AMD has recently hit the headlines this time with its responses to the reports published, stating of a range of security flaws affecting its Platform Security Processor (PSP) and chipset. The company, admitting about the bugs have added that in the weeks to follow, it would have new firmware available to resolve the PSP bugs. Further, these firmware fixes would also mitigate the chipset bugs.
Israeli firm CTS identified four separate flaw families, naming them Masterkey (affecting Ryzen and Epyc processors), Ryzenfall (affecting Ryzen, Ryzen Pro, and Ryzen Mobile), Fallout (hitting only Epyc), and Chimera (applying to Ryzen and Ryzen Pro systems using the Promontory chipset).
Masterkey, Ryzenfall, and Fallout are all problems affecting the Platform Security Processor (PSP). Along with this, the PSP would also have its own firmware and operating system that runs independently of the main x86 CPU. Software running on the x86 CPU can access PSP functionality using a device driver, though this access is restricted to administrator/root-level accounts.
However, in theory, the PSP would b able to keep secrets even from the x86 CPU and this ability is used for the firmware TPM capability.
However, the Ryzenfall and Fallout bugs enable an attacker to run the attacker-controlled code on the PSP. This attacker code also can disclose the PSP’s secrets, undermining the integrity of the firmware TPM, AMD’s encrypted virtual memory, and various other platform features.
But this Masterkey bug is even worse. The PSP does not properly verify the integrity of its firmware. A system that enabled a malicious firmware to be flashed could also have a malicious PSP firmware permanently installed, persisting across reboots.
The Chimera bug affects a chipset found in many, but not all, Ryzen systems. CTS regarded that these flaws would represent a backdoor, deliberately inserted to enable systems to be attacked, but offered no justification for this claim. As with the PSP flaws, exploiting this requires administrator access to a system.
AMD’s response today agrees that all four bug families are real and are found in the various components identified by CTS. Here, the company also added that it is developing firmware updates for the three PSP flaws. These fixes, to be made available in “coming weeks,” would be also installed through system firmware updates. The firmware updates would also mitigate, in some unspecified way, the Chimera issue, with AMD saying that it’s working with ASMedia, the third-party hardware company that developed Promontory for AMD, to develop suitable protections. In its report, CTS wrote that, while one CTS attack vector was a firmware bug the other was a hardware flaw. If this is true, there might be no effective way of solving it.
The striking thing about the bugs was not their existence but rather the manner of their disclosure. CTS gave AMD only a time span of 24 hours notice before its public announcement that it had found the flaws. Prior to reporting the problems to AMD, CTS has also shared the bugs, along with proofs of concept, with security firm Trail of Bits so that Trail of Bits could validate that the bugs were real and could be exploited the way that CTS described.
This short notice period led Linux creator Linus Torvalds to say that CTS’ report “looks more like stock manipulation than a security advisory.”
This perception was not much of an effect when short-seller Viceroy Research said that the flaws were “fatal” to AMD and, that its share price should drop to $0, and that the company should declare bankruptcy. Lastly, to suggest that such bugs should not merely hurt AMD’s share price, but drive the company out of business entirely, its long-term contracts with Microsoft and Sony, or its GPU architecture, plainly has no possible factual justification for this.