Security researchers have discovered a flaw in the AMD PSP (Platform Security Processor), which could enable hackers to execute code in a security module that stores data such as passwords, certificates, and encryption keys.
AMD PSP is similar to Intel's Management Engine (ME). The bug was found by Cfir Cohen, a security researcher from Google's cloud security team. The vulnerability exists in the fTPM of AMD's Platform Security Processor (PSP), which sits on its 64-bit x86 processors.
fTPM is a firmware TPM implementation. It runs as a trustlet application inside the PSP. fTPM exposes a TPM 2.0 interface over MMIO to the host. This stores data such as passwords, certificates, and encryption keys, in a secure environment away from more accessible AMD cores.
Cohen said that through manual static analysis, he found a stack-based overflow in the function EkCheckCurrentCert. This function is called from TPM2_CreatePrimary with user-controlled data: a DER-encoded endorsement key (EK) certificate stored in the NV.
“A TLV (type-length-value) structure is parsed and copied on to the parent stack frame. Unfortunately, there are missing bounds checks, and a specially crafted certificate can lead to a stack overflow,” said Cohen in a posting to Seclists.
He added that some general exploit mitigation technologies (such as stack cookies, NX stack, ASLR) are not implemented in the PSP environment. This would make exploitation of the flaw relatively easy to perform if an attacker has administrator or root access.
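The missing bounds check Cohen describes, shown here as an added example that is not AMD's, Cohen's or the fTPM's code: a minimal DER/TLV value copy into a fixed-size caller buffer that rejects any length the input or the destination cannot hold. The buffer size, function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum tlv_status { TLV_OK = 0, TLV_TRUNCATED = -1, TLV_BAD_LENGTH = -2, TLV_TOO_LARGE = -3 };

/* Decode the DER length after the tag byte in[0]: short form (one byte < 0x80) or
 * long form (0x81/0x82 plus 1 or 2 length bytes). Writes value length and header size. */
static enum tlv_status der_length(const uint8_t *in, size_t in_len,
                                  size_t *len, size_t *hdr) {
    if (in_len < 2) return TLV_TRUNCATED;
    uint8_t b = in[1];
    if (b < 0x80) { *len = b; *hdr = 2; return TLV_OK; }
    size_t n = b & 0x7f;
    if (n == 0 || n > 2) return TLV_BAD_LENGTH;      /* indefinite or oversized length */
    if (in_len < 2 + n) return TLV_TRUNCATED;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | in[2 + i];
    if (v < (n == 1 ? 0x80u : 0x100u)) return TLV_BAD_LENGTH; /* DER requires minimal form */
    *len = v; *hdr = 2 + n; return TLV_OK;
}

/* Copy the TLV value into the caller's fixed-size buffer. Returns the value length or a
 * negative tlv_status. The out_cap check is the bound whose absence lets a crafted
 * length overrun the parent stack frame. */
int tlv_copy_value(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    size_t len, hdr;
    enum tlv_status st = der_length(in, in_len, &len, &hdr);
    if (st != TLV_OK) return (int)st;
    if (len > in_len - hdr) return TLV_TRUNCATED;   /* value runs past the input */
    if (len > out_cap) return TLV_TOO_LARGE;        /* value would overflow out[] */
    memcpy(out, in + hdr, len);
    return (int)len;
}

/* Run one constructed sample (synthetic bytes, not a real EK certificate) against a
 * 16-byte stack buffer and return the parser's verdict. */
int sample_result(int which) {
    uint8_t out[16], big[4 + 0x100];
    const uint8_t ok[]     = { 0x04, 0x03, 'a', 'b', 'c' };        /* OCTET STRING "abc" */
    const uint8_t trunc[]  = { 0x04, 0x05, 'a', 'b' };             /* claims 5, carries 2 */
    const uint8_t nonmin[] = { 0x04, 0x81, 0x03, 'a', 'b', 'c' };  /* long form for len 3 */
    memset(big, 'A', sizeof big);                                  /* length 0x100 in 2 bytes */
    big[0] = 0x04; big[1] = 0x82; big[2] = 0x01; big[3] = 0x00;
    switch (which) {
    case 0:  return tlv_copy_value(ok, sizeof ok, out, sizeof out);
    case 1:  return tlv_copy_value(trunc, sizeof trunc, out, sizeof out);
    case 2:  return tlv_copy_value(big, sizeof big, out, sizeof out);
    default: return tlv_copy_value(nonmin, sizeof nonmin, out, sizeof out);
    }
}
```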
Cohen reported the vulnerability to AMD in September, with AMD readying a patch in December. Cohen said that AMD was working to roll out the patch to affected vendors. According to Reddit, an update for some AMD chips has been made available that partially disables the PSP.
Last November, Intel rushed out updates for similar vulnerabilities affecting its Management Engine that enabled hackers to install rootkits and steal data from its processors.
Patrick McNeil, principal solutions architect at CA Veracode, told SC Media UK that exploitation of the AMD PSP flaw requires the attacker to gain physical access to the machine or to gain remote access to the system and escalate to a privileged account (administrator level).
“This would typically be achieved by leveraging some other kind of known vulnerability that would give them some initial access. So, mitigation of this is no different to many of the other vulnerabilities out there and relies on an in-depth defence strategy,” he said.
“If an unauthorised user can enable and compromise the TPM they can enable the remote management capabilities, gaining a persistent foothold in your network that cannot be detected by the host operating system. In addition, control of the TPM might enable the attacker to derive private keys used for encryption or digital message signatures such as on email.”
“With all of this said, my opinion is that a typical consumer is not likely to be a target for this particular flaw. The level of effort expended to the initial foothold, to exploit the TPM, and then operationalise it will likely be reserved for enterprise and government targets,” added McNeil.