A new report published by Tel Aviv based security company CTS-Labs alleges discovering 13 fatal security flaws in AMD’s new lineup of Ryzen and EPYC processors. The report claims these 13 security vulnerabilities fall under four distinct classes which the company has dubbed Ryzenfall, Masterkey, Fallout, and Chimera.
CTS has classified the vulnerabilities, which it found over the course of a six-month investigation, into four categories they’re calling Ryzenfall, Masterkey, Fallout, and Chimera. Full details on each vulnerability can be found in CTS’ 20-page whitepaper. Fortunately, specific technical details that could be used to exploit the vulnerabilities have been omitted. It’s also worth noting that AMD has been made aware of the issues, as have “select security companies” that could help mitigate the fallout and US regulators.
RYZENFALL (v1, v2, v3, v4) AMD Vulnerabilities
According to researchers, RYZENFALL vulnerabilities allow unauthorized code execution on the Ryzen Secure Processor, eventually letting attackers access protected memory regions, inject malware into the processor itself, and disable SMM protections against unauthorized BIOS reflashing.
Attackers could also use RYZENFALL to bypass Windows Credential Guard and steal network credentials, and then use the stolen data to spread across to other computers within that network (even highly secure Windows corporate networks).
RYZENFALL can also be combined with another issue called MASTERKEY (detailed below) to install persistent malware on the Secure Processor, “exposing customers to the risk of covert and long-term industrial espionage.”
Masterkey is a set of three vulnerabilities that collectively allow malicious actors to install malware inside the secure processor. From here, the researchers say malware could bypass secure boot and inject code directly into a computer’s BIOS or operating system and disable firmware-based security features within the secure processor like Secure Encrypted Virtualization (SEV) or Firmware Trusted Platform Module (fTPM).
Because most EPYC and Ryzen motherboards on the market use a BIOS from American Megatrends that allows
reflashing from within the OS using a command-line utility, CTS says Masterkey can often be exploited remotely.