It looks like 2018 will be remembered for critical hardware vulnerabilities in modern CPUs. Following the disclosure of the Spectre and Meltdown problems tied to speculative execution, security researchers have now found a series of security holes in AMD chips that could let attackers reach protected data.
Particularly alarming is that the vulnerabilities concern the processor's dedicated protected area, the component where the device normally stores sensitive data such as passwords and encryption keys. This same unit is also responsible for verifying, when the computer starts, that no malicious code is running on the system.
A security company in Israel, CTS-Labs, has announced that its researchers have discovered as many as 13 critical vulnerabilities, which in theory allow attackers to access data stored on AMD Ryzen and EPYC processors, and install malware on them. Ryzen chips are used in desktop PCs and laptops, and EPYC processors are used in the server market.
Unlike Google Project Zero, which gave the industry a six-month head start to work on Meltdown and Spectre, the Israeli researchers did not wait. Before publishing their report, they gave AMD less than a day to study the vulnerabilities and respond. The usual practice is to give a vendor 90 days' notice so that it can fix the flaws properly.
“Security is a priority for AMD, and we are constantly working to provide it for our users as new risks arise. We are studying this report, which we have just received, in order to understand the methodology and substance of the researchers' findings,” an AMD representative commented.
AMD describes the protection technology as follows: “The Secure Processor (formerly the Platform Security Processor, PSP) is a dedicated processor with ARM TrustZone technology, together with a software-based Trusted Execution Environment (TEE) designed to host trusted third-party applications. The AMD Secure Processor is a hardware-based technology that provides secure boot from the BIOS level up to the TEE environment. Trusted third-party applications can use standard APIs to take advantage of the TEE security environment. The TEE protection functions do not apply to all applications.”
According to CTS-Labs co-founder and financial director Yaron Luk-Zilberman, the new vulnerabilities fall into four main categories. All of them essentially let attackers target the most secure segment of the processor, the one that is crucial for storing confidential information on the device. “Identifying malicious code stored in the Secure Processor is almost impossible. Malware can sit there for years without being detected,” Mr. Luk-Zilberman stressed. What are these categories?
When the device starts up, it normally goes through a “secure boot” process: the PC uses the processor to verify that nothing on the computer has been tampered with and that only trusted programs are executed. The Master Key vulnerability allows this startup check to be bypassed by installing malware in the computer's BIOS, the key part of the system that controls the startup process before the OS loads. Once the PC is infected, Master Key lets attackers install malicious software regardless of the CPU's hardware protections, that is, gain full control over what is executed during startup. Accordingly, the vulnerability also lets attackers disable the processor's security functions.
The second vulnerability, Ryzenfall, affects AMD Ryzen chips specifically and allows malicious programs to take complete control of the Secure Processor. As already noted, this means access to the most sensitive data, including encryption keys, passwords, credit card details and biometric information. Ordinarily, the researchers note, an attacker cannot reach these processor regions at all.
If intruders can bypass Windows Defender Credential Guard, they can use the stolen credentials to move to other computers on the network. Credential Guard is a feature of Windows 10 Enterprise that stores sensitive user data in a protected operating system partition that cannot normally be accessed. “Windows Credential Guard technology is, as a rule, very effective at protecting passwords on the machine and preventing them from spreading,” says Mr. Luk-Zilberman. “The attack greatly simplifies the task of spreading across the network.”
As with Ryzenfall, Fallout attacks also give attackers access to protected data areas, including Credential Guard. But this vulnerability affects only devices using AMD EPYC processors. In December, Microsoft announced a partnership with AMD for Azure cloud platforms using EPYC.
These chips are used in data centers and cloud servers, linking computers used in different industries around the world. If attackers exploited the vulnerabilities described in Fallout, they could steal all stored credentials and spread across the network. “These network credentials are stored in a separate virtual machine, to which conventional hacking tools cannot be applied,” said CTS-Labs executive director Ido Li On. “In the case of Fallout, this isolation between virtual machines is broken.”
Isolated virtual machines are regions of computer memory that are separated from the rest of the system. Researchers use them, for example, to test malware without risking infecting the rest of the computer. For maximum security, Credential Guard relies on virtualization-based mechanisms so that only privileged system software can access the protected data.
“We have obligations to our customers, under which we will certainly investigate the reported security problems and update vulnerable devices as soon as possible. Our standard policy is to deliver fixes through our regular update schedule on Tuesdays,” a Microsoft representative commented on the situation.
Chimera stems from two different vulnerabilities: one in the firmware and one in the hardware. As a result, the Ryzen chipset allows malicious programs to run on it. Since Wi-Fi, network and Bluetooth traffic all pass through the chipset, an attacker, according to the researchers, can use it to infect the device. In a proof-of-concept demonstration, the specialists managed to install a keylogger that revealed everything typed on the infected computer. The chipset firmware problems mean the attack can also install malware on the processor itself. “We found that the problem is largely caused by the simplest errors in the Ryzen firmware code,” said Uri Farkas, CTS-Labs vice-president for research and design.
What to do now?
It's hard to say how long it will take to fix these problems in AMD processors. CTS-Labs said it has not yet received a response from AMD. The researchers said the necessary fixes may take several months, and that hardware vulnerabilities cannot be fully eliminated.
Intel, ARM, AMD, Microsoft and many other companies are still releasing fixes to close the Meltdown and Spectre vulnerabilities, and some of those patches have caused problems of their own, including slowing devices down. The new vulnerabilities may mean a similar headache for AMD and for owners of devices based on its latest processors.
“If an intruder can get into the security processor, it means that most of the advertised data protection functions are void,” Mr. Li On emphasized. A description of the vulnerabilities and a list of affected or potentially affected AMD chips is available on a dedicated site.