This article is more than 1 year old
OK, deep breath, relax... Let's have a sober look at these 'ere annoying AMD chip security flaws
Holes useful for malware on completely pwned PCs, servers
If you're already that pwned...
Jake Williams, founder and president of Rendition Infosec, commented on the above quoted disclaimer via Twitter, saying, "I'm pretty well convinced that this is designed to manipulate stock prices. That doesn't make the vulnerabilities fake or any less dangerous (though you need admin access to exploit most)."
Arrigo Triulzi, a security consultant based in Switzerland, described the paper as "over-hyped beyond belief" and added, "This is a whitepaper worthy of an ICO [cryptocurrency initial coin offering]. And yes, that is meant to be an insult."
Google security researcher Tavis Ormandy, responding to Triulzi wrote, "Nothing in this paper matters until the attacker has already won so hard it's game over. Not something I'm too interested in, but maybe DFIR [Digital Forensics and Incident Response] people are?"
Ormandy is referring to the fact that exploiting these supposed flaws require local administrative access, making them significantly less dangerous than vulnerabilities that can be exploited by a remote, unprivileged user.
Linux kernel contributor and expert Matthew Garrett also broke down the four bug classes thus:
The argument is that if you can replace the firmware then of course you win, except the whole point of having the CPU validate the firmware is that replacing the firmware means the machine doesn't boot. It's not a real threat for most people, but it still matters.
— Matthew Garrett (@mjg59) March 13, 2018
RYZENFALL: OS-level admin can gain access to the Secure Processor. This means root can extract any secrets stored in the fTPM. Use Bitlocker? Attacker can boot their own OS image, break into the fTPM, extract the key, decrypt your drive.
— Matthew Garrett (@mjg59) March 13, 2018
FALLOUT: Different attack path to Ryzenfall, looks like it gives the same kind of outcomes - any protections mediated by the Secure Processor are broken
— Matthew Garrett (@mjg59) March 13, 2018
CHIMERA: Someone with root can potentially turn your motherboard chipset into a hardware keylogger that sends anything that looks like a password over the network and you can never fix it look this is kind of a big deal
— Matthew Garrett (@mjg59) March 13, 2018
But there are many other people who don't want to make that assumption - root shouldn't be able to replace your system firmware with malware, root shouldn't be able to extract secrets from your credential VM, root shouldn't be able to trojan your chipset
— Matthew Garrett (@mjg59) March 13, 2018
In an email to The Register, Yuriy Bulygin, CEO and cofounder of firmware security firm Eclypsium, said that while the white paper offered little in the way of technical details, it nonetheless describes what look to be an important set of vulnerabilities affecting the Platform Security Processor, a critical security component on AMD systems.
"Assuming these vulnerabilities are confirmed, they would seem to lead to a bypass of fundamental platform protections like hardware based secure boot, Windows 10 Virtualization Based Security (with Credential and Device Guard), firmware based Trusted Platform Module, secure encrypted virtualization," said Bulygin.
"This would also allow malicious code to persist in PSP’s firmware and other firmware like UEFI and runtime SMM. If we navigate beyond marketing language and disclosure discussions, this is important research into the platform security of AMD-based systems. The next step is to evaluate technical details when they are released to confirm the issues."
Impact
Jake Williams told The Register that the lack of details in the report made gauging the impact of the vulnerabilities difficult, but the flaws could be a major issue - depending on who you think is likely to go after your networks.
"If nation state attackers top your threat model, then yeah this is bad. The vulnerabilities will allow attackers to bypass Trusted Boot (allowing them to bypass device driver signing and other rootkit mitigations) and Credential Guard (allowing them to bypass Windows 10 credential hardening mitigations)," he explained.
"The most concerning are the two chipset vulnerabilities. These have the potential to more widely exploited. The hardware vulnerability that involves direct memory access (DMA) is particularly concerning since it will be difficult to impossible to patch through software."
AMD stock closed up about one per cent on Tuesday. If the plan was to short the stock, well, that backfired somewhat.
El Reg asked the US Department of Homeland Security whether it was aware of the CTS-Labs report, and whether it had any comment on the findings. A spokesperson in an email said: “DHS is aware of the report” but has nothing further to add at this time.
The Register also asked an Intel spokesperson whether the company had any financial or logistical ties to CTS-Labs. We have yet to hear back. ®
Updated to add
AMD's chief technology officer Mark Papermaster has confirmed the chip designer will address the security shortcomings in upcoming firmware updates.
Bootnote
Linux kernel chief Linus Torvalds is not amused. "It looks like the IT security world has hit a new low," he stormed.
"At what point will security people admit they have an attention-whoring problem?"