Various vulnerabilities have been disclosed in AMD's Zen-architecture processors, Ryzen and EPYC. Ryzen processors are aimed at workstations, laptops and mobile devices; EPYC is geared towards servers.
The vulnerabilities were reported by CTS-Labs, who claim that attackers can exploit them to:
- Inject malicious code into the chip itself.
- Bypass security measures such as:
  - Secure Encrypted Virtualization (SEV)
  - Firmware Trusted Platform Module (fTPM)
  - User mode / kernel mode isolation
  - System Management RAM (SMRAM) and Windows Credential Guard
- Steal network credentials.
- Execute arbitrary code.
- Cause physical damage by targeting the SPI flash.
- Gain access to firmware and hardware backdoors.
The table below lists the CVE(s) assigned to track these vulnerabilities.

| CVE | Description |
|---|---|
| CVE-2018-8936 | The AMD EPYC Server, Ryzen, Ryzen Pro, and Ryzen Mobile processor chips allow Platform Security Processor (PSP) privilege escalation. |
| CVE-2018-8935 | The Promontory chipset, as used in AMD Ryzen and Ryzen Pro platforms, has a backdoor in the ASIC, aka CHIMERA-HW. |
| CVE-2018-8934 | The Promontory chipset, as used in AMD Ryzen and Ryzen Pro platforms, has a backdoor in firmware, aka CHIMERA-FW. |
| CVE-2018-8932 | The AMD Ryzen and Ryzen Pro processor chips have insufficient access control for the Secure Processor, aka RYZENFALL-2, RYZENFALL-3, and RYZENFALL-4. |
| CVE-2018-8931 | The AMD Ryzen, Ryzen Pro, and Ryzen Mobile processor chips have insufficient access control for the Secure Processor, aka RYZENFALL-1. |
| CVE-2018-8930 | The AMD EPYC Server, Ryzen, Ryzen Pro, and Ryzen Mobile processor chips have insufficient enforcement of Hardware Validated Boot, aka MASTERKEY-1, MASTERKEY-2, and MASTERKEY-3. |
| CVE-2018-8933 | The AMD EPYC Server processor chips have insufficient access control for protected memory regions, aka FALLOUT-1, FALLOUT-2, and FALLOUT-3. |
Background
Hardware Validated Boot: AMD's implementation of hardware-rooted boot integrity. It is dedicated hardware that runs in an isolated environment (ARM TrustZone) and has its own on-chip ROM, among other components. The chip is a 32-bit ARM Cortex-A5 processor that provides an immutable hardware root of trust; AMD calls it the AMD Secure Processor (the Platform Security Processor, or PSP, named in the CVEs above). It is responsible for verifying the secure boot process, among other security features. The on-chip ROM holds the initial, immutable code, which verifies the secure boot key; that key is then used to validate the Secure Processor firmware, and the firmware in turn validates and initializes the BIOS before continuing with its own initialization. Each stage therefore verifies the next one before handing over execution, so if any link fails to enforce its check, everything after it is running unverified.
Vulnerabilities
The vulnerabilities fall into four families, each with variants based on the component they target.
MASTERKEY
When exploited, MASTERKEY lets an attacker bypass AMD's Hardware Validated Boot on Ryzen and EPYC and install malware inside the Secure Processor, from where it can disable security features such as the Firmware Trusted Platform Module (fTPM) and Secure Encrypted Virtualization (SEV). The table below lists the affected products.
| Vulnerability | Product | Impact |
|---|---|---|
| MASTERKEY-1 | EPYC Server, Ryzen, Ryzen Pro, Ryzen Mobile | Install persistent malware inside AMD Secure Processor; disable security features such as Firmware Trusted Platform Module or Secure Encrypted Virtualization |
| MASTERKEY-2 | EPYC Server, Ryzen, Ryzen Pro, Ryzen Mobile | Install persistent malware inside AMD Secure Processor; disable security features such as Firmware Trusted Platform Module or Secure Encrypted Virtualization |
| MASTERKEY-3 | EPYC Server, Ryzen, Ryzen Pro, Ryzen Mobile | Install persistent malware inside AMD Secure Processor; disable security features such as Firmware Trusted Platform Module or Secure Encrypted Virtualization |
Because the malware runs inside the processor that validates the BIOS, it executes beneath the host CPU's privilege levels and before the operating system has been initialized, so it is invisible to the OS. It also runs before UEFI, which means UEFI Secure Boot cannot be relied on to catch it.
The attacker needs to re-flash the BIOS with a version that carries a modified Secure Processor firmware update. The update is accepted because the BIOS update is not properly validated. The attack can be carried out remotely, from within a compromised operating system, on platforms that allow re-flashing from the OS. Where re-flashing is not available or not reachable, the attacker can first exploit RYZENFALL or FALLOUT, which give read/write access to the system flash.
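The following is an added example, not code from the page, from AMD or from CTS-Labs: a small Go model of the verify-before-execute chain described under Hardware Validated Boot (ROM checks the secure boot key against a hash it holds, the key validates the Secure Processor firmware, the firmware validates the BIOS) and of the "insufficient enforcement" failure mode behind MASTERKEY, where a verdict is computed but not acted upon. The key sizes, the Ed25519 signatures, the length-prefixed signed layout and the stage names are assumptions made for the model and are not AMD's actual formats or algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is one stage of the boot chain. NextKey is the public key this stage
// uses to verify the stage after it (nil for the last stage). The signature
// covers Name, Payload and NextKey, so the key cannot be swapped without
// re-signing the image. (Assumed layout, not AMD's real image format.)
type Image struct {
	Name      string
	Payload   []byte
	NextKey   ed25519.PublicKey
	Signature []byte
}

var (
	ErrKeyHash   = errors.New("secure boot key does not match the hash held in ROM")
	ErrSignature = errors.New("image signature is invalid")
)

// signedBytes serialises the signed fields, each length-prefixed so that
// field boundaries are unambiguous.
func signedBytes(img Image) []byte {
	var out []byte
	for _, field := range [][]byte{[]byte(img.Name), img.Payload, img.NextKey} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		out = append(out, n[:]...)
		out = append(out, field...)
	}
	return out
}

// NewSigner creates a key pair for whoever signs a stage (vendor or OEM).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces a signed image for one stage.
func Sign(name string, payload []byte, nextKey ed25519.PublicKey, priv ed25519.PrivateKey) Image {
	img := Image{Name: name, Payload: payload, NextKey: nextKey}
	img.Signature = ed25519.Sign(priv, signedBytes(img))
	return img
}

// RomKeyHash is what the immutable ROM stores instead of the key itself.
func RomKeyHash(pub ed25519.PublicKey) [32]byte { return sha256.Sum256(pub) }

// verifyImage is the verify-before-execute step each stage performs on the next.
func verifyImage(key ed25519.PublicKey, img Image) error {
	if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, signedBytes(img), img.Signature) {
		return fmt.Errorf("%s: %w", img.Name, ErrSignature)
	}
	return nil
}

// Boot walks the chain ROM -> secure boot key -> Secure Processor firmware -> BIOS.
// It returns the stages that were executed and the first verification failure.
// With enforce=false every verdict is still computed but never acted upon: that
// is the insufficient-enforcement case, and tampered or re-signed images run.
func Boot(romKeyHash [32]byte, bootKey ed25519.PublicKey, firmware, bios Image, enforce bool) (executed []string, firstErr error) {
	halt := func(err error) bool {
		if err == nil {
			return false
		}
		if firstErr == nil {
			firstErr = err
		}
		return enforce
	}
	var keyErr error
	if sha256.Sum256(bootKey) != romKeyHash { // ROM trusts only the key it was built with
		keyErr = ErrKeyHash
	}
	if halt(keyErr) {
		return
	}
	if halt(verifyImage(bootKey, firmware)) {
		return
	}
	executed = append(executed, firmware.Name)
	if halt(verifyImage(firmware.NextKey, bios)) {
		return
	}
	executed = append(executed, bios.Name)
	return
}

func main() {
	vendorPub, vendorPriv := NewSigner() // signs the Secure Processor firmware
	oemPub, oemPriv := NewSigner()       // signs the BIOS
	rom := RomKeyHash(vendorPub)
	fw := Sign("secure-processor-firmware", []byte("sp fw 1.0"), oemPub, vendorPriv)
	bios := Sign("bios", []byte("bios 1.0"), nil, oemPriv)
	implant := bios
	implant.Payload = []byte("bios 1.0 + implant") // re-flashed, signature no longer matches
	for _, enforce := range []bool{true, false} {
		ran, err := Boot(rom, vendorPub, fw, implant, enforce)
		fmt.Printf("enforce=%v executed=%v err=%v\n", enforce, ran, err)
	}
}
```

With enforcement on, the tampered BIOS stops the chain after the firmware stage; with it off, the same image is executed and the only trace is an error value nobody reads. Bringing a whole attacker-signed chain fails at the ROM key check, and swapping the OEM key inside the firmware image invalidates the vendor signature over it, which is why the key must be covered by the signature rather than stored next to it.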
RYZENFALL
As the name suggests, this set of vulnerabilities is specific to the Ryzen series of processors. They are design and implementation weaknesses in AMD Secure OS.
| Vulnerability | Product | Impact |
|---|---|---|
| RYZENFALL-1 | Ryzen, Ryzen Pro, Ryzen Mobile | VTL-1 memory write |
| RYZENFALL-2 | Ryzen, Ryzen Pro | Disable SMM protection |
| RYZENFALL-3 | Ryzen, Ryzen Pro | VTL-1 memory read; SMM memory read (requires RYZENFALL-2) |
| RYZENFALL-4 | Ryzen, Ryzen Pro | Arbitrary code execution on Secure Processor |
AMD Secure OS is found only in AMD's Ryzen series. It is chip firmware that runs inside the AMD Secure Processor and reserves a portion of system memory for its own use; this memory, called fenced DRAM, is not accessible even from the main processor. The isolation is based on ARM TrustZone technology.
RYZENFALL allows code execution inside the Secure Processor and lets an attacker bypass system isolation features to access guarded memory regions such as:
– Windows Isolated User Mode and Isolated Kernel Mode (VTL1)
– System Management RAM (SMRAM)
– AMD Secure Processor fenced DRAM
To exploit RYZENFALL the attacker must be able to run a program on the host OS with elevated (administrator) privileges. The program reaches the Secure Processor through vendor-provided drivers.
FALLOUT
These vulnerabilities are similar to RYZENFALL but target the boot loader of the EPYC Secure Processor. FALLOUT allows an attacker to bypass system isolation features and access guarded memory regions such as:
– Windows Isolated User Mode and Isolated Kernel Mode (VTL1)
– System Management RAM (SMRAM)
As with RYZENFALL, the attacker must be able to run a program on the host OS with elevated (administrator) privileges. The program targets the Secure Processor's boot loader through vendor-provided drivers. The table below lists the affected products.
| Vulnerability | Product | Impact |
|---|---|---|
| FALLOUT-1 | EPYC Server | VTL-1 memory write |
| FALLOUT-2 | EPYC Server | Disable SMM protection |
| FALLOUT-3 | EPYC Server | VTL-1 memory read; SMM memory read (requires FALLOUT-2) |
CHIMERA
These vulnerabilities expose firmware- and hardware-based backdoors that an attacker can use for code execution. The backdoors are in AMD's Promontory chipset, a core component of Ryzen and Ryzen Pro platforms that is connected to the USB, SATA and PCI-E ports as well as LAN, WiFi and Bluetooth. The researchers achieved code execution on the chipset and used its DMA capability to gain access to operating system memory. Upon successful exploitation an attacker could:
– Install a keylogger
– Mount man-in-the-middle attacks on LAN, WiFi and Bluetooth
– Gain access to protected memory regions such as System Management RAM (SMRAM)
To exploit CHIMERA the attacker must be able to run a program on the host OS with elevated (administrator) privileges. The program targets the chipset through vendor-provided drivers. The table below lists the affected products.
| Vulnerability | Product | Impact |
|---|---|---|
| CHIMERA-FW | Ryzen, Ryzen Pro | Chipset code execution |
| CHIMERA-HW | Ryzen, Ryzen Pro | Chipset code execution |
Mitigation
AMD has acknowledged these vulnerabilities; patches are under development and will be rolled out. Trail of Bits has independently confirmed that the vulnerabilities are legitimate and reproducible.
Most of the fixes are expected to be software-based, delivered as BIOS and PSP firmware updates. Unlike Spectre/Meltdown, no performance impact is expected. Qualys is actively working on adding QIDs to detect AMD Ryzen and EPYC processors.
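As an added example (not Qualys' QID logic and not code from the page), the following Go program shows the host-side check a practitioner can run while waiting for detection content: it parses Linux `/proc/cpuinfo` and flags processors by vendor and CPUID family rather than by marketing name, since every Ryzen, Ryzen Pro, Ryzen Mobile and EPYC part covered by these findings is AMD family 17h (printed as `cpu family : 23`). The sample cpuinfo text is constructed for the example; the field names and the family value are real, while the program falls back to the sample when `/proc/cpuinfo` is not present (e.g. on non-Linux hosts).

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// CPU holds the /proc/cpuinfo fields needed to recognise a Zen-based part.
type CPU struct {
	Vendor string
	Family int
	Model  int
	Name   string
}

// zenFamily is the CPUID family (17h) shared by Ryzen, Ryzen Pro, Ryzen Mobile
// and EPYC; /proc/cpuinfo prints it in decimal as "cpu family : 23".
const zenFamily = 0x17

// ParseCPUInfo splits /proc/cpuinfo text into one CPU per blank-line-separated block.
func ParseCPUInfo(text string) []CPU {
	var cpus []CPU
	var cur CPU
	inBlock := false
	flush := func() {
		if inBlock {
			cpus = append(cpus, cur)
			cur, inBlock = CPU{}, false
		}
	}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			flush()
			continue
		}
		kv := strings.SplitN(line, ":", 2) // "key<tabs>: value"
		if len(kv) != 2 {
			continue
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		inBlock = true
		switch key {
		case "vendor_id":
			cur.Vendor = val
		case "cpu family":
			cur.Family, _ = strconv.Atoi(val)
		case "model":
			cur.Model, _ = strconv.Atoi(val)
		case "model name":
			cur.Name = val
		}
	}
	flush()
	return cpus
}

// IsZen reports whether a CPU is an AMD family 17h part. Vendor and family are
// checked, not the model name, so oddly named or OEM-branded parts are still caught.
func IsZen(c CPU) bool {
	return c.Vendor == "AuthenticAMD" && c.Family == zenFamily
}

// AffectedModels returns the distinct model names of Zen CPUs in cpuinfo text,
// in first-seen order; an empty result means no in-scope processor was found.
func AffectedModels(text string) []string {
	seen := map[string]bool{}
	var out []string
	for _, c := range ParseCPUInfo(text) {
		if IsZen(c) && !seen[c.Name] {
			seen[c.Name] = true
			out = append(out, c.Name)
		}
	}
	return out
}

// SampleCPUInfo is constructed input: two Ryzen cores, an EPYC core and a
// pre-Zen AMD FX core (family 21), which must not be flagged.
const SampleCPUInfo = `processor  : 0
vendor_id  : AuthenticAMD
cpu family : 23
model      : 1
model name : AMD Ryzen 7 1700 Eight-Core Processor

processor  : 1
vendor_id  : AuthenticAMD
cpu family : 23
model      : 1
model name : AMD Ryzen 7 1700 Eight-Core Processor

processor  : 0
vendor_id  : AuthenticAMD
cpu family : 23
model      : 1
model name : AMD EPYC 7601 32-Core Processor

processor  : 0
vendor_id  : AuthenticAMD
cpu family : 21
model      : 2
model name : AMD FX(tm)-8350 Eight-Core Processor
`

func main() {
	text := SampleCPUInfo
	if data, err := os.ReadFile("/proc/cpuinfo"); err == nil {
		text = string(data) // live host: use the real file
	}
	for _, name := range AffectedModels(text) {
		fmt.Println("AMD family 17h (Zen) processor present:", name)
	}
}
```

Presence of a family 17h part marks a host as in scope; it does not say whether a fixed BIOS/PSP firmware has been applied, which has to come from the board vendor's update notes once the patches ship.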
Update: Added CVE(s)
Please continue to follow Qualys for more information on these vulnerabilities.
References
Severe Security Advisory on AMD Processors
Hardware Validated Boot
The View from Our Corner of The Street
“AMD Flaws” Technical Summary
Initial AMD Technical Assessment of CTS Labs Research