Another day, another vulnerability. This time, it’s AMD’s turn, with a broad swathe of its modern CPU lines falling victim to a dangerous driver vulnerability that could leave PCs open to all manner of attacks.
As reported by TechSpot, the flaw is in the driver for AMD Platform Security Processor (PSP), and could leave systems vulnerable by allowing attackers to steal encryption keys, passwords, or other data from memory. Today, we’ll take a look at what the role of the PSP is, and how this vulnerability can be used against affected machines.
What is a PSP, Anyway?
The AMD Platform Security Processor is functionally the company’s equivalent to the Intel Management Engine (ME), which we’ve discussed before. AMD refers to it as a subsystem “responsible for creating, monitoring, and maintaining the security environment.” It consists of an ARM microcontroller core baked into the main CPU die, and interfaces with the main system memory, IO, and CPU registers.
In short, it’s a coprocessor with access to just about every part of the computer it sits inside. This makes it a prime target for attacks. Introduced around 2013, it’s also entirely closed source, existing as an unknown black box within modern AMD CPUs, which makes the security-conscious highly wary. Operating at a low level, entirely outside the purview of the main CPU and operating system, the PSP, like the IME, is often considered a potential backdoor into a machine.
CPUs have been adding security features for years, with other technology including AMD’s Secure Memory Encryption and Intel’s System Guard Extensions. These subsystems allow sections of memory to be partitioned off and secured for special uses. However, these features have also proved to be subject to vulnerabilities.
How The Vulnerability Works
The vulnerability is found in a range of AMD chipsets. It affects everything from modern Ryzen processors to chips stretching all the way back at least as far as the AMD Athlon X4 from 2013 according to AMD’s own disclosure. The issue was first reported to the company by [Kyriakos Economou] from ZeroPeril Ltd, who prepared a useful report on the vulnerability.
The vulnerability gives low-privileged users access to uninitialised memory. This may sound unimportant, but uninitialised memory is often teeming with data left behind from prior processes, even if the computer has been rebooted or power cycled. It can be an easy way to gain access to encryption keys, password hashes, or all manner of other data that is sitting in unallocated RAM.
The first part of the problem arises when a user calls the AMD driver to allocate some uninitialised memory using the AMD PSP. When a request is made to initialise a certain amount of memory, the driver rounds the request up to the default memory page size, usually on the order of 4096 bytes.
If the user requests to initialise 1 byte, the driver will round that up to a full 4096 bytes, and allocate that much memory to the user. However, it will only initialise the first byte, leaving the rest in its prior state. The user can then access the remaining 4095 bytes which have been untouched, thus gaining access to the contents of uninitialised memory.
The second problem involves calls to the driver to free up contiguous memory space that has previously been allocated. When certain calls of this type are made, the driver does not properly release the allocated memory and keeps it privately associated with the original process making the call. This creates a memory leak and can quickly tie up great amounts of memory, making it unavailable to the rest of the system.
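The two driver behaviours described above, an allocation rounded up to a whole page with only the requested bytes initialised, and a free that never returns pages to the pool, modelled with a toy page allocator. This is an added example written for this article, not the AMD driver’s code: the backing pool, its page count and the stale-data seed are constructed, and the "hardened" variants show the fix pattern (zero the entire rounded-up region, release every page on free) that a correct driver would apply.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a small "physical memory" pool carved into 4096-byte pages. */
#define PAGE_SIZE 4096u
#define POOL_PAGES 4u

static uint8_t pool[POOL_PAGES * PAGE_SIZE];
static int page_in_use[POOL_PAGES];

/* Fill the pool with stand-in leftovers from a previous owner ('A'..'Z', never 0). */
static void seed_stale_data(void) {
    for (size_t i = 0; i < sizeof pool; i++) pool[i] = (uint8_t)('A' + (i % 26));
    memset(page_in_use, 0, sizeof page_in_use);
}

static size_t round_up_pages(size_t nbytes) {
    return (nbytes + PAGE_SIZE - 1) / PAGE_SIZE;
}

/* First-fit search for npages contiguous free pages; returns NULL when exhausted. */
static uint8_t *grab_pages(size_t npages) {
    for (size_t start = 0; start + npages <= POOL_PAGES; start++) {
        size_t k = 0;
        while (k < npages && !page_in_use[start + k]) k++;
        if (k == npages) {
            for (k = 0; k < npages; k++) page_in_use[start + k] = 1;
            return pool + start * PAGE_SIZE;
        }
    }
    return NULL;
}

/* Vulnerable pattern: the request is rounded up to whole pages, but only the
   bytes the caller asked for are initialised; the rest keeps stale contents. */
static uint8_t *alloc_vulnerable(size_t nbytes) {
    uint8_t *p = grab_pages(round_up_pages(nbytes));
    if (p) memset(p, 0, nbytes);
    return p;
}

/* Hardened pattern: zero the entire rounded-up region handed to the caller. */
static uint8_t *alloc_hardened(size_t nbytes) {
    size_t npages = round_up_pages(nbytes);
    uint8_t *p = grab_pages(npages);
    if (p) memset(p, 0, npages * PAGE_SIZE);
    return p;
}

/* Bytes within the rounded-up allocation that still hold stale (non-zero) data. */
static size_t stale_bytes(const uint8_t *p, size_t nbytes) {
    size_t total = round_up_pages(nbytes) * PAGE_SIZE, n = 0;
    for (size_t i = 0; i < total; i++) if (p[i] != 0) n++;
    return n;
}

/* Leaky free: the pages are never marked reusable (the second bug class). */
static void free_leaky(uint8_t *p, size_t nbytes) { (void)p; (void)nbytes; }

/* Correct free: every page of the allocation goes back to the pool. */
static void free_correct(uint8_t *p, size_t nbytes) {
    size_t start = (size_t)(p - pool) / PAGE_SIZE;
    for (size_t k = 0; k < round_up_pages(nbytes); k++) page_in_use[start + k] = 0;
}

static size_t pages_free(void) {
    size_t n = 0;
    for (size_t i = 0; i < POOL_PAGES; i++) if (!page_in_use[i]) n++;
    return n;
}

/* A 1-byte request leaves 4095 stale bytes readable in the vulnerable model. */
size_t demo_vulnerable_disclosure(void) {
    seed_stale_data();
    uint8_t *p = alloc_vulnerable(1);
    return p ? stale_bytes(p, 1) : (size_t)-1;
}

/* The same request against the hardened allocator exposes nothing. */
size_t demo_hardened_disclosure(void) {
    seed_stale_data();
    uint8_t *p = alloc_hardened(1);
    return p ? stale_bytes(p, 1) : (size_t)-1;
}

/* Repeated allocate/free cycles: with the leaky free the pool is starved. */
size_t demo_pages_free_after_cycles(int leaky, int cycles) {
    seed_stale_data();
    for (int i = 0; i < cycles; i++) {
        uint8_t *p = alloc_hardened(1);
        if (!p) break;                 /* pool exhausted: the leak won */
        if (leaky) free_leaky(p, 1); else free_correct(p, 1);
    }
    return pages_free();
}

int main(void) {
    printf("stale bytes, vulnerable alloc: %zu\n", demo_vulnerable_disclosure());
    printf("stale bytes, hardened alloc:   %zu\n", demo_hardened_disclosure());
    printf("free pages after 8 leaky cycles:   %zu\n", demo_pages_free_after_cycles(1, 8));
    printf("free pages after 8 correct cycles: %zu\n", demo_pages_free_after_cycles(0, 8));
    return 0;
}
```

The model deliberately keeps the two defects separate: the disclosure comes purely from zeroing fewer bytes than were handed out, and the exhaustion comes purely from a free that does not update the allocator’s bookkeeping. In a real driver the same two checks apply when reviewing any path that hands page-granular memory to a less privileged caller.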
The research group were able to access gigabytes of uninitialised memory. The data recovered included everything from user password hashes to pool addresses that could help an attacker get around security features like kernel address space layout randomization (KASLR) which try to make it harder for hackers to know where to find crucial system areas in memory.
Patch Early, Patch Often
Thankfully, downloading the latest AMD chipset drivers should be enough to stave off any potential attacks. AMD’s advice is to upgrade to the AMD PSP driver 126.96.36.199 through Windows Update, or to download AMD Chipset Driver 3.08.17.735. Presumably, this solves the issue by properly zeroing out memory during allocation, as well as freeing up memory properly when it’s no longer needed.
Overall, a software fix is enough to solve the issue, and it’s a vulnerability that lacks some of the scare factor of bigger finds like Meltdown and Spectre from years past. However, it just goes to show that computer security is an ever-shifting target. There’s always another vulnerability lurking just around the corner.