Researchers at CTS Labs are accusing computer chip manufacturer Advanced Micro Devices (AMD) of disregarding "fundamental security principles" and overlooking "poor security practices and insufficient quality controls," after reportedly finding serious vulnerabilities in the company's Zen line of processors.
However, some independent researchers and security professionals have reportedly criticised the Israel-based cyber-security firm for apparently only giving AMD 24 hours' advance notice of the vulnerabilities before going public with them. Reports have also noted that CTS issued a disclaimer that it "may have, either directly or indirectly, an economic interest in the performance" of AMD, which suggests at least the possibility that the company could stand to financially benefit from revealing news about AMD.
According to an advisory issued by CTS Labs, several of the flaws could allow attackers to permanently install malicious code into, or steal network credentials from, the AMD Secure Processor, which sits beside the main CPU inside the processing chip and is responsible for creating, monitoring and maintaining the security environment. "These vulnerabilities could expose AMD customers to industrial espionage that is virtually undetectable by most security solutions," warns the advisory.
EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile processors are reportedly affected by the vulnerabilities, many of which have no known mitigation measures at this time.
CTS further asserts that the Secure Processor is beset with security design errors and houses at least 10 critical vulnerabilities that can allow attackers to bypass key security features. The researchers have refrained from publicising any proof-of-concept exploits, and say that in addition to AMD they alerted other unnamed security companies that could help develop remediation techniques.
"CTS believes that networks that contain AMD computers are at a considerable risk. The vulnerabilities we have discovered allow bad actors who infiltrated the network to persist in it, surviving computer reboots and reinstallations of the operating system, while remaining virtually undetectable by most endpoint security solutions," the advisory continues. "This allows attackers to engage in persistent, virtually undetectable espionage, buried deep in the system and executed from AMD's Secure Processor and chipset."
These issues could potentially spell danger for millions of users who use systems that incorporate the technology, including major data centers, aerospace and defence systems, and even self-driving cars, CTS warns.
Reached for comment, AMD offered the following statement: "Security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings."
CTS has divided the vulnerabilities into four distinct groupings. The first, collectively dubbed Masterkey, reportedly consists of three vulnerabilities that can allow remote, unauthorised attackers to inject and execute code and create persistence on the AMD Secure Processor by bypassing the "Hardware Validated Boot" process conducted by EPYC and Ryzen processors. (Ryzen Pro and Ryzen Mobile may also be vulnerable, but were not tested against this exploit.)
Malicious actors would have kernel-level access in this scenario, granting the highest level of permissions. "From this position of power, a malware is able to bypass Secure Boot and inject malicious code into the BIOS or operating system, as well as to disable any firmware-based security features within the Secure Processor itself," the advisory explains.
The next category of vulnerabilities, Ryzenfall, consists of four "design and implementation flaws" inside the AMD Secure OS, which powers the AMD Secure Processor found in Ryzen, Ryzen Pro and Ryzen Mobile products.
Local attackers who gain elevated admin privileges can exploit these bugs to allow arbitrary code execution on the Secure Processor, as well as gain access to protected memory regions that normally would not be accessible to them. Consequently, attackers are able to steal network credentials, inject malware or disable protections against BIOS flashing (aka updating the motherboard).
CTS describes the next set of vulnerabilities, nicknamed Fallout, as a group of three design-flaw vulnerabilities inside the boot loader component of EPYC's Secure Processor. As with Ryzenfall, the Fallout flaws can be exploited by local attackers with elevated privileges to access protected memory regions. The adversaries have many tantalising choices: they can bypass Microsoft's Virtualisation-based Security feature to steal network credentials, inject malware where endpoint solutions cannot reach it, and disable protections against BIOS flashing.
The fourth set of vulnerabilities, Chimera, consists of a manufacturer's backdoor in both the firmware and hardware of the Ryzen and Ryzen Pro processors, which CTS asserts "could not have passed even the most rudimentary white-box security review."
CTS claims that AMD's outsourcing partner, Taiwanese chip manufacturer ASMedia, a subsidiary of ASUS, built these backdoors into the Ryzen chipset - a core system component on the motherboard. "The backdoors outlined in this section provide multiple pathways for malicious code execution inside the chipset's internal processor," the advisory states. "Because the chipset is a core system component, running malware inside the chip could have far reaching security implications."
Moreover, because one of the backdoors was allegedly manufactured into the chip itself, "a direct fix may not be possible and the solution may involve either a workaround or a recall," CTS continues.
SC Media has reached out to ASUS for comment.