Chip maker AMD has confirmed the validity of flaws that a security firm recently claimed to have found in its processors and plans to release firmware patches in the coming weeks.
A small security firm based in Israel called CTS Labs published a controversial report last week that described 13 vulnerabilities in AMD’s Ryzen and Epyc CPUs and its Promontory chipset. The report was widely criticized in the security community for lack of technical details and because the company notified AMD of its findings less than 24 hours before going public.
The unusual disclosure raised many ethical questions, as well as accusations of it potentially being a stock price manipulation attempt, but several third-party security experts were able to reproduce and confirm the vulnerabilities in days following the disclosure.
AMD, however, remained silent about the validity of CTS’ claims, saying only that it was reviewing the report. That changed March 20 when AMD’s CTO Mark Papermaster published the company’s technical assessment in a blog post.
“It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings,” Papermaster said. “Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues.”
Exploitation of the flaws allows attackers to disable security features such as Secure Encrypted Virtualization (SEV) and Firmware Trusted Platform Module (fTPM), to install malware in the low-level firmware that cannot be detected by security products or to read protected memory that should be inaccessible to the OS.
It’s true that attackers need full administrative access to systems to exploit the vulnerabilities and this does make potential attacks more difficult. However, experts who commented on Twitter over the past week pointed out that some of the security features that can be bypassed through these vulnerabilities were specifically designed to protect sensitive data and processes even in the case of a full OS compromise. This means the flaws are quite serious and relevant for certain threat models.
Papermaster said that the majority of the flaws will be mitigated through upcoming BIOS updates, with no performance impact expected. However, in the case of CHIMERA, a flaw in the Promontory chipset, the company will work with the third-party chipset manufacturer on future mitigations.
Promontory is used in many desktop motherboards with AM4 and TR4 sockets and was developed by a Taiwanese company called ASMedia. Researchers pointed out that the flaws in ASMedia chipsets have been known for years.
Papermaster also noted that AMD’s Zen CPU architecture, which is used in its main CPUs, is not affected. The issues are located either in the firmware of the ARM-based co-processor which is included with the main CPU and handles security-related functions, or in the chipset, which handles communications between the CPU and various peripherals.