AMD has officially confirmed the validity of the RyzenFall, MasterKey, Fallout, and Chimera vulnerabilities that came to light on March 12, and said it would be releasing patches in "the coming weeks."
The company's assessment of the four flaws is consistent with the original whitepaper published by Israeli security firm CTS Labs, and with third-party audits by Trail of Bits, Check Point, and CrowdStrike's Alex Ionescu.
Because of the non-standard vulnerability disclosure process, many security experts believed the original CTS Labs report was an attempt to manipulate AMD stock and, hence, contained false or misleading bugs.
AMD officially confirms products are affected
AMD CTO Mark Papermaster effectively confirmed today that the flaws are real and, indeed, affect AMD Ryzen and EPYC processor series.
More specifically, three of the flaws (MasterKey, Fallout, and RyzenFall) affect the AMD Platform Security Processor (PSP), a secure chip-on-chip processor, similar to the Intel Management Engine (ME), that is separated from the rest of the AMD processor at the hardware level and usually deals with secure data such as passwords, encryption keys, etc.
The last —Chimera— affects the AMD chipset (motherboard component) that manages communication between the processor, memory, and peripherals, allowing attackers to execute code and relay false information to other components.
AMD says it had only one day to look at original report
AMD took a whole week to assess these flaws because CTS Labs gave AMD only a day to read its report before going public with its findings.
AMD also dismissed the original severity of these flaws by pointing out —similar to the third-party investigators— that these flaws need administrative access to be exploited. The Meltdown and Spectre flaws did not need elevated privileges during exploitation.
Below is a table with AMD's assessment of the MasterKey, Fallout, RyzenFall, and Chimera vulnerabilities and its plan of action. AMD promised more in-depth details about the patching process in the coming weeks.
| Vulnerability Groups | Problem Description & Method of Exploitation | Potential Impact | Planned AMD Mitigation |
|---|---|---|---|
| MASTERKEY and PSP Privilege Escalation (AMD Secure Processor or “PSP” firmware) | Issue: Attacker who already has compromised the security of a system updates flash to corrupt its contents. AMD Secure Processor (PSP) checks do not detect the corruption. Method: Attacker requires Administrative access. | Attacker can circumvent platform security controls. These changes are persistent following a system reboot. | Firmware patch release through BIOS update. No performance impact is expected. AMD is working on PSP firmware updates that we plan to release in the coming weeks. |
| RYZENFALL and FALLOUT (AMD Secure Processor firmware) | Issue: Attacker who already has compromised the security of a system writes to AMD Secure Processor registers to exploit vulnerabilities in the interface between x86 and AMD Secure Processor (PSP). Method: Attacker requires Administrative access. | Attacker can circumvent platform security controls but is not persistent across reboots. Attacker may install difficult to detect malware in SMM (x86). | Firmware patch release through BIOS update. No performance impact is expected. AMD is working on PSP firmware updates that we plan to release in the coming weeks. |
| “Promontory” | | | |
| CHIMERA “Promontory” chipset used in many socket AM4 desktop and socket TR4 high-end desktop (HEDT) platforms. AMD EPYC server platforms, EPYC and Ryzen Embedded platforms, and AMD Ryzen Mobile FP5 platforms do not use the “Promontory” chipset. | Issue: Attacker who already has compromised the security of a system installs a malicious driver that exposes certain Promontory functions. Method: Attacker requires Administrative access. | Attacker accesses physical memory through the chipset. Attacker installs difficult to detect malware in the chipset but is not persistent across reboots. | Mitigating patches released through BIOS update. No performance impact is expected. AMD is working with the third-party provider that designed and manufactured the “Promontory” chipset on appropriate mitigations. |
Comments
_LC_ - 6 years ago
That's what you make of AMD's response - seriously?
MadmanRB - 6 years ago
AMD's fast response is a good thing however, and when patches come all the better.
_LC_ - 6 years ago
I'm aware that Intel pays for trips to events. Intel also gives away free samples.
Nonetheless, real journalists still exist. They have dignity. They cannot be bought that easily.
As a reader, I owe them respect. This means that I will now delete "bleepingcomputer.com" from my bookmarks. Furthermore, I will try to remember the name "Catalin Cimpanu", for whenever it comes up I will ditch his excretions and inform others about his easily corruptible nature.
That's it for me on this place. Goodbye!
campuscodi - 6 years ago
What in the hell are you talking about? What does Intel have to do with anything?