OK, deep breath, relax... Let's have a sober look at these 'ere annoying AMD chip security flaws

Holes useful for malware on completely pwned PCs, servers


Analysis CTS-Labs, a security startup founded last year in Israel, sent everyone scrambling and headlines flying today – by claiming it has identified "multiple critical security vulnerabilities and manufacturer backdoors in AMD’s latest Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile processors."

Tuesday's glitzy advisory disclosed no technical details – but described 13 "critical" security vulnerabilities that span four bug classes in AMD's 64-bit x86 processor chipsets. CTS-Labs apparently gave AMD only one day of advance notice it was going public, an amount of time that precludes addressing the flaws prior to publication and deviates from security industry norms of responsible disclosure. Typically, organizations are given up to 30 to 90 days to fix their products.

The report describes the four classes of vulnerability, each of which has several variations. They all require local administrator access to exploit, which limits them as vulnerabilities useful for miscreants.

Essentially, the security holes can be exploited by malware already present in a computer to bury deep into its machinations to ensure it can't be easily detected and removed – not even by wiping hard drives and reinstalling everything from scratch. The malware can inject itself into motherboard firmware to stay out of sight, all while meddling with or siphoning off files and other personal information, and interfering with system hardware.

But it's important to note that a software nasty has to have superuser powers to abuse the programming cockups found by CTS-Labs. At which point, the malware already can spy on its victim, steal their data, hold their files to ransom, and so on.

The flaws do not open AMD-powered PCs and servers to remote hijacking over the internet, nor allow malicious apps to commandeer systems. Instead, they can be leveraged to ensure that once malware is present, it's more difficult to find and remove.

Also, no code exploiting the security shortcomings has been made public, nor is any circulating right now in malware. The holes are also not necessarily unfixable.

What are the bug classes?

RYZENFALL allows malicious code to take over the AMD Secure Processor in Ryzen, Ryzen Pro, and Ryzen Mobile chips. Exploitation requires being able to run a program locally with administrator privileges. CTS-Labs claims there's no mitigation, despite AMD's recently released BIOS update that is supposed to disable the Secure Processor, thus killing off the whole thing.

The Secure Processor – aka the Platform Security Processor or PSP – is a coprocessor that ships with modern AMD chips that ensures a valid, untampered operating system is booted, among other tasks.

The RYZENFALL vulnerability may be related to a security issue in AMD's Secure Processor reported by Google security researcher Cfir Cohen in January. RYZENFALL requires root-level access to attack. It can be used to commandeer the Secure Processor, boot backdoored operating systems, and extract, say, protected BitLocker crypto-keys from the firmware to decrypt drives in seized Windows 10 machines.

FALLOUT, a flaw in the boot loader component of Epyc's Secure Processor, allows attackers to read and write sensitive and protected memory areas, such as SMRAM and Windows Credential Guard isolated memory (VTL-1). As with RYZENFALL, local administrative access is necessary to exploit the issue.

CHIMERA is described as a pair of manufacturer backdoors, one in firmware and one in hardware (specifically in an ASIC), that allow code to be injected into AMD Ryzen chipsets. Again, you need root privileges to do this. This means the underlying motherboard firmware can be programmed to become a keylogger, send keypresses for passwords over the network, and so on.

The advisory claims the backdoors were introduced, accidentally or otherwise, by Taiwanese chip manufacturer ASMedia, owned by ASUSTeK, which used its own insecure integrated circuits in AMD's Promontory chip, found in AMD's Ryzen and Ryzen Pro lines.

MASTERKEY allows the installation of persistent malware inside the Secure Processor, running in kernel mode with administrative permissions. It requires the ability to re-flash the motherboard BIOS with a malicious software update. This typically requires admin-level or physical access to a box.

The key thing with, er, MASTERKEY is that the system accepts modified BIOS images – when really, it ought to reject them, regardless of who is flashing them.
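To make that acceptance rule concrete, here is an added example, not code from AMD, CTS-Labs or the article, of the check a firmware flasher should run before writing any update: the image layout (a "FWIM" magic, version, length, payload, trailing Ed25519 signature), the key pair and the payload are all constructed for illustration, and the `BuildImage` and `VerifyImage` functions are assumptions of this example rather than any real tool's API. The point it demonstrates is the one in the paragraph above: the decision rests on a vendor signature over the image, so a modified image is rejected no matter who submits it, and, going slightly beyond the text, a validly signed but older image is rejected too.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical firmware image layout, constructed for this example (it is not
// AMD's real BIOS format):
//   magic "FWIM" (4 bytes) | version uint32 LE | payload length uint32 LE |
//   payload | Ed25519 signature (64 bytes) over everything that precedes it
const (
	imageMagic = "FWIM"
	headerLen  = 12
)

var (
	ErrMalformed = errors.New("firmware image malformed")
	ErrBadSig    = errors.New("firmware image signature invalid")
	ErrRollback  = errors.New("firmware image older than installed version")
)

// BuildImage assembles an image and signs it with the vendor's private key.
// This is the vendor-side step; the flasher never holds the private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := new(bytes.Buffer)
	buf.WriteString(imageMagic)
	binary.Write(buf, binary.LittleEndian, version)
	binary.Write(buf, binary.LittleEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the check a flasher should run before touching SPI flash:
// parse conservatively, verify the vendor signature over header and payload,
// and refuse downgrades. The caller's privilege level plays no part, so an
// administrator (or malware running as one) gets the same answer as anyone else.
// On success it returns the image version and the verified payload.
func VerifyImage(pub ed25519.PublicKey, image []byte, installedVersion uint32) (uint32, []byte, error) {
	if len(image) < headerLen+ed25519.SignatureSize {
		return 0, nil, ErrMalformed
	}
	if string(image[:4]) != imageMagic {
		return 0, nil, ErrMalformed
	}
	version := binary.LittleEndian.Uint32(image[4:8])
	payloadLen := binary.LittleEndian.Uint32(image[8:12])
	// The length field must describe exactly the bytes present: no truncation,
	// no trailing bytes that the signature would not cover.
	if uint64(payloadLen) != uint64(len(image)-headerLen-ed25519.SignatureSize) {
		return 0, nil, ErrMalformed
	}
	signed := image[:headerLen+int(payloadLen)]
	sig := image[headerLen+int(payloadLen):]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	if version < installedVersion {
		return 0, nil, ErrRollback
	}
	return version, signed[headerLen:], nil
}

func main() {
	// Constructed vendor key pair; in a real flasher only the public key is embedded.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := BuildImage(priv, 3, []byte("constructed firmware payload"))
	if v, _, err := VerifyImage(pub, good, 2); err == nil {
		fmt.Println("accepted signed image, version", v)
	}
	// Flip one payload byte: the signature no longer matches and the image is rejected.
	tampered := append([]byte(nil), good...)
	tampered[headerLen] ^= 0x01
	_, _, err = VerifyImage(pub, tampered, 2)
	fmt.Println("tampered image:", err)
}
```

The length check runs before the signature check on purpose: a verifier that trusts the header's length field without reconciling it against the bytes actually supplied can be made to sign-check one region and flash another, so the two are pinned together before any cryptography happens.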

Epyc server chipsets are, we're told, affected by FALLOUT and MASTERKEY. Ryzen workstation has CHIMERA, MASTERKEY and RYZENFALL. Ryzen Pro has CHIMERA and RYZENFALL. Ryzen Mobile has RYZENFALL.

Questions of motivation

Some members of the online security community are characterizing the research as a hit piece designed to manipulate AMD's stock price, presumably to benefit those intending to short company stock.

Dan Guido, CEO of security firm Trail of Bits, meanwhile contends the findings are valid. He said he was contacted by CTS-Labs ahead of today's disclosures to check over the vulnerability discoveries to evaluate their impact, and said the blunders can be exploited. He was shown full technical details that have yet to be made public.

"Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public AFAIK), and their exploit code works," he said via Twitter.

In a video published in conjunction with the research, Ido Li On, CEO of CTS-Labs, claimed many of Taiwanese chipmaker ASMedia's products contain backdoors that could be used by hackers to inject malicious code. Fined by the FTC in 2016 for ignoring security flaws, ASMedia has helped build some AMD chipsets.

"When we looked at Ryzen computers, we saw that the very same backdoors that have existed on ASMedia chips for over six years are now on every Ryzen PC in the market," Li On said. "This was deeply concerning to us and it got us to look at AMD security as a whole."

Response

AMD in a statement issued a few hours ago said it was looking into the claims:

We have just received a report from a company called CTS-Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings.

In keeping with the practice cemented by the Spectre and Meltdown vulnerabilities in January, CTS-Labs is promoting the disclosure on a dedicated website, amdflaws.com – complete with logos, codenames, claims of public safety risks, and media briefings to create a big splash. No CVE ID numbers, though.

The website, and the white paper that accompanies it, include a lengthy disclaimer advising not to use the research as investment advice. "The report and all statements contained herein are opinions of CTS and are not statements of fact," the dot-com declared. "Organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents."

It also, curiously, acknowledges the possibility that those involved may have a financial interest in AMD stock:

Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

A separate website published under the name Viceroy Research meanwhile has cited CTS-Labs' work to claim, rather sensationally, "We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries." Viceroy's blog post and CTS' findings went live today within a couple of hours of each other.

Reached by phone, John Fraser Perring, founder of Viceroy Research, which describes itself as "a group of individuals that see the world differently," confirmed to The Register that his firm has a short position in AMD stock and that he intends to increase that position in light of support for CTS-Labs' findings.

He said that technical experts he corresponded with who have verified the findings, specifically Dan Guido, have left him convinced that these flaws pose a serious risk to AMD customers.

Perring said he received a copy of the report from an anonymous source and found the findings credible after consultation with internal and external technical experts.

Not everyone believes the flaws are quite so dire – certainly not enough to warrant a media blitz with claims of doom and death.

If you're already that pwned...

Jake Williams, founder and president of Rendition Infosec, commented on the above quoted disclaimer via Twitter, saying, "I'm pretty well convinced that this is designed to manipulate stock prices. That doesn't make the vulnerabilities fake or any less dangerous (though you need admin access to exploit most)."

Arrigo Triulzi, a security consultant based in Switzerland, described the paper as "over-hyped beyond belief" and added, "This is a whitepaper worthy of an ICO [cryptocurrency initial coin offering]. And yes, that is meant to be an insult."

Google security researcher Tavis Ormandy, responding to Triulzi wrote, "Nothing in this paper matters until the attacker has already won so hard it's game over. Not something I'm too interested in, but maybe DFIR [Digital Forensics and Incident Response] people are?"

Ormandy is referring to the fact that exploiting these supposed flaws requires local administrative access, making them significantly less dangerous than vulnerabilities that can be exploited by a remote, unprivileged user.

Linux kernel contributor and expert Matthew Garrett also broke down the four bug classes thus:

In an email to The Register, Yuriy Bulygin, CEO and cofounder of firmware security firm Eclypsium, said that while the white paper offered little in the way of technical details, it nonetheless describes what look to be an important set of vulnerabilities affecting the Platform Security Processor, a critical security component on AMD systems.

"Assuming these vulnerabilities are confirmed, they would seem to lead to a bypass of fundamental platform protections like hardware based secure boot, Windows 10 Virtualization Based Security (with Credential and Device Guard), firmware based Trusted Platform Module, secure encrypted virtualization," said Bulygin.

"This would also allow malicious code to persist in PSP’s firmware and other firmware like UEFI and runtime SMM. If we navigate beyond marketing language and disclosure discussions, this is important research into the platform security of AMD-based systems. The next step is to evaluate technical details when they are released to confirm the issues."

Impact

Jake Williams told The Register that the lack of details in the report made gauging the impact of the vulnerabilities difficult, but the flaws could be a major issue – depending on who you think is likely to go after your networks.

"If nation state attackers top your threat model, then yeah this is bad. The vulnerabilities will allow attackers to bypass Trusted Boot (allowing them to bypass device driver signing and other rootkit mitigations) and Credential Guard (allowing them to bypass Windows 10 credential hardening mitigations)," he explained.

"The most concerning are the two chipset vulnerabilities. These have the potential to be more widely exploited. The hardware vulnerability that involves direct memory access (DMA) is particularly concerning since it will be difficult to impossible to patch through software."

AMD stock closed up about one per cent on Tuesday. If the plan was to short the stock, well, that backfired somewhat.

El Reg asked the US Department of Homeland Security whether it was aware of the CTS-Labs report, and whether it had any comment on the findings. A spokesperson in an email said: “DHS is aware of the report” but has nothing further to add at this time.

The Register also asked an Intel spokesperson whether the company had any financial or logistical ties to CTS-Labs. We have yet to hear back. ®

Updated to add

AMD's chief technology officer Mark Papermaster has confirmed the chip designer will address the security shortcomings in upcoming firmware updates.

Bootnote

Linux kernel chief Linus Torvalds is not amused. "It looks like the IT security world has hit a new low," he stormed.

"At what point will security people admit they have an attention-whoring problem?"
