Critical Vulnerabilities in AMD Chips
Security researchers at CTS-Labs, based out of Israel, disclosed 13 critical vulnerabilities and backdoors in certain AMD chips used in workstations, laptops and servers. Successful exploitation of these vulnerabilities could grant deep system access to attackers from which they could launch malware attacks undetected.
The vulnerabilities are four in name:
1 | Chimera – Two sets of backdoors in the AMD chipset, one of which resides in the firmware while the other is implemented into the chip’s logic gates. They would allow a sophisticated attacker to inject malicious code and take over the chipset.
2 | Masterkey – A set of vulnerabilities in the AMD Secure Processor in Ryzen Workstation and EPYCserver chips. The exploit involves reflashing the system’s BIOS with an injected BIOS to execute unsigned code, therefore compromising the Secure Processor.
3 & 4 | Ryzenfall/Fallout – Essentially the same exploit, but for Ryzen Pro/Workstation/Mobile chips (Ryzenfall) and EPYC server chips (Fallout). These vulnerabilities allow reading and/or manipulation of Windows Credential Guard to steal network credentials and move throughout a network. Certain versions can act as prerequisities to Masterkey, allowing an attacker to bypass BIOS signature authentication by executing malicious code inside the Secure Processor.
All of these exploits, as clarified by CTS-Labs, are “stage two” exploits. In other words, they require local admin privileges to be executed. An attacker would have to compromise a machine by other means first. Once they had, they could use the appropriate exploit to navigate the associated network and cause further infections.
Despite the revelations (and subsequent fallout) of last year’s Meltdown/Spectre vulnerabilities in Intel processors, AMD isn’t as concerned abot the vulnerabilities as CTS-Labs. Though AMD claims security is their top priority, CTS-Labs says that the nature of the vulnerabilities is evidence that AMD is disregarding fundamental security principles in their chip design.
What Should You Do?
As of now, neither AMD nor any of the other companies CTS-Labs shared the vulnerabilities with have released patches or updates. The good news is that because these are stage-two exploits, a system must have been compromised by other means before these vulnerabilities are a viable threat.
One of the most common ways for a system to become compromised (with administrative access) is via phishing attacks which prey on users instead of system flaws. If a machine utilizing any of the vulnerable AMD chips was to be compromised via phishing or another known exploit, the attacker could run the exploits with no resistance.
Following existing best practices in order to avoid an initial compromise of a machine is currently the best way to mitigate the AMD chip vulnerabilities. Without a stage one, there can be no stage two.
Further Reading and Assistance
Links to the security research papers detailing the intricacies of both vulnerabilities can be found below. If you need help with making sure your organization is doing all it can to mitigate the risks of these vulnerabilities or any other, you can leave us a comment below or contact us here.