Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices.
Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors — typically where your device stores sensitive data like passwords and encryption keys. It’s also where your processor makes sure nothing malicious is running when you start your computer.
CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD’s Ryzen and EPYC processors, as well as install malware on them. AMD’s Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers.
The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days notice, so companies have time to address flaws properly.
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings,” an AMD spokesman said.
The revelation of these vulnerabilities come after the emergence of Meltdown and Spectre, security flaws that affected Intel and Arm chips. They caused such a problem for PCs dating all the way back to the last two decades. The vulnerabilities were widespread considering that 77 percent of computer processors are Intel, while AMD takes up 22 percent.
When those two security flaws were announced in January, AMD said it was not affected because of the differences in its architecture. These new security vulnerabilities break down into four categories, according to CTS-Labs co-founder and Chief Financial Officer Yaron Luk-Zilberman.
All of the vulnerabilities essentially allow an attacker to target the secure processor, which is crucial to protecting the sensitive information on your device.
“You’re virtually undetectable when you’re sitting in the secure processor,” Luk-Zilberman said. “An attacker could sit there for years without ever being detected.”
Here’s a breakdown:
When a device starts up, it typically goes through a “Secure Boot.” It uses your processor to check that nothing on your computer has been tampered with, and only launches trusted programs.
The Master Key vulnerability gets around this start-up check by installing malware on the computer’s BIOS, part of the computer’s system that controls how it starts up. Once it’s infected, Master Key allows an attacker to install malware on the Secure Processor itself, meaning they would have complete control of what programs are allowed to run during the start-up process.
From there, the vulnerability also allows attackers to disable security features on the processor.
This vulnerability specifically affects AMD’s Ryzen chips, and would allow malware to completely take over the secure processor.
That would mean being able to access protected data, including encryption keys and passwords. These are regions on the processor that a normal attacker would not be able to access, according to the researchers.
If an attacker can bypass the Windows Defender Credential Guard, it would mean they could use the stolen data to spread across to other computers within that network. Credential Guard is a feature for Windows 10 Enterprise, which stores your sensitive data in a protected section of the operating system that normally can’t be accessed.
“The Windows Credentials Guard is very effective at protecting passwords on a machine and not allowing them to spread around,” Luk-Zilberman said. “The attack makes spreading through the network much easier.”
Like Ryzenfall, Fallout also allows attackers to access protected data sections, including Credential Guard. But this vulnerability only affects devices using AMD’s EPYC secure processor. In December, Microsoft announced a partnership with for its Azure Cloud servers using AMD’s EPYC processor.
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule,” a Microsoft spokesperson said.
These chips are used for data centers and cloud servers, connecting computers used by industries around the world. If an attacker used the vulnerabilities described in Fallout, they could use it to steal all the credentials stored and spread across the network.
“These network credentials are stored in a segregated virtual machine where it can’t be accessed by standard hacking tools,” said CTS-Labs CEO Ido Li On. “What happens with Fallout, is that this segregation between virtual machines are broken.”
Segregated virtual machines are portions of your computer’s memory split off from the rest of the device. Researchers use it to test out malware without infecting the rest of their computer. Think of it like a virtual computer inside your computer.
On Credential Guard, the sensitive data is stored there, and protected so that if your computer were infected by normal malware, it wouldn’t be able to access it.
Chimera comes from two different vulnerabilities, one in its firmware and one in its hardware.
The Ryzen chipset itself allow for malware to run on it. Because WiFi, network and Bluetooth traffic flows through the chipset, an attacker could use that to infect your device, the researchers said. In a proof-of-concept demonstration, the researchers said it was possible to install a keylogger through the chipset. Keyloggers would allow an attacker to see everything typed on an infected computer.
The chipset’s firmware issues means that an attack can install malware onto the processor itself.
“What we discovered is what we believe are very basic mistakes in the code,” Uri Farkas, CTS-Labs’s vice president of research and design said.
What should I do?
It’s unclear how long it will take to fix these issues with AMD’s processors. CTS-Labs said it hasn’t heard back from AMD. The researchers said it could take “several months to fix.” The vulnerabilities in the hardware can’t be fixed.
Intel and Microsoft are still managing its patches for Meltdown and Spectre, and the fixes have ended up causing more problems, such as bugs that slowed down your computer. These new vulnerabilities could mean similar headaches for AMD-powered devices.
“Once you’re able to break into the security processor, that means most of the security features offered are broken,” Li On said.
Post a comment