AMD Patches for Newly Disclosed Processor 13 Critical Vulnerabilities
AMD has finally acknowledged there's a problem with its Platform Security Processor. Earlier this month Israel-based CTS labs found 13 critical vulnerabilities (including RyzenFall, MasterKey, Fallout and Chimera) with AMD's product, which could allow attackers to access sensitive data, install malware and gain complete access to compromised machines (although doing so would require admin access). Today, AMD has published a statement that largely underplays the threat, but claims that patches will be coming soon.According to CTS-Labs researchers, critical vulnerabilities that affect AMD's Platform Security Processor (PSP) could allow attackers to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.
Although exploiting AMD vulnerabilities require admin access, it could help attackers defeat important security features like Windows Credential Guard, TPMs, and virtualization that are responsible for preventing access to the sensitive data from even an admin or root account.
Official Statement from Mark Papermaster
On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.
The security issues identified can be grouped into three major categories. The table below describes the categories, the AMD assessment of impact, and planned actions.
Vulnerability Groups Problem Description & Method of Exploitation Potential Impact Planned AMD Mitigation MASTERKEY
and
PSP Privilege Escalation
(AMD Secure Processor or “PSP” firmware)Issue: Attacker who already has compromised the security of a system updates flash to corrupt its contents. AMD Secure Processor (PSP) checks do not detect the corruption.
Method: Attacker requires Administrative accessAttacker can circumvent platform security controls. These changes are persistent following a system reboot. Firmware patch release through BIOS update. No performance impact is expected.
AMD is working on PSP firmware updates that we plan to release in the coming weeks.
(AMD Secure Processor firmware)
Method: Attacker requires Administrative access.
Attacker may install difficult to detect malware in SMM (x86).
AMD is working on PSP firmware updates that we plan to release in the coming weeks.“Promontory”
ChipsetCHIMERA
“Promontory” chipset used in many socket AM4 desktop and socket TR4 high-end desktop (HEDT) platforms.
AMD EPYC server platforms, EPYC and Ryzen Embedded platforms, and AMD Ryzen Mobile FP5 platforms do not use the “Promontory” chipset.Issue: Attacker who already has compromised the security of a system installs a malicious driver that exposes certain Promontory functions.
Method: Attacker requires Administrative access.Attacker accesses physical memory through the chipset.
Attacker installs difficult to detect malware in the chipset but is not persistent across reboots.Mitigating patches released through BIOS update. No performance impact is expected.
AMD is working with the third-party provider that designed and manufactured the “Promontory” chipset on appropriate mitigations.AMD will provide additional updates on both our analysis of these issues and the related mitigation plans in the coming weeks.
Mark Papermaster,
Senior Vice President and Chief Technology Officer
CTS Labs maintains it did the right thing, claiming that they didn't think AMD would be able to fix the problem for "many, many months, or even a year" anyway. CTS Labs' CTO Ilia Luk-Zilberman has also posted a letter on the AMDflaws site in which he explains his gripe with the 90-day response window and why he believes revealing vulnerabilities to everyone at once (consumers and media, as well as the companies in question), puts pressure on the relevant parties to get things fixed.
That certainly appears to be the case with AMD, which says that patch updates can be expected through BIOS updates (without affecting performance) in the coming weeks -- a fair response having been caught so off guard. The issue now, however, would be other security research companies similarly doing away with the 90-day 'rule'. If vulnerabilities were made public the moment they were discovered, they'd never be out of the news, and it would be a real challenge for everyone concerned to know where the risks really were.
That certainly appears to be the case with AMD, which says that patch updates can be expected through BIOS updates (without affecting performance) in the coming weeks -- a fair response having been caught so off guard. The issue now, however, would be other security research companies similarly doing away with the 90-day 'rule'. If vulnerabilities were made public the moment they were discovered, they'd never be out of the news, and it would be a real challenge for everyone concerned to know where the risks really were.
This comment has been removed by a blog administrator.
ReplyDelete