CHIMERA, RYZENFALL, FALLOUT and MASTERKEY are vulnerabilities and hardware backdoors that, according to the publication, once exploited allow the attacker to take complete control over the affected machine. An attacker leveraging these vulnerabilities may be able to run malicious code before the operating system boots and persist even if the operating system is reinstalled. It can also bypass advanced protections such as Windows 10 Virtualization-Based Security (VBS).
It was disclosed that the AMD Ryzen, Ryzen Pro and EPYC processors are subject to multiple vulnerabilities and hardware backdoors. Potentially all machines running AMD Ryzen, Ryzen Pro and EPYC processors are affected. It is also possible that other motherboards with the ASMedia chipsets are affected by these vulnerabilities.
Vulnerability: a flaw in a system, or in some software in a system, that could provide an attacker with a way to bypass the security infrastructure of the host operating system or of the software itself. Exploit: the use of one or more vulnerabilities in order to carry out some form of malicious intent, such as a denial-of-service attack, infiltration or privilege escalation. Malware: short for malicious software, an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. Evasion: bypassing an information security device in order to deliver an exploit, attack, or other form of malware to a target network or system without detection.
CHIMERA Vulnerabilities and Backdoors - These are hidden manufacturer backdoors inside AMD's Promontory chipsets, which are part of all Ryzen and Ryzen Pro workstations. By leveraging these vulnerabilities an attacker can potentially run code on the chipset, which has direct access to memory, network, keyboard and more. According to the publications, some of these vulnerabilities are embedded in the chip's ASIC hardware, therefore a patch may not be possible.
FALLOUT and RYZENFALL Vulnerabilities - Design-flaw vulnerabilities in the boot loader of the EPYC, Ryzen, Ryzen Pro and Ryzen Mobile Secure Operating System, which runs in AMD's Secure Processor. According to the publications, these flaws allow an attacker to inject malware into System Management Mode (SMM) code, which is highly privileged. Thus, it can bypass advanced protections such as Credential Guard.
MASTERKEY Vulnerabilities - This set of vulnerabilities allows an attacker to exploit AMD's Hardware Validated Boot mechanism in the Secure Processor, which validates the integrity of the system ROM firmware (BIOS). This means that an attacker can potentially run arbitrary code before the BIOS or operating system code starts executing. Thus, the attacker can persist on the target machine even if the operating system is reinstalled.
In order to exploit the vulnerabilities, the attacker must be able to run code with admin privileges on the victim’s machine.
According to the publication, the CHIMERA, RYZENFALL, FALLOUT and MASTERKEY vulnerabilities can be leveraged by an attacker to create malware that will be very hard to detect and protect against without mitigations from AMD. These are the potential capabilities:
- Persist inside AMD's Secure Processor and thus allow the malware to survive even operating system reinstallation.
- Execute code on AMD's Promontory chipsets.
- Run code in System Management Mode (SMM), which has higher privileges than the operating system.
- Bypass Credential Guard and other VBS mitigations.
No. AMD has not yet released any patch to address these vulnerabilities.
The vulnerabilities require the attacker to execute code on the affected machine in order to leverage them. Blocking the malicious code that tries to leverage these vulnerabilities will protect against the attack. That said, if an attacker has already managed to execute code on the machine, AV/NGAV won't be able to protect against the vulnerabilities, since they allow the attacker to execute code at a higher privilege level than the AV/NGAV and the operating system itself.