AMD CPU PSP holes lead to APT SNAFU, say CTS n00bs

AMD chips have some nasty security holes, say formerly unknown researchers. Bugs and back doors in several families of AMD processors could lead to uncleanable malware infections, and even destroyed hardware.

But the researchers’ disclosure methods are creating serious anger, with some infosec pundits accusing the researchers' company, Israel-based CTS-Labs, of overblowing the situation and manufacturing a short-selling operation on AMD stock.

In this week’s Security Blogwatch, we cut through the hyperbole and work out what’s really going on.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:  smokeongo 

Gartner Magic Quadrant for Application Security Testing 2018

Don't believe the hype?

What’s the craic? Alfred Ng subtends the obvious angle—AMD allegedly has its own Spectre-like security flaws:

Researchers say they've found 13 flaws in AMD's Ryzen and EPYC chips … critical security flaws … that could allow attackers to access sensitive data from highly guarded processors across millions of devices. … The alleged vulnerabilities lie in what's designed to be the secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys.

Putting the malware on the secure processor itself creates a higher potential for damage than a normal attack. … Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers.

The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing. … Standard vulnerability disclosure calls for at least 90 days. … It's unclear how long it would take to fix these issues. … The researchers said it could take "several months."

"At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise," an AMD spokesman said. "We are investigating this report, which we just received."

And Dan Goodin floats A raft of flaws in AMD chips:

Secure enclaves … are intended to be impenetrable fortresses that handle tasks too sensitive for the main CPUs. … AMD's version of that co-processor contains a raft of critical flaws [but] has direct access to a vulnerable computer's most sensitive secrets.

The chips also contain what the report called "backdoors" that hackers can exploit. … Attackers can exploit the vulnerabilities to achieve a variety of extraordinary feats that would be catastrophic:

Running persistent malware [that's] nearly impossible—to detect. Bypassing advanced protections such as AMD's Secure Encrypted Virtualization [and] Firmware Trusted Platform Module. … Physically destroying hardware by attackers in … "ransomware" scenarios.

One of the backdoors is built into the firmware, the report contended, while the other resides in the hardware. [It] went on to warn that the Chimera vulnerabilities resulting from the purported backdoors may be impossible to fix.

But you can't get pwned unless you already have root. So how is this news? CTS explains:

RYZENFALL, FALLOUT and CHIMERA do not require physical access to exploit, [but do need] local machine admin privileges. The vulnerabilities are most harmful in APT situations.

Persistence: Attackers could load malware into the AMD Secure Processor before the CPU starts. From this position they can prevent further BIOS updates and remain hidden. … Sitting inside the AMD Secure Processor or the AMD Chipset is, at the moment, outside the reach of virtually all security products. AMD chips could become a safe haven for attackers.

Network Credential Theft: Bypass Microsoft Credentials Guard and steal network credentials. We have a PoC version of mimikatz that works even while Credential Guard is enabled.

Specific AMD Secure Processor features for cloud providers, such as Secure Encrypted Virtualization, could be circumvented or disabled by these vulnerabilities.

So don’t panic? Thomas Claburn suggests we all take a deep breath:

The report describes the four classes of vulnerability, each of which has several variations. They all require local administrator access – or in one case, physical access – to exploit, which limits them as vulnerabilities useful for miscreants.

[But] the security holes can be exploited by malware … to ensure it can't be easily detected and removed – not even by wiping hard drives and reinstalling everything. … The flaws do not open AMD-powered PCs and servers to remote hijacking over the internet, nor allow malicious apps to commandeer systems.

RYZENFALL allows malicious code to take over the AMD Secure Processor. … CTS-Labs claims there's no mitigation.

FALLOUT, a flaw in the boot loader component of Epyc's Secure Processor, allows attackers to read and write sensitive and protected memory areas, such as SMRAM and … VTL-1.

CHIMERA is described as a pair of manufacturer backdoors, one in firmware and one in hardware. … The advisory claims the backdoors were introduced … by Taiwanese chip manufacturer ASMedia, owned by ASUSTeK.

MASTERKEY, allows the installation of persistent malware inside the Secure Processor, running in kernel-mode. … The system accepts modified BIOS images – when really, it ought to reject them.

Could you pass my atlas? sinij shrugged: [You’re fired—Ed.]

If AMD and Intel get into "flaw disclosure" wars, the only winner will be consumers. This is not a bad thing.

But Will Godfrey smells a Rodent:

This whole thing stinks. A security company nobody's ever heard of. Instant 'disclosure'. No truly independent confirmation. No context. This can't possibly be anything except an attempt to damage AMD.

As in a short-selling op? Tavis “@taviso” Ormandy ponders thuswise:

I think that short selling directed by vulnerability research could work, but … this one is going to fail. … They overshot the appropriate hype level by several orders of magnitude.

Short sellers need customers to respond without providing full details (or they would be fixed, and then the stock market wouldn't care). … This was clown town … hardly high-risk stuff anyway.

But Jake “@MalwareJake” Williams thinks different:

My personal $.02 is that it is probably a market manipulation scheme, but I don't doubt that the vulns are real. Reminds me of St Jude/MuddyWaters.

I know people running AMD servers who (smugly) breathed a sigh of relief when they found out Meltdown was only easily exploitable on Intel. This new round impacts them.

[But] if CTS is acting in bad faith, they'll be sued out of existence. … I don't think you can say "our report is an opinion and not a statement of fact" and have that be an affirmative defense if you're manipulating stock prices.

Vaikkakin, Linus Torvalds kirjoittaa tämän vihainen kommentti:

It looks like the IT security world has hit a new low.

I thought the whole industry was corrupt before, but it's getting ridiculous. … At what point will security people admit they have an attention-whoring problem?

So is there any third-party confirmation? Dan “@dguido” Guido was paid to independently evaluate the PoCs:

CTS Labs asked us to review their research last week, and sent us a full technical report with PoC exploit code for each set of bugs.

Regardless of the hype … the bugs are real, accurately described … we found their documentation far above average for typical security companies, the exploit code all worked exactly as described, and worked on the first try. … They are well understood programming flaws.

They found us through a mutual friend. I had never spoken to them before, and I have no ongoing relationship with them. They sought us out because they were concerned about the validity of their findings.

I discussed pros/cons of various [disclosure] options with them and recommended that they report the vulnerabilities to a CERT.

But Kevin “@gossithedog” Beaumont is not at all happy:

This is a highly unusual and reckless disclosure of security flaws.

All of the bugs require administrator (or root) access to exploit. … All of the bugs require the ability to execute code.

The website makes extreme claims about the vulnerabilities – the FAQ section is worse than Buffy fanfic. … Fancy videos were provided – with fake office backgrounds.

I would encourage security researchers not to disclose vulnerabilities like this. If you have vulnerabilities that you truly think are serious … work to get them resolved and work with the cyber security community around mitigations.

The only real public exploit here at the moment is a press exploit.

Meanwhile, Brad Sams takes a break from teasing Paul Thurrott:

Remember when AMD was smug about Intel's issues?

The moral of the story? Don’t believe the hype.

And finally …

How Formation Flying Works

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Fritzchens Fritz (cc0)

State of Security Operations 2018: Go Inside World SOCs
Topics: Security