Question marks over ‘disclosure’ vulnerabilities in AMD Ryzen and Epyc platforms

A research firm claims to have found vulnerabilities in the Secure Processor of AMD’s Ryzen and Epyc platforms. The agency notified AMD just 24 hours before publication. Experts are skeptical about the turn of events.

According to Israeli security firm CTS, the AMD Secure Processor contains ten critical vulnerabilities, which can be used to write malicious code to the processor component. The errors affect Ryzen, Ryzen Mobile, Ryzen Pro and Epyc processors from AMD. In addition, AMD would use vulnerable ASMedia chips, which contain backdoors, for its Ryzen chipsets, according to the claim.

CTS has divided the vulnerabilities into four categories, named Masterkey, Ryzenfall, Fallout and Chimera. Masterkey is a collection of three vulnerabilities, which can bypass the Hardware Validated Boot of Epyc and Ryzen chips in three ways to run arbitrary code on the Secure Processor. This Secure Processor is an ARM Cortex A5 soc that is integrated into the processor and runs its own OS. The soc handles secure functions in the field of encryption, virtualization and the Trusted Platform Module and ensures a validated boot sequence.

In order to successfully deploy Masterkey, an attacker must be able to flash the BIOS, which in itself entails various attack scenarios. Preventing unauthorized bios updates from being implemented would therefore be sufficient protection, according to the company.

The four Ryzenfall vulnerabilities target AMD’s Secure OS running on the Secure Processor. The Epyc processors are not prone to it. Through these vulnerabilities, an attacker could not only run code on the secure processor, but also read shielded memory such as Windows Isolated User Mode and Isolated Kernel Mode, Secure Management RAM, and AMD Secure Processor Fenced DRAM. To do this, the attacker must be able to run software locally with administrator rights, which again opens the door to many security problems. In addition, the Secure Processor must be accessed via a signed driver, which is a significant obstacle to actual abuse.

The three Fallout vulnerabilities target Epyc and concern the boot component of the Secure Processor. Also, to abuse Fallout, administrator rights and access via a driver are required. CTS calls the backdoors of the ASMedia chip in the Ryzen and Epyc chipsets Chimera. One backdoor would be in the asic’s firmware and the other would be hardware. According to the research company, the ASMedia chip is based on the ASMedia ASM1142, whose security vulnerabilities have already been demonstrated. Again, however, administrator rights and access via a signed driver are required.

CTS is a relatively young company that seems to have paid a lot of attention to the marketing around the vulnerabilities. The company describes the vulnerabilities in a document and on the AMDFlaws site, but there are few details and according to security experts CTS greatly exaggerates the impact. According to CTS, details have been shared with AMD and other security companies. According to CNet, CTS notified AMD just 24 hours before publication. The agency therefore does not use the standard for responsible disclosure, which applies a period of at least 90 days for companies to be able to respond adequately to reports.

There is speculation on Reddit that it is an attempt to manipulate AMD’s stock price. The short seller Viceroy Research would also play a role in this. That company published relatively soon after CTS the claim that the ‘disclosures’ would be the death knell for AMD.