Israel-based security research firm CTS-Labs has published their discovery of alleged multiple critical flaws in AMD’s Zen CPU microarchitecture which they claim are as serious as the recent public disclosure of the Meltdown and Spectre vulnerabilities that affected CPUs from Intel, ARM and AMD. CTS-Labs cites 13 vulnerabilities which they file under four groups based on which function they exploit. The exploit classes are dubbed Ryzenfall, Masterkey, Fallout and Chimera. CTS-Labs states that “… some of these vulnerabilities amounts to complete disregard of fundamental security principles. This raises concerning questions regarding security practices, auditing, and quality controls at AMD.”
The researchers claim that they “believe that networks that contain AMD computers are at a considerable risk,” with the malware capable of surviving reboots and re-installations all the while being virtually undetectable by endpoint security solutions like antivirus software.
The exploit classes are detailed as follows:
Ryzenfall – a class of vulnerabilities that target the Secure Processor. This class allows malware to place code in the Secure Processor of a system and execute it during system up-time. This attack requires admin privileges on the target but can be performed in real-time on the system without modifying firmware. The Secure Processor uses system memory alongside on-die memory. While normally this part of memory is inaccessible to the CPU, certain bugs can be exploited to bypass this protection, allowing code to be run on the Secure Processor with full access to the system. Microsoft Virtualization-based Security can be bypassed and more malware can be dumped into system management storage where it will not be detected by traditional antivirus software. Windows Defender Credential Guard, a password-authentication and storage component, can also be bypassed, allowing the malware to spread to other systems in the network. The firmware can also be modified to exploit Masterkey.
Masterkey – An exploit targeting the Secure Boot feature, which checks the machine for any tampering that may have occurred during power-down states, e.g. firmware changes or changes to hardware or software state before shutdown. Masterkey bypasses this via a compromised system BIOS that can be flashed from within Windows with admin privileges. The user does not have to be manually involved in flashing the BIOS for the infection to occur; malware that targets this vulnerability can flash the system on the fly. Once infected, Secure Boot is rendered useless, with the malware allowing any ARM Cortex A5 code to be executed in the Secure Processor.
Fallout – These vulnerabilities are restricted to AMD’s EPYC server CPUs only. They require admin privileges and have similar effects to the previous vulnerabilities. Fallout allows an attacker to gain access to memory regions which are not normally accessible even with administrative privileges. It is similar to Ryzenfall but uses a different attack vector.
Chimera – A chipset exploit which utilizes a backdoor implemented in the chipset, reached by exploiting the motherboard. With the right passcode, an attacker can gain access to the chipset, including running arbitrary code. This grants direct-memory access to system memory, which can be used to inject malware into the operating system. Peripherals and many other connected devices can then be targeted, including keyloggers. Since a second backdoor was found that is in the physical chip design, this cannot be patched via software updates, and the researchers have hinted at possible recalls of affected products.
The researchers have published AMDFlaws.com to detail their findings and plan to publish white papers in the future.
Responding to TechPowerUp, AMD reps gave the following statement:
“We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.”