cancel
Showing results for 
Search instead for 
Did you mean: 

Initial AMD Technical Assessment of CTS Labs Research

8 19 126K

On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.

The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.

The security issues identified can be grouped into three major categories. The table below describes the categories, the AMD assessment of impact, and planned actions.

Vulnerability Groups

Problem Description & Method of Exploitation

Potential Impact

Planned AMD Mitigation

MASTERKEY

and

PSP Privilege Escalation

(AMD Secure Processor or “PSP” firmware)

Issue: Attacker who already has compromised the security of a system updates flash to corrupt its contents. AMD Secure Processor (PSP) checks do not detect the corruption.

Method: Attacker requires Administrative access

Attacker can circumvent platform security controls. These changes are persistent following a system reboot.

Firmware patch release through BIOS update. No performance impact is expected.

AMD is working on PSP firmware updates that we plan to release in the coming weeks.

RYZENFALL and FALLOUT

(AMD Secure Processor firmware)

Issue: Attacker who already has compromised the security of a system writes to AMD Secure Processor registers to exploit vulnerabilities in the interface between x86 and AMD Secure Processor (PSP).

Method: Attacker requires Administrative access.

Attacker can circumvent platform security controls but is not persistent across reboots.

Attacker may install difficult to detect malware in SMM (x86).

Firmware patch release through BIOS update. No performance impact is expected.

AMD is working on PSP firmware updates that we plan to release in the coming weeks.

“Promontory”
Chipset

CHIMERA

“Promontory” chipset used in many socket AM4 desktop and socket TR4 high-end desktop (HEDT) platforms.

AMD EPYC server platforms, EPYC and Ryzen Embedded platforms, and AMD Ryzen Mobile FP5 platforms do not use the “Promontory” chipset.

Issue: Attacker who already has compromised the security of a system installs a malicious driver that exposes certain Promontory functions.

Method: Attacker requires Administrative access.

Attacker accesses physical memory through the chipset.

Attacker installs difficult to detect malware in the chipset but is not persistent across reboots.

Mitigating patches released through BIOS update. No performance impact is expected.

AMD is working with the third-party provider that designed and manufactured the “Promontory” chipset on appropriate mitigations.

AMD will provide additional updates on both our analysis of these issues and the related mitigation plans in the coming weeks.

Mark Papermaster,

​Senior Vice President and Chief Technology Officer

19 Comments
Adept II
Adept II

if AMD had as long as intel for vulnerabilities, there would have been zero media attention.

smh gj AMD

btw can.t wait for gen.2 to switch from i5 2500k

Miniboss
Miniboss

Yup, if the standard 90-day policy was used then there'd be nothing to report.

It also completely debunks their claim that the issue would have taken a very long time to fix (which was their "justification" for disclosing it so quickly).

Adept III
Adept III

Oh look, it was all blown out of proportion... go figure. Probably CTS-Labs first and last paper. No one will take their FUD garbage seriously anymore... not like most did in the first place.

Journeyman III
Journeyman III

What a joke, the stock gets hammered by some kids in a garage

Journeyman III
Journeyman III

'Kids'???   Kids who worked for Israel's NSA equivalence. Wondering if they're using any of Intel's many lawyers

Adept I
Adept I

Read their "disclaimer": https://amdflaws.com/disclaimer.html

"you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports"

Journeyman III
Journeyman III

Thanks for the information! Alright they gave you zero time to investigate, but is there any indication

at AMD so far that the PSP-related issues could also affect pre-Ryzen platforms? As i understand PSP

exists since Mullins more or less?

Journeyman III
Journeyman III

Yes, naïve hacker kids in a garden shed.

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

Journeyman III
Journeyman III

I guarantee we'll be hearing that Intel was behind the bogus one day leak.

Intel is scared because AMD is releasing newer Ryzen cpu's and X470 motherboards that are faster than the original Ryzen cpu's and X3** series motherboards.

Journeyman III
Journeyman III

After all look how fast AMD fixed it's Sceptre 2 bug. One update fixed it.

Intel took 4 updates to get it right.

I know that as one pc has a Intel cpu and the other has a AMD cpu.

Guess which one's getting replaced by April's newer Ryzen cpu's and a X470 motherboard ?

BuhBye-Bye Intel....

Journeyman III
Journeyman III

yes i think AMD is much smarter and 'the peoples' kinda company, they actually want to help their customers!

Adept I
Adept I

Thank you for your question. I work on the AMD PR team and wanted to share that we are addressing the products highlighted in the research and are also investigating older products. We will provide an update if any mitigation for older products is required. 

Journeyman III
Journeyman III

Thank you Sarah. Is there a small hope that in the long-term AMD-strategy team will even reconsider the

coreboot/libreboot folks position on this?      

Journeyman III
Journeyman III

How can we know that there aren't other security vulnerabilities? The answer is of course that we cant. With that in mind. Please AMD, make it possible to disable the security liability that is the PSP. Even if it means giving up features.

Journeyman III
Journeyman III

You really think those vulnerabilities are there by accident? The only accident is that we found out about it. The NSA will always keep a backdoor open for "national security". And no, I'm not paranoid or a conspiracy theorist, merely pragmatic. If I were them I'd do the same.

Journeyman III
Journeyman III

This is the greatest security vulnerability in AMD's entire history, its been 8 months and they haven't made so much as a peep since they released this data.

Adept II
Adept II

Where is this coming from?

AFAIR (and it mentions the patches in this very post) around 3 weeks after the CTS stuff appeared AMD announced fixes. The fixes appeared soon after and have been part of vendor UEFIs ever since.

Or do you have some information that the fixes don't work/have not been implemented?

Journeyman III
Journeyman III

you are a disgrace to humanity.

About the Author
Avid gamer!Lover of all AMD tech!