• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
41,920 (8.17/day)
Location
Hyderabad, India
Processor AMD Ryzen 7 2700X
Motherboard ASUS ROG Strix B450-E Gaming
Cooling AMD Wraith Prism
Memory 2x 16GB Corsair Vengeance LPX DDR4-3000
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) Creative Sound Blaster Recon3D PCIe
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Microsoft Sidewinder X4
Software Windows 10 Pro
Security researchers with Israel-based CTS-Labs, have discovered a thirteen security vulnerabilities for systems based on AMD Zen processors. The thirteen new exploits are broadly classified into four groups based on the similarity in function of the processor that they exploit: "Ryzenfall," "Masterkey," "Fallout," and "Chimera."

The researchers "believe that networks that contain AMD computers are at a considerable risk," and that malware can "survive computer reboots and re-installations of the operating system, while remaining virtually undetectable by most endpoint security solutions," such as antivirus software. They also mention that in their opinion, "the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles. This raises concerning questions regarding security practices, auditing, and quality controls at AMD."



Since this story went up some follow ups were posted:

1. "Masterkey": This is an exploit of the Secure Boot feature, which checks if nothing has been tampered with on your machine while it was powered down (i.e. changes in firmware, hardware, or the last software state before shutdown). The Masterkey vulnerability gets around this environment integrity check by using an infected system BIOS, which can be flashed even from within Windows (with administrative privileges). This does not mean that the user has to modify and flash the BIOS manually before becoming vulnerable, the malware can do that on the fly once it is running. Theoretically, Secure Boot should validate the integrity of the BIOS, but apparently this can be bypassed, exploiting bugs in the Secure Processor's metadata parsing. Once the BIOS signature is out of the way, you can put pretty much any ARM Cortex A5 compatible code into the modified BIOS, which will then execute inside the ARM-based Secure Processor - undetectable to any antivirus software running on the main CPU, because the antivirus software running on the CPU has no way to scan inside the Secure Processor.

2. "Ryzenfall" is a class of vulnerabilities targeting Secure Processor, which lets a well-designed malware stash its code into the Secure Processor of a running system, to get executed for the remainder of the system's up-time. Again, this attack requires administrative privileges on the host machine, but can be performed in real-time, on the running system, without modifying the firmware. Secure Processor uses system RAM, in addition to its own in-silicon memory on the processor's die. While this part of memory is fenced off from access by the CPU, bugs exist that can punch holes into that protection. Code running on the Secure Processor has complete access to the system; Microsoft Virtualization-based Security (VBS) can be bypassed and additional malware can be placed into system management storage, where it can't be detected by traditional antivirus software. Windows Defender Credentials Guard, a component that stores and authenticates passwords and other secure functions on the machine, can also be bypassed and the malware can spread over the network to other machines, or the firmware can be modified to exploit "Masterkey", which persists through reboots, undetectable.

3. "Fallout": This class of vulnerabilities affects only AMD EPYC servers. It requires admin privileges like the other exploits, and has similar effects. It enables an attacker to gain access to memory regions like Windows Isolated User Mode / Kernel Mode (VTL1) and Secure Management RAM of the CPU (which are not accessible, even with administrative privileges). Risks are the same as "Ryzenfall", the attack vector is just different.

