AMD Processors And Chipsets