Amid the tumult that CTS Labs stirred up with its questionably-conducted disclosure of a range of potential vulnerabilities in AMD hardware last week, it's important to remember that those vulnerabilities are, by the accounts of all who have seen proof-of-concept code, legitimate. While the vulnerabilities generally require administrative rights to exploit, they reward that privilege escalation with the potential to compromise a system's hardware root of trust or install persistent malware. Today, AMD announced plans to begin mitigating the four categories of exploits that CTS Labs revealed through its disclosure. Happily, the company believes it can safeguard its processors and chipsets against all of these vulnerabilities through firmware updates.
As a brief refresher, the so-called "Masterkey" vulnerability allows an attacker to compromise the AMD Secure Processor, an integrated ARM core that handles some platform security functions for some Ryzen and Epyc systems, by installing a corrupted firmware that the Secure Processor does not detect during its own self-checks. Once the Secure Processor is compromised in this way, an attacker could persistently bypass the protections of AMD's Secure Encrypted Virtualization and Firmware Trusted Platform Module features. CTS Labs also warns that Masterkey exploits could bypass Windows' Credential Guard features and physically damage or "brick" affected hardware. AMD says a firmware patch for this issue will arrive "in the coming weeks."
The Ryzenfall and Fallout vulnerabilities, according to AMD, allow an attacker to write to some of the Secure Processor's own registers. That access could allow an attacker to read or write to protected memory regions for x86 System Management RAM and Windows Credential Guard. In conjunction with the Masterkey vulnerability, CTS Labs says Ryzenfall could be used to install persistent malware on a system. As with Masterkey, AMD believes it can mitigate the issue through a firmware update, and it plans to release those mitigations soon.
Finally, AMD says the Chimera vulnerability in its Promontory chipset silicon can be exploited by an attacker who can install a malicious driver on a system. Once that's done, the company says "certain Promontory functions" can be exposed. AMD says Chimera can be used to access physical memory through the chipset or to install malware on the chipset that does not persist across reboots. AMD says it is working with the "third-party provider"—ASMedia, by CTS Labs' account—that designed and produced the Promontory chipset to mitigate the problem. Like the other two vulnerabilities, AMD expects that Chimera can be mitigated through a firmware update that will arrive soon.
If AMD can, in fact, mitigate these issues through firmware updates alone, owners of its processors and platforms will likely be able to breathe a little easier. Presumably, CTS Labs will test those mitigations independently and determine whether those customers are, in fact, safe. We'll continue to keep an eye on this story as it develops.