4. "Chimera": This class of vulnerabilities is an exploitation of the motherboard chipset (e.g. X370 also known as Promontory). AMD outsourced design of their Ryzen chipsets to Taiwanese ASMedia, which is a subsidiary of ASUS. You might know the company from the third-party USB 3.0 and legacy PCI chips on many motherboards. The company has been fined for lax security practices in the past, and numerous issues were found in their earlier controller chips. For the AMD chipset, it looks like they just copy-pasted a lot of code and design, including vulnerabilities. The chipset runs its own code that tells it what to do, and here's the problem: Apparently a backdoor has been implemented that gives any attacker knowing the right passcode full access to the chipset, including arbitrary code execution inside the chipset. This code can now use the system's DMA (direct memory access) engine to read/write system memory, which allows malware injection into the OS. To exploit this attack vector, administrative privileges are required. Whether DMA can access the fenced off memory portions of the Secure Processor, to additionally attack the Secure Processor through this vulnerability, is not fully confirmed, however, the researchers verified it works on a small number of desktop boards. Your keyboard, mouse, network controllers, wired or wireless, are all connected to the chipset, which opens up various other attack mechanisms like keyloggers (that send off their logs by directly accessing the network controller without the CPU/OS ever knowing about these packets), or logging all interesting network traffic, even if its destination is another machine on the same Ethernet segment. As far as we know, the tiny 8-pin serial ROM chip is connected to the CPU on AMD Ryzen platform, not to the chipset or LPCIO controller, so infecting the firmware might not be possible with this approach. A second backdoor was found that is implemented in the physical chip design, so it can't be mitigated by a software update, and the researchers hint at the requirement for a recall.

AMD's Vega GPUs use an implementation of the Secure Processor, too, so it is very likely that Vega is affected in a similar way. An attacker could infect the GPU, and then use DMA to access the rest of the system through the attacks mentioned above.

The researchers have set up the website AMDFlaws.com to chronicle these findings, and to publish detailed whitepapers in the near future.

AMD provided us with the following statement: "We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise."

Update March 14 7 AM CET: It seems a lot of readers misunderstand the BIOS flashing part. The requirement is not that the user has to manually flash a different BIOS first before becoming vulnerable. The malware itself will modify/flash the BIOS once it is running on the host system with administrative privileges. Also, the signed driver requirement does not require a driver from any specific vendor. The required driver (which is not for an actual hardware device and just provides low-level hardware access) can be easily created by any hacker. Signing the driver, so Windows accepts it, requires a digital signature which is available from various SSL vendors for a few hundred dollars after a fairly standard verification process (requires a company setup with bank account). Alternatively an already existing signed driver from various hardware utilities could be extracted and used for this purpose.

View at TechPowerUp Main Site
 
Joined
Oct 19, 2007
Messages
7,681 (1.50/day)
Processor Intel i9 9900K @5GHz w/ Corsair H150i Pro CPU AiO w/Corsair HD120 RBG fan
Motherboard Asus Z390 Maximus XI Code
Cooling 6x120mm Corsair HD120 RBG fans
Memory Corsair Vengeance RBG 2x8GB 3600MHz
Video Card(s) Asus RTX 2080 STRIX OC
Storage Samsung 970 EVO Plus 500GB , 970 EVO 1TB, Samsung 850 EVO 1TB SSD, 10TB Synology DS1621+ RAID5
Display(s) Acer Predator 32" 2560x1440 OC'd to 170MHz
Case Corsair 570x RBG Tempered Glass
Audio Device(s) Onboard / Corsair Virtuoso Wireless RGB
Power Supply Corsair HX850w Platinum Series
Mouse Logitech G604s
Keyboard Corsair K70 Rapidfire
Software Windows 11 x64 Professional
Benchmark Scores Firestrike - 23520 Heaven - 3670
Take THAT AMD. I dont wanna hear the fanbois anymore.
 
Joined
Apr 16, 2010
Messages
3,303 (0.78/day)
Location
Portugal
System Name Dust gatherer (ol' Dale-y)
Processor AMD Ryzen 7 1700
Motherboard MSI X370 Gaming Plus
Cooling Noctua NH-C12P SE14 + NM-AM4 + NF-P14r
Memory 2x 8GB G.Skill Trident Z (F4-3200C16D-16GTZB)(Hynix)
Video Card(s) Sapphire Pulse AMD Radeon RX 5500 XT 8GiB
Storage HyperX Savage 240GB + KC300 240GB + 750EVO 500GB
Display(s) LG Flatron W2361V 23'' FHD (RN a 24'' IPS HP oldie)
Case NOX Blaze w/random fans and no aRrGeeBee
Audio Device(s) Creative SoundBlasterX AE-5 + GigaWorks t40 series II
Power Supply Corsair TX650M
Mouse Microsoft Comfort Mouse 4500
Keyboard Logitech Media Keyboard (PS/2)
Software Windows 10 x86-64 (1909)
Benchmark Scores Needs a reinstall...but it used to play a game or two in TV resolution from time to time, in 2019
Like Reddit is also weed whacking this thing to oblivion, it looks like a pure smear campaign.
Red flags:
- 24h deadline before publishing
- All flaws require administrative rights in order to accomplish anything (one requires flashing firmware)
- All domains, linkedin records and so forth for a "16 year" in operations company date back at best...a year.
 
