AMD Flaws Pose No Immediate Risk of Exploitation, Says Independent Reviewer

A third-party company that was paid to review the validity of the recent AMD flaws —RyzenFall, MasterKey, Fallout, and Chimera— has confirmed that these vulnerabilities are real, but that regular users shouldn't panic for the time being.

The author of this review is Trail of Bits, a New York-based cyber-security company that CTS Labs, the company that discovered the AMD flaws, contracted and paid to review its findings.

AMD flaws aren't easy to exploit

"There is no immediate risk of exploitation of these vulnerabilities for most users," said Dan Guido, the CEO of Trail of Bits.

"Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers," he added.

Guido published his assessment in a report yesterday, in the aftermath of CTS Labs' controversial and polarizing public disclosure —notifying AMD only a day before going public with its findings.

Some security researchers questioned that the AMD flaws were even real, most believing this was a marketing stunt in an attempt to short AMD's stock.

Vulnerabilities are the result of simple programming flaws

But Guido has now confirmed that the bugs are real, work as advertised, and they were able to replicate them during the auditing and verification process.

He says the vulnerabilities "are the result of simple programming flaws, unclear security boundaries, and insufficient security testing," and at the theoretical level are inferior to the Meltdown and Spect bugs that "required previously unknown techniques and novel research advances to discover and exploit."

A simple explanation of the AMD flaws

Guido also posted a much simpler explanation of the AMD flaws that any computer user can understand, which we'll reproduce here.

Three of the bugs —MasterKey, Fallout, RyzenFall— affect the AMD Platform Security Processor (PSP), a secure chip-on-chip processor, similar to the Intel Managment Engine (ME), that is separated from the rest of the AMD processor at the hardware level and usually deals with secure data such as passwords, encryption keys, etc..

The AMD PSP can only be upgraded via a BIOS update that is cryptographically signed by an AMD key. The MasterKey vulnerability allows an attacker to bypass the key-signing requirement and install tainted BIOS updates that run malicious code.

The RyzenFall and Fallout vulnerabilities allow attackers to interact with an API inside the AMD PSP that gives hackers full control over an entire PC.

The Chimera vulnerability affects the AMD chipset (motherboard component) that manages communication between the processor, memory, and peripherals, allowing attackers to execute code and relay false information to other components.

Flaws don't need physical access, but require admin rights

An attacker does not need to be in front of a victim's computer to exploit any of these flaws. An attacker can take advantage of all these flaws if he tricks a user into running an EXE file as admin.

In some corporate networks this might be an issue, as users don't have access to admin accounts. But if an attacker can trick a user into running a malicious file, he can also leverage one of the many Windows Elevation of Privilege (EoP) bugs available today to gain admin rights before exploiting one of the AMD vulnerabilities.

In addition, we've seen before that most Windows users often utilize admin accounts as their primary profile.

Nonetheless, it's because of this multi-stage complex exploitation routine that Guido doesn't see any of these flaws to be a danger, even if the proof-of-concept code was to become public in the following days or weeks. Chaining exploits isn't as easy as some people think, and only a nation-state actor with time and financial resources would be able to use such hacks on a regular basis.

CTS Labs publishes additional "clarifications"

These bugs are dangerous when exploited, though, as they allow attackers to maintain a presence on infected systems even after installs or BIOS updates.

"Just imagine a conversation between a CISO who has discovered that tools exploiting these vulnerabilities were used in his organization and the CTO/CEO. Since you can't reformat, clean-install and get rid of the malware, what do you recommend? Throw out *all* AMD equipment?," Yaron Luk-Zilberman, CTO of CTS Labs wrote in an email to Bleeping Computer, before publishing an additional three-page document explaining the exploitation requirement and impact of each of the flaws on the AMDflaws.com website.

AMD has not yet responded to a request for comment from Bleeping Computer, or to any other news organization. The only AMD statement on these bugs has been published online two days ago when the company said it was still investigating the CTS Labs report.

It is yet unclear if the patches for these vulnerabilities will require software updates or new hardware-level protections. Intel said it will roll out new CPUs with hardware-level protections in the second half of 2018 for the Meltdown and Spectre patches.

As a side note, Guido also said that he advised CTS Labs to coordinate the public disclosure of these bugs through a CERT organization, advice that CTS Labs appears to have ignored and gone public in the way it did, without giving AMD the time to prepare patches.