
In the wake of Meltdown and Spectre, AMD has come out relatively clean compared with Intel. While it remains exposed to Spectre (Variant 1 and Variant 2), it dodged Meltdown altogether. But a new security firm is claiming AMD has no fewer than 13 critical vulnerabilities in its Ryzen processors and chipsets, including vulnerabilities within the heart of the CPU itself.

In a recent disclosure, security firm CTS-Labs has accused AMD of failing to catch 13 high-profile and serious security flaws in four separate families: Masterkey, Ryzenfall, Chimera, and Fallout. A chart of the four is shown below:

[Chart: the four vulnerability families]

CTS-Labs has not disclosed enough information about these flaws to discuss them in great detail, but we'll cover the summaries. The first flaw, Masterkey, can only be triggered if the malware writer can flash a malicious UEFI onto the motherboard itself. Once flashed, this malicious UEFI can be used to execute arbitrary code on the integrated ARM Cortex-A5 processor inside every Ryzen CPU. This type of malicious code execution from within the CPU is a real threat (it's one of the problems with the Intel Management Engine), and it's not clear whether this one is practically all that easy to exploit. It is still a potentially dangerous exploit, since malware loaded into the CPU would remain active thereafter. Locking the UEFI against updates may prevent it (CTS-Labs isn't sure whether the attack can bypass that solution or not). Ryzen and Epyc are both affected; Ryzen Pro and Ryzen Mobile are theorized to be affected.

Next up is Ryzenfall, a set of security flaws inside the Ryzen Secure OS (that's the OS running on the Cortex-A5 CPU). This attack allows access to areas of memory that are supposed to be fenced off and protected. Epyc is not affected by any of these vulnerabilities, though Ryzen Mobile and Ryzen are. Ryzenfall requires elevated administrator privileges and a vendor-signed boot driver to exploit.

[Figure: Ryzenfall vulnerability]

Fallout is basically Ryzenfall, but for Epyc. It targets the off-chip boot loader as opposed to an on-chip hardware block, but it likewise targets protected memory and the system management mode that's not meant to be user-accessible.

Finally, there's Chimera, which refers to a pair of backdoors supposedly hidden in the Ryzen chipset. The white paper claims "one is implemented within the firmware running on the chip, while the other is inside the chip's ASIC hardware. Because the latter has been manufactured into the chip, a direct fix may not be possible and the solution may involve either a workaround or a recall." Again, chipset-level backdoors are a serious accusation, though we don't know details yet or whether the flaws can be ameliorated.

AMD's chipsets are designed by ASMedia, and previous ASMedia chips have been criticized for their security implementations. The security flaws in Chimera allege that code can be run directly on the chipset and then used to manipulate the OS running on the main CPU, at least as a proof of concept. The security firm theorizes this could be used to create a keylogger or to spy on network accesses. It may also be possible to again access protected memory (this is the only area where CTS-Labs performed any verification).

If true, these security flaws collectively represent some significant problems that weren't previously known, and AMD is going to have to do some significant work to fix them. It's not clear yet how difficult that will be or what form it will take. It's also not clear how accurately the attacks have been conveyed; there are a number of reasons to suspect CTS-Labs of acting in profound bad faith, as far as disclosure is concerned, whether its findings are accurate or not.