Joined
Aug 6, 2017
Messages
7,412 (4.81/day)
Location
Poland
System Name Purple rain
Processor 10.5 thousand 4.2G 1.1v
Motherboard Zee 490 Aorus Elite
Cooling Noctua D15S
Memory 16GB 4133 CL16-16-16-31 Viper Steel
Video Card(s) RTX 2070 Super Gaming X Trio
Storage SU900 128,8200Pro 1TB,850 Pro 512+256+256,860 Evo 500,XPG950 480, Skyhawk 2TB
Display(s) Acer XB241YU+Dell S2716DG
Case P600S Silent w. Alpenfohn wing boost 3 ARGBT+ fans
Audio Device(s) K612 Pro w. FiiO E10k DAC,W830BT wireless
Power Supply Superflower Leadex Gold 850W
Mouse G903 lightspeed+powerplay,G403 wireless + Steelseries DeX + Roccat rest
Keyboard HyperX Alloy SilverSpeed (w.HyperX wrist rest),Razer Deathstalker
Software Windows 10
Benchmark Scores A LOT
Whohohoa ! That's a lot !

Is this like meltdown or spectre which can affect AMD too or does it not affect intel at all ?
 
Joined
Jul 5, 2016
Messages
155 (0.08/day)
System Name Purple Stuff
Processor Intel Core I7-8700K @ 5.0 Ghz
Motherboard Asus ROG Strix Z370-F Gaming
Cooling NZXT Kraken X62
Memory Corsair Vengence 16 GB DDR4 @ 3600 Mhz
Video Card(s) Asus ROG Strix GTX 1080 TI
Storage Samsung EVO 960 500 GB, HDD 4TB WD Black, SSD Crucial MX400 1TB
Display(s) Acer Predator XB271HU 27" x2
Case Phanteks Enthoo Evolv ATX Tempered Glass
Power Supply Seasonic Focus + Platinum 850 W
Mouse Steelseries Rival 700
Keyboard Razer Blackwidow Chroma V2
Software Win 10 Pro
Wow and I thought Intel had a a bumpy road ahead ... this is going to be interesting to say the least.
 
Joined
Feb 3, 2012
Messages
129 (0.04/day)
Location
Tottenham ON
System Name Current
Processor i7 4790k @4.5GHz
Motherboard Asus ROG Hero
Cooling Noctua NHD15s
Memory 16GB Corsair
Video Card(s) GTX 1070Ti
Storage Mushkin Deluxe 240GB, Sandisk Extreme Pro II 500GB, WD SN-850 2TB
Display(s) LG Ultragear 27GL850-B
Case Corsair Obsidian 450D
Audio Device(s) Onboard
Power Supply Seasonic 1000W Platinum
I wonder what the performance hit will be for fixing some of these.
 
Joined
Oct 19, 2007
Messages
7,681 (1.50/day)
Processor Intel i9 9900K @5GHz w/ Corsair H150i Pro CPU AiO w/Corsair HD120 RBG fan
Motherboard Asus Z390 Maximus XI Code
Cooling 6x120mm Corsair HD120 RBG fans
Memory Corsair Vengeance RBG 2x8GB 3600MHz
Video Card(s) Asus RTX 2080 STRIX OC
Storage Samsung 970 EVO Plus 500GB , 970 EVO 1TB, Samsung 850 EVO 1TB SSD, 10TB Synology DS1621+ RAID5
Display(s) Acer Predator 32" 2560x1440 OC'd to 170MHz
Case Corsair 570x RBG Tempered Glass
Audio Device(s) Onboard / Corsair Virtuoso Wireless RGB
Power Supply Corsair HX850w Platinum Series
Mouse Logitech G604s
Keyboard Corsair K70 Rapidfire
Software Windows 11 x64 Professional
Benchmark Scores Firestrike - 23520 Heaven - 3670
Joined
Oct 2, 2004
Messages
13,791 (2.21/day)
The first is a very unlikely scenario because you need to craft it specifically for the exact board. The other 3 however, that sucks. Both, AMD and Intel will have to do dramatic changes if they want to sell new stuff, especially to businesses. Home users often just don't care, but corporate is not as unforgiving.
 
