Israel-based CTS-Labs states that more than 13 major flaws exist in AMD’s Ryzen, Ryzen Pro, Ryzen Mobile, and EPYC processors, affecting millions of devices. These flaws are similar to the recent Intel Spectre and Meltdown vulnerabilities and allow a threat actor to install malware inside the chip to access sensitive data and compromise the entire system.
The vulnerabilities are inside AMD’s chipset architecture, in an area where passwords and encryption keys are stored. A hacker could use an unpatched vulnerability to defeat AMD’s Secure Encrypted Virtualization (SEV) technology and bypass Microsoft Windows Credential Guard. The Masterkey, Ryzenfall and Fallout vulnerabilities can bypass Windows Credential Guard. In addition, CTS-Labs states that a hacker could use the vulnerabilities to:
- Steal credentials on a high-security enterprise network
- Evade detection from virtually any endpoint protection solution
- Cause damage to hardware with full control of a system
Here’s a quick breakdown of each of the vulnerabilities affecting AMD processors:
- Threat actor can install malware on the computer’s BIOS, then install malware on the processor
- Threat actors can control what programs are allowed to run during startup
- Threat actor can disable security features on the processor
- Threat actor can use the vulnerability to deploy ransomware
- Threat actor can inject malicious code and completely take over AMD Secure Processor
- Threat actor can obtain access to AMD Secure Processor to read and write on protected memory areas – SMRAM and Windows Credential Guard
- Threat actor can use this vulnerability to steal credentials and compromise other systems
- Threat actor could conduct espionage on a system by installing malware on the processor
- Threat actor can obtain access to protected sensitive data and credentials
- Threat actor can break segregated virtual machines created from the computer’s memory
- Threat actor can install a keylogger to see everything that is typed on a machine
- Threat actor can install malware onto the processor directly
RYZENFALL, FALLOUT, and CHIMERA do not require physical access to exploit. MASTERKEY requires BIOS re-flashing, but that is often possible by just having local admin on the machine and running an EXE. CTS-Labs confirmed this works on motherboards made by Tyan, ASUS, ASRock, Gigabyte, Biostar, and others.
A wide array of devices running this AMD architecture will be affected, including laptops, workstations, and servers. The following AMD product lines are affected by the vulnerabilities:
What Should You Do?
CTS-Labs provided AMD with the details related to the vulnerability discovery. AMD is actively working on patches at this time and should have a fix over the next few months. To exploit the vulnerabilities, an attacker would need admin privileges on the local machine. Make sure to disable any endpoints, workstations, or servers that have admin privileges enabled.
AMD has been provided full details and is now working on patches, and security vendors have also been given full details and are now developing mitigations.