB traffic (among others), attackers can install malware in the chipset to perform man-in-the-middle attacks with a keylogger. Chimera affects Ryzen and Ryzen Pro.
Masterkey allegedly leverages "multiple vulnerabilities" in the Secure Processor that can infiltrate AMD's Secure Encrypted Virtualization (SEV) and Firmware Trusted Platform Module (fTPM). Masterkey attacks could allow an attacker to permanently damage Zen-based hardware. Masterkey affect Ryzen, Ryzen Pro, Ryzen Mobile and EPYC.
We reached out to AMD for their take on this developing situation, and a spokesman provided us with the following response, "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings."
CTS-Labs really takes AMD to task over these exploits, and specifically calls out the company's decision to outsource development of the Ryzen chipset (which is linked to Chimera) to ASUSTeK subsidiary ASMedia. The researchers allege that ASMedia has a "poor security track record" and has already come under fire from the FTC for its lapses in security.
"The vulnerabilities we have discovered allow bad actors who infiltrated the network to persist in it, surviving computer reboots and reinstallations of the operating system, while remaining virtually undetectable by most endpoint security solutions," writes CTS-Labs in a white paper [PDF]. "This allows attackers to engage in persistent, virtually undetectable espionage, buried deep in the system and executed from AMD’s Secure Processor and chipset."
"In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles. This raises concerning questions regarding security practices, auditing, and quality controls at AMD."
According to CTS-Labs, it has not disclosed any technical information that would allow malicious actors to create working attacks for Zen-based processors. In addition, it has already contacted AMD, Microsoft, and a handful of other companies to help implement patches for these vulnerabilities.
Patches for Ryzenfall, Fallout, and Masterkey could be available within "several months", while there is no potential fix for Chimera, which would require a workaround that could have "undesired side-effects". Again, CTS-Labs unloads on ASMedia saying that while it is unaware of any of vulnerabilities being exploited in the wild, "similar vulnerabilities in other ASMedia products have been known in hardware hacking circles for several years."
Update, 3/13/3018 2:33 PM EST - We will update this story as more information comes in and as AMD reports back to us with their findings. For now, though this news seems alarming, we'd suggest caution before drawing definitive conclusions, and allowing the dust to settle a bit here. These exploits, if they are real, require local administrator access to either install malicious software or modified BIOS / Firmware. It's also worth pointing out that the registered domain of CTS-Labs points to AMDFlaws.com and that seems a bit suspect in and of itself. That said, the whitepaper and report itself is detailed with a fair degree of effort put forth. We'll have to see how this unfolds.