Joined
Nov 13, 2007
Messages
8,607 (1.69/day)
Location
Austin Texas
System Name Chernobyl
Processor 10850K @ 5.1
Motherboard MSI 490-A PRO
Cooling 280MM push pull water Loop
Memory 32 GB 4133 Mhz DDR4 18-18-18-37
Video Card(s) MSI Ventus RTX 3080
Storage 3x1TB SSDs, 2TB SSD
Display(s) LG CX OLED 48"
Case Lian Li O11 Dynamic Mini
Audio Device(s) Bose Solo
Power Supply Corsair SF750
Mouse Logitech GPro Wired
Keyboard tecware phantom w/ pudding keycaps
Software Windows 10 64 Bit
So basically... the biggest vulnerability is the meatsickle between the keyboard and the floor.
 
Joined
Jun 3, 2010
Messages
2,465 (0.59/day)
Conveniently they have set up naming charts that copy Intel's own.
Chimera(Spectre), Fallout(Meltdown), Masterkey(?), Ryzenfall(?).
 
Joined
Aug 6, 2017
Messages
7,412 (4.81/day)
Location
Poland
System Name Purple rain
Processor 10.5 thousand 4.2G 1.1v
Motherboard Zee 490 Aorus Elite
Cooling Noctua D15S
Memory 16GB 4133 CL16-16-16-31 Viper Steel
Video Card(s) RTX 2070 Super Gaming X Trio
Storage SU900 128,8200Pro 1TB,850 Pro 512+256+256,860 Evo 500,XPG950 480, Skyhawk 2TB
Display(s) Acer XB241YU+Dell S2716DG
Case P600S Silent w. Alpenfohn wing boost 3 ARGBT+ fans
Audio Device(s) K612 Pro w. FiiO E10k DAC,W830BT wireless
Power Supply Superflower Leadex Gold 850W
Mouse G903 lightspeed+powerplay,G403 wireless + Steelseries DeX + Roccat rest
Keyboard HyperX Alloy SilverSpeed (w.HyperX wrist rest),Razer Deathstalker
Software Windows 10
Benchmark Scores A LOT
So basically... the biggest vulnerability is the meatsickle between the keyboard and the floor.
As has always been the case.
 
Joined
Jun 15, 2016
Messages
1,041 (0.53/day)
Location
Pristina
System Name My PC
Processor 4670K@4.4GHz
Motherboard Gryphon Z87
Cooling CM 212
Memory 2x8GB+2x4GB @2400GHz
Video Card(s) XFX Radeon RX 580 GTS Black Edition 1425MHz OC+, 8GB
Storage Intel 530 SSD 480GB + Intel 510 SSD 120GB + 2x500GB hdd raid 1
Display(s) HP envy 32 1440p
Case CM Mastercase 5
Audio Device(s) Sbz ZXR
Power Supply Antec 620W
Mouse G502
Keyboard G910
Software Win 10 pro
There always be flaws, there are 2 types, deliberate ones and unnoticed ones....
 
