Spectre/Meltdown Part Two? Research Firm Audit Reveals Critical Flaws, Backdoors In Four AMD Processors

Four AMD processor families carry critical security vulnerabilities and what the researchers describe as manufacturer backdoors, putting organizations that run them at greater risk of cyberattack, according to an audit from CTS Labs.

The Tel Aviv, Israel-based cybersecurity research firm said Tuesday that it has found 13 security flaws and manufacturer backdoors in Santa Clara, Calif.-based AMD's latest Epyc, Ryzen, Ryzen Pro and Ryzen Mobile processors. The vulnerabilities affect any consumer or organization that has purchased AMD-based servers, workstations or laptops, according to CTS Labs.

"At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise," the company said in a statement Tuesday morning. "We are investigating this report, which we just received, to understand the methodology and merit of the findings."

[Related: AMD Backtracks On 'Near Zero Risk' Processor Claims, Now Must Issue Updates To Combat Spectre]

CTS Labs said it has shared its findings with AMD, Microsoft, HP, Dell and select security vendors so that they can develop mitigations and patches and look for related weaknesses in their own products. The research firm said it has also shared the information with relevant U.S. regulators.

This disclosure comes just two months after it was revealed that design flaws had left a large share of the world's processors exposed to the vulnerabilities known as Spectre and Meltdown. Concern around Spectre and Meltdown has centered primarily on AMD competitor Intel, although chips from AMD, IBM and ARM are affected by Spectre variants as well.

Public disclosure of the AMD flaws does not put users at additional risk, CTS Labs said, because all technical details that could be used to reproduce the vulnerabilities have been redacted. The research firm said it created a website to inform the public about the flaws and to call on AMD and others to fix the affected products. AMD's statement that it had "just received" the report indicates the disclosure was made with little advance notice, so no vendor patches were available at the time of publication.

The AMD Secure Processor, the dedicated security co-processor embedded in Epyc and Ryzen chips, is currently shipping with critical vulnerabilities that let attackers install malware inside the chip itself, CTS Labs found. Because Windows Credential Guard can be bypassed, the vulnerabilities may allow attackers to move laterally through corporate networks using stolen credentials, according to CTS Labs.

Secure Encrypted Virtualization can be defeated as soon as an attacker obtains code execution on the Epyc secure processor, according to CTS Labs, at which point the attacker potentially gains full access to the compromised system, its physical memory, its peripherals and the secrets stored inside.

The Ryzen chipset, meanwhile, is shipping with exploitable backdoors that could let attackers inject malicious code into the chipset, giving them a safe haven to operate from, CTS Labs said. This backdoor exists on virtually all Ryzen and Ryzen Pro workstations on the market today, according to CTS Labs.

Worth Davis, vice president and chief technology officer at Houston-based Computex, one of the top managed security service providers in the country, said the Computex Cyber-Security team is already investigating the AMD vulnerability.

"Our team is already working on this for our managed security service customers," he said. "We had the Spectre and Meltdown vulnerabilities a few months ago and now we have these AMD issues. What we are seeing is a much greater range of vulnerabilities today than years ago. It is all over the place, throughout the hardware and software stack. There are many more attack vectors."

Davis, a 20-year CIO veteran and a former director of IT for $77 billion energy conglomerate Engie, said he sees the AMD vulnerabilities as one more reason businesses need to take advantage of managed security services from trusted security experts like Computex.

"We strongly urge business executives not to take on these security issues on their own," he said. "There is just no way for customers today to keep up with the massive number of vulnerabilities and exploits that are coming out each and every day without help from someone like Computex. These vulnerabilities are increasingly difficult to manage. This is not just about patching Windows. This is serious stuff. What a managed security service does is allow a customer to focus on running their business rather than worrying about complex security vulnerabilities and issues."

Davis said it is critical that customers take steps to avoid becoming the next big security breach headline-maker. "As everybody knows, the most common way to see a change in executive leadership is a security breach," he said.

CTS Labs classified the vulnerabilities it found in the AMD processors into four categories: Ryzenfall, Fallout, Chimera and Masterkey. All four presuppose that the attacker already has administrative privileges on the target machine, so they are post-compromise persistence and privilege-escalation issues rather than remote entry points.

Firmware vulnerabilities such as Masterkey, Ryzenfall and Fallout can be fixed with firmware updates within several months, CTS Labs said, while hardware vulnerabilities like Chimera cannot be fixed and require a workaround. That workaround could be difficult to implement and cause undesired side effects, according to CTS Labs.

CTS Labs said it is concerned about Chimera being exploited in the wild. The research firm urges organizations to pay closer attention to the security of AMD devices before deploying them in mission-critical systems.

Ryzenfall allows malicious code to take complete control of the AMD Secure Processor, CTS Labs said. With the secure processor's privileges, that code could then read and write protected memory areas.

CTS Labs said attackers can use Ryzenfall to bypass Windows Credential Guard, steal network credentials and potentially spread through otherwise tightly secured Windows corporate networks. By combining Ryzenfall with Masterkey, attackers could install persistent malware on the secure processor, exposing customers to the risk of covert, long-term industrial espionage.

The second class, called Fallout, allows attackers to read from and write to protected memory areas. Attackers can leverage Fallout to steal network credentials protected by Windows Credential Guard, as well as to bypass BIOS flashing protections implemented in System Management Mode (SMM).

The backdoors built into the chipset's firmware and hardware, which CTS Labs named Chimera, allow malicious code to be injected into the AMD Ryzen chipset. An attacker could leverage the chipset's middleman position between the CPU and peripherals to launch sophisticated attacks, according to CTS Labs.

Malware running on the chipset could use the chipset's Direct Memory Access (DMA) engine to attack the operating system, CTS Labs said. Chipset-based malware could also evade every endpoint security product on the market today, according to CTS Labs.

Finally, Masterkey allows attackers to infiltrate the AMD Secure Processor and tamper with AMD's firmware-based security features, such as Secure Encrypted Virtualization and the firmware Trusted Platform Module (fTPM), CTS Labs found. This enables stealthy, persistent malware that is resilient against virtually all security offerings on the market today, according to CTS Labs.

Masterkey facilitates network credential theft by allowing Windows Credential Guard to be bypassed, CTS Labs said. Attackers could also use it to cause physical damage or brick hardware in hardware-based ransomware scenarios, according to CTS Labs.

STEVEN BURKE contributed to this story. 
