Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

AMD Processor Flaws Real, But Limited

A vulnerability report threatened falling skies over AMD processor vulnerabilities that are real but limited in impact.

Spectre and Meltdown qualify as two of the biggest vulnerabilities in recent years because they are flaws in the basic architecture of the most common CPU used in computing devices. Initially, customers who chose AMD processors for their servers and PCs felt vindicated in their decision, but a set of announcements have led some to question the good feelings - and others to question the questions.

There's no question that the patches applied to software in order to mitigate the Intel vulnerabilities will also have an impact on software running on AMD-centered machines. The questions arise over a set of four announced vulnerabilities unique to AMD's Ryzen and EPYC processors.

Spectre and Meltdown

Spectre and Meltdown are popular terms for a class of issues known as speculative execution side-channel vulnerabilities. Discovered by Italian academic security researchers, they take advantage of a performance-boosting feature in CPU instruction execution to see the contents of processor memory - memory that could contain unencrypted details of information like login credentials.

While AMD processors don't contain the specific vulnerabilities found in Intel processors, AMD admitted that their processors are subject to Spectre (though not to Meltdown) and a series of lawsuits asserts that AMD processors are vulnerable to similar attacks based on their architectural likeness to Intel's chips. 

AMD released a firmware patch for the EPYC and Ryzen processors after initial firmware patches from Intel were found to brick AMD CPUs if they were mistakenly applied. The AMD patches solved the bricking issue but they weren't able to work around one of the other serious problems brought on by the twin vulnerabilities; patched AMD-based systems suffered the same sort of processor slowdown that left Intel users unhappy with performance.

A Vulnerable Quartet

As the excitement over Spectre and Meltdown seemed to be settling down, a new set of vulnerabilities were announced for AMD processors. The four vulnerability categories, named Ryzenfall, Masterkey, Fallout, and Chimera by Israeli research firm CTS-Labs, would allow an attacker to inject instructions into an AMD Secure Processor and, at that point, perform a host of unpleasant things.

Almost immediately after the vulnerability announcement went public, the announcement and CTS-Labs came under fire. The criticism fell along a set of related axes: the nature of the disclosure, the nature of the exploit required, the nature of CTS-Labs, and possible unethical (or even illegal) reasons for the disclosure.

Common "responsible disclosure" practice is to alert the manufacturer (or responsible party) of a vulnerability and allow them reasonable time to either remediate the flaw or refuse remediation. Only then will the vulnerability be made public.

In CTS-Labs' case, they gave information on the vulnerabilities to AMD less than 24 hours before the public disclosure, allowing essentially no time for remediation.

CTS-Labs' CTO has published a paper defending the vulnerability release by attacking the normal behavior. Ilia Luk-Zilberman writes, "I think that a better way, would be to notify the public on day 0 that there are vulnerabilities and what is the impact. To notify the public and the vendor together. And not to disclose the actual technical details ever unless it's already fixed. To put the full public pressure on the vendor from the get go, but to never put customers at risk."

There can (and will be) significant discussion over the nature and appropriate application of ethical research guidelines, but conversation on social media and in the press seemed based on the premise that the CTS-Labs release was not the best way to begin those discussions.

Aboulnerabilities

Ryzenfall, Masterkey, and Fallout are related and tend to involve violating isolated operating modes, and being able to see into privileged memory. There are other vulnerabilities that come from these, including the ability to launch applications that are hidden and persistent. Chimera is a different set of vulnerabilities that are based around manufacturer backdoors that allow firmware re-writes to various subsystems in the computer.

It's important to note that all of the vulnerabilities detailed in this release are secondary vulnerabilities - that is, they can't be used as part of a payload to gain access to a system. Instead, they could allow dramatic escalation of an attack against an already compromised server or PC.

The nature of the vulnerabilities - that they require an already-compromised system before they can be exploited - is part of what led some professionals to criticize many aspects of the release. Linux originator Linus Torvalds was one of those levying criticism, when he wrote (as part of a Google+ discussion), "When was the last time you saw a security advisory that was basically "if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem"? Yeah."

This is not to say that the vulnerabilities are not real. CTS-Labs hired well-known security company Trail of Bits to verify their research. In a blog post, Trail of Bits CEO Dan Guido wrote, "We confirmed that the proof-of-concept code worked as described on the hardware we tested..."

At the same time, Guido tempered expectations for the critical nature of the vulnerabilities, noting that exploiting them would take massive effort and that there is no immediate risk for most users. He wrote of the vulnerabilities, "They are the result of simple programming flaws, unclear security boundaries, and insufficient security testing."

One of the points of criticism regarding CTS-Labs is, essentially, that they were unknown in the security research field before these vulnerabilities were announced. Looking at the "about us" section of their website shows that the company lists itself as a a consultancy firm specializing in ASIC and embedded system security. The nature of their business makes sense in the context of the Chimera vulnerabilities, which allow for code to be injected into a part of the AMD chipset based on the Intel 8051 architecture - architecture that is taken from an embedded controller more than 30 years old.

A Possible Stock Attack

The importance of security to the computer industry has been used as another point of concern about the CTS-Labs vulnerability report. Approximately half an hour after the CTS-Labs website on the AMD vulnerabilities went live, a stock analysis firm (that also trades in stock) posted its own "Obituary" of AMD based on the CTS-Labs report.

Both Viceroy and CTS-Labs state that there is no financial relationship between the two companies and Viceroy has said that it received the CTS-Labs report from an "anonymous tipster." Nevertheless, for a company that has become infamous for shorting international stock just before writing highly critical reports, Viceroy's rapid response to the CTS-Labs disclosure strikes some as being highly suspect.

And it means...

For IT security professionals, there are two critical takeaways from the AMD vulnerability disclosure so far. The first is that there are legitimate vulnerabilities present in AMD Ryzen and EPYC processors, vulnerabilities that are part of the basic processor architecture. It is critical that security professionals be aware of these vulnerabilities, that AMD respond to them with patches and (ultimately) re-designs, and that developers work to fence the vulnerabilities away from systems in use by individuals and businesses.

The second takeaway is that the language around vulnerability research should now be scrutinized with as much care as the vulnerabilities themselves. Stock traders and others with economic, non-security interests have learned just how important security is to the modern enterprise and are ready to take advantage of that for their own gain.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...