Joined
Aug 6, 2017
Messages
7,412 (4.81/day)
Location
Poland
System Name Purple rain
Processor 10.5 thousand 4.2G 1.1v
Motherboard Zee 490 Aorus Elite
Cooling Noctua D15S
Memory 16GB 4133 CL16-16-16-31 Viper Steel
Video Card(s) RTX 2070 Super Gaming X Trio
Storage SU900 128,8200Pro 1TB,850 Pro 512+256+256,860 Evo 500,XPG950 480, Skyhawk 2TB
Display(s) Acer XB241YU+Dell S2716DG
Case P600S Silent w. Alpenfohn wing boost 3 ARGBT+ fans
Audio Device(s) K612 Pro w. FiiO E10k DAC,W830BT wireless
Power Supply Superflower Leadex Gold 850W
Mouse G903 lightspeed+powerplay,G403 wireless + Steelseries DeX + Roccat rest
Keyboard HyperX Alloy SilverSpeed (w.HyperX wrist rest),Razer Deathstalker
Software Windows 10
Benchmark Scores A LOT
Still, 13 sounds downright disgusting for a consumer that purchased it in the last 12 months.
 
Joined
Mar 6, 2017
Messages
2,303 (1.36/day)
Location
North East Ohio, USA
System Name My Super Computer
Processor Intel Core i7 8700K
Motherboard Gigabyte Z370 AORUS Ultra Gaming
Cooling Corsair H55 AIO
Memory 2x8GB Crucial/Micron Ballistix Sport DDR4-2400
Video Card(s) Gigabyte GeForce RTX3060 12GB (https://www.techpowerup.com/gpuz/details/d6y4u)
Storage Samsung 970 EVO 500 GB NVMe SSD (System Drive), Samsung 860 EVO 500 GB SATA SSD (Game Drive)
Display(s) Acer Nitro XV272U (DisplayPort) and HP 2311x (DVI/HDMI)
Case CoolerMaster MasterBox Lite 5 RGB
Audio Device(s) On-Board Sound
Power Supply EVGA Supernova 650 G3 Gold
Mouse Logitech M705
Keyboard Logitech Wave K350
Software Windows 10 Pro 64-bit
Benchmark Scores https://valid.x86.fr/liwjs3
This has the potential to be even worse than Spectre and Meltdown.
 
Low quality post by xkm1948
Joined
Mar 18, 2008
Messages
5,697 (1.15/day)
System Name Virtual Reality / Bioinformatics
Processor Undead CPU
Motherboard Undead TUF X99
Cooling Noctua NH-D15
Memory GSkill 128GB DDR4-3000
Video Card(s) EVGA RTX 3090 FTW3 Ultra
Storage Samsung 960 Pro 1TB + 860 EVO 2TB + WD Black 5TB
Display(s) 32'' 4K Dell
Case Fractal Design R5
Audio Device(s) BOSE 2.0
Power Supply Seasonic 850watt
Mouse Logitech Master MX
Keyboard Corsair K70 Cherry MX Blue
VR HMD HTC Vive + Oculus Quest 2
Software Windows 10 P
Joined
Jul 5, 2013
Messages
16,047 (5.29/day)
Location
USA
System Name GPD-Q9
Processor Rockchip RK-3288 1.8ghz quad core
Motherboard GPD Q9_V6_150528
Cooling Passive
Memory 2GB DDR3
Video Card(s) Mali T764
Storage 16GB Samsung NAND
Display(s) IPS 1024x600
Software Android 4.4.4R5 Custom
Whohohoa ! That's a lot ! Is this like meltdown or spectre which can affect AMD too or does it not affect intel at all ?
This is specific to AMD Ryzen CPU's. No other CPU's are affected.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
23,019 (3.61/day)
Processor Core i7-8700K
Memory 32 GB
Video Card(s) RTX 3080
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
The first is a very unlikely scenario because you need to craft it specifically for the exact board.
Source on that?
 
