AMD has now said this:
This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings.
Israel based CTS-Labs just launched a website where they discuss a total of thirteen security vulnerabilities affecting AMD “Zen” CPU microarchitecture.
AMD is in the process of responding to the claims, but was only given 24 hours of notice rather than the typical 90 days for standard vulnerability disclosure. No official reason was given for the shortened time.
At present, AMD’s official line is:
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.”
CTS-Labs have set up the website AMDFlaws.com
The thirteen exploits have been grouped into four segments.
- RYZENFALL allows malicious code to take complete control over the AMD Secure Processor.
- Secure Processor privileges could be leveraged to read and write protected memory areas, such as SMRAM and the Windows Credential Guard isolated memory.
- Attackers could use RYZENFALL to bypass Windows Credential Guard, steal network credentials, and then potentially spread through even highly secure Windows corporate networks.
- Attackers could use RYZENFALL in conjunction with MASTERKEY to install persistent malware on the Secure Processor, exposing customers to the risk of covert and long-term industrial espionage.
- The vulnerabilities allow attackers to read from and write to protected memory areas, such as SMRAM and Windows Credential Guard isolated memory (VTL-1).
- An attacker could leverage these vulnerabilities to steal network credentials protected by Windows Credential Guard.
- An attacker could leverage these vulnerabilities to bypass BIOS flashing protections that are implemented in SMM.
- Two sets of manufacturer backdoors discovered: One implemented in firmware, the other in hardware (ASIC). The backdoors allow malicious code to be injected into the AMD Ryzen chipset.
- The chipset links the CPU to USB, SATA, and PCI-E devices. Network, WiFi and Bluetooth traffic often flows through the chipset as well. An attacker could leverage the chipset’s middleman position to launch sophisticated attacks.
- Chipset-based malware could evade virtually all endpoint security solutions on the market.
- Malware running on the chipset could leverage the latter’s Direct Memory Access (DMA) engine to attack the operating system. This kind of attack has been demonstrated.
- Multiple vulnerabilities in AMD Secure Processor firmware allow attackers to infiltrate the Secure Processor.
- Enables stealthy and persistent malware, resilient against virtually all security solutions on the market.
- Allows tampering with AMD’s firmware-based security features such as Secure Encrypted Virtualization (SEV) and Firmware Trusted Platform Module (fTPM).
- Facilitates network credential theft by allowing Windows Credential Guard to be bypassed.
- Physical damage and bricking of hardware. Could be used by attackers in hardware-based “ransomware” scenarios.