A new class of hardware vulnerabilities has been discovered, and now it’s time for AMD to sweat bullets. A report by CTS-Labs details a total of thirteen new flaws in AMD CPUs that potentially rival Spectre/Meltdown in terms of severity.
The currently unpatched vulnerabilities are categorized into four classes—RYZENFALL, FALLOUT, CHIMERA, and MASTERKEY—and threaten wide-range of servers, workstations, and laptops running vulnerable AMD Ryzen, Ryzen Pro, Ryzen Mobile or EPYC processors.
The issues themselves encompass multiple different types. All of the vulnerabilities defeat AMD’s Secure Encrypted Virtualization (SEV) technology and could allow attackers to bypass Microsoft Windows Credential Guard to steal network credentials or other data.
Here’s a quick rundown of how each vulnerability works and what targets they hit.
RYZENFALL vulnerabilities allow unauthorized code execution on the Ryzen Secure Processor, eventually letting attackers access protected memory regions, inject malware into the processor itself, and disable SMM protections against unauthorized BIOS reflashing.
MASTERKEY attacks are very similar to RYZENFALL, targeting many of the same platforms with similar vulnerabilities. In some ways these two vulnerability classes could be considered pretty much the same.
FALLOUT attacks work against the bootloader component of EPYC secure processor and allow attackers to read from and write to protected memory areas, such as SMRAM and Windows Credential Guard isolated memory. FALLOUT attacks affect servers using AMD’s EPYC processors and could be exploited to inject persistent malware into VTL1, where the Secure Kernel and Isolated User Mode (IUM) code is based.
CHIMERA attacks are actually targeted against built-in backdoors inside AMD’s Promontory chipsets that are part of all Ryzen and Ryzen Pro workstations. These are particularly dangerous because malicious code can piggy-back on pretty much any data to be passed through the chipset. So a MITM (man-in-the-middle) WiFi attack could potentially be used to exploit these backdoors, and then run arbitrary code on the chipset. The example given by researchers is one of a keylogger being installed that records any data passed via USB to the chipset. And because the backdoors are manufacturer-installed, a direct fix may not be possible without a hardware recall.
All of these issues can open up users to a variety of new attacks including: hardware-based ransomware, theft of system critical data, industrial espionage and more.
However, AMD is aware of the issue and is currently investigating:
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings,”
For more detailed information about the vulnerabilities, you can head on to this paper [PDF] titled, “Severe Security Advisory on AMD Processors,” published by CTS-Lab. Let’s just hope that AMD can fix these vulnerabilities quickly while avoiding the major performance headaches reported after the Spectre/Meltdown fiasco.