Joined
Feb 8, 2012
Messages
2,979 (0.84/day)
Location
Zagreb, Croatia
System Name Windows 10 64-bit Core i7 6700
Processor Intel Core i7 6700
Motherboard Asus Z170M-PLUS
Cooling Corsair AIO
Memory 2 x 8 GB Kingston DDR4 2666
Video Card(s) Gigabyte NVIDIA GeForce GTX 1060 6GB
Storage Western Digital Caviar Blue 1 TB, Seagate Baracuda 1 TB
Display(s) Dell P2414H
Case Corsair Carbide Air 540
Audio Device(s) Realtek HD Audio
Power Supply Corsair TX v2 650W
Mouse Steelseries Sensei
Keyboard CM Storm Quickfire Pro, Cherry MX Reds
Software MS Windows 10 Pro 64-bit
All flaws require administrative rights in order to accomplish anything (one requires flashing firmware)
lol :laugh: exploiting security vulnerability with root privileges ... it's like having the superpower to pass through solid objects but still picking the door lock (that is btw only pickable when you have that superpower)
 
Joined
Jul 5, 2013
Messages
16,047 (5.29/day)
Location
USA
System Name GPD-Q9
Processor Rockchip RK-3288 1.8ghz quad core
Motherboard GPD Q9_V6_150528
Cooling Passive
Memory 2GB DDR3
Video Card(s) Mali T764
Storage 16GB Samsung NAND
Display(s) IPS 1024x600
Software Android 4.4.4R5 Custom
It's not impossible to infect system BIOS with ring-0 privileged software, if the malware is tailor-made for a device.
@W1zzard I think @RejZoR was referring to that part of the statement, which is what I took from it as well.
 
Joined
Sep 10, 2014
Messages
626 (0.24/day)
This "security company" is based in Israel where Intel has it's most important design centre and one of the largest manufacturing facilities. The same Israel behind Stuxnet, by the way. Also a 24 hour notice and a site called amdflaws.com plus what I can only call promotional videos... soon we'll have the white helmets releasing clips from the CPUs civil war front...
This smells rotten for anyone but dumbed down minds... oh wait
 

bug

Joined
May 22, 2015
Messages
9,321 (3.97/day)
Processor Intel i5-6600k (AMD Ryzen5 3600 in a box, waiting for a mobo)
Motherboard ASRock Z170 Extreme7+
Cooling Arctic Cooling Freezer i11
Memory 2x16GB DDR4 3600 G.Skill Ripjaws V (@3200)
Video Card(s) EVGA GTX 1060 SC
Storage 500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 3TB Seagate
Display(s) HP ZR24w
Case Raijintek Thetis
Audio Device(s) Audioquest Dragonfly Red :D
Power Supply Seasonic 620W M12
Mouse Logitech G502 Proteus Core
Keyboard G.Skill KM780R
Software Arch Linux + Win10
It's so funny seeing AMD aficionados going in defense mode :p
 
Joined
Jan 29, 2012
Messages
5,681 (1.60/day)
Location
Florida
System Name natr0n-PC
Processor Various - Ryzen 3600XT & 3700X & 5950x
Motherboard Various - Aorus B450M
Cooling Various - EK AIO 360
Memory Various - TEAM VULCAN 32GB DDR4 4000
Video Card(s) Various - EVGA 1660ti
Storage Various
Display(s) Various AOC 27G2 IPS 144Hz
Case Various
Audio Device(s) Various
Power Supply Various
Software XP/7/8.1/10
Benchmark Scores http://valid.x86.fr/79kuh6
It's like a game..."Don't worry Intel we'll fuck them just as hard"
 
Joined
Mar 18, 2008
Messages
5,697 (1.15/day)
System Name Virtual Reality / Bioinformatics
Processor Undead CPU
Motherboard Undead TUF X99
Cooling Noctua NH-D15
Memory GSkill 128GB DDR4-3000
Video Card(s) EVGA RTX 3090 FTW3 Ultra
Storage Samsung 960 Pro 1TB + 860 EVO 2TB + WD Black 5TB
Display(s) 32'' 4K Dell
Case Fractal Design R5
Audio Device(s) BOSE 2.0
Power Supply Seasonic 850watt
Mouse Logitech Master MX
Keyboard Corsair K70 Cherry MX Blue
VR HMD HTC Vive + Oculus Quest 2
Software Windows 10 P
Everything of these so called “white papers” seems fishy. Only one source, no independent duplication of their “research “ findings is a pretty serious red flag.

I am calling this b*llshit. Seems like some smearing operation. Ryzenfall, so amature and obvious.
 
Top