Researchers from IOActive have presented a decades-old vulnerability in AMD processors at the Def Con security conference.
The team of researchers Enrique Nissim and Kryzsztof Okupski said that the vulnerability could potentially allow an attacker to disable critical memory protections in the Ryzen and Epyc CPU lines, potentially allowing an admin account to elevate into the firmware level, effectively giving a local attacker complete control over the targeted system’s firmware.
[For up-to-the-minute Black Hat USA coverage by SC Media, Security Weekly and CyberRisk TV visit our spotlight Black Hat USA 2024 coverage page.]
The vulnerability, dubbed CVE-2023-31315, is said to be present in hundreds of server and PC processor lines and is present in chips dating as far back as 20 years.
The flaw itself is the result of a flaw in System Management Mode, a firmware level state in which the OS is not running. Normally, AMD chips use a tool called SMM Lock to prevent any code running locally on the machine from being able to access SMM.
What the IOActive researchers found was that the SMM Lock protections can be circumvented under certain conditions. In this case, an attacker with ring 0 (ie admin level) privileges could boost themselves into what is effectively "god mode" over the machine.
Technically, the flaw is considered elevation of privilege and it should be noted that it is not something that could be targeted remotely or via a common user account. If an attacker can access the components needed to perform the exploit, they have already effectively pwned the target system.
Where it could come into play, however, is in establishing persistence on the target machine. By being able to run commands in SMM mode, the attacker can effectively reinstall the OS with a version of their choosing and re-establish control even after an administrator wipes and reinstalls on an infected machine.
What is also noteworthy about the vulnerability is that it is believed to be prevalent in hundreds of models of AMD processors. The researchers say that the configurations that expose the flaw are prevalent in the majority of AMD-powered systems deployed over the last 20 years.
There is a patch available for the flaw, and both AMD and IOActive are advising users and administrators to upgrade as soon as possible.
Hardware level flaws are particularly nasty bugs as, in addition to being difficult to patch, their remedies can often require disabling key features on the CPU resulting in significant impacts on performance.
Fortunately, the flaw appears to have been resolved without a significant impact. Nissim, a principal security consultant at IOActive, told CyberRisk Alliance that the AMD patch should not have any noticeable impact on the chip’s performance.
[For up-to-the-minute Black Hat USA coverage by SC Media, Security Weekly and CyberRisk TV visit our spotlight Black Hat USA 2024 coverage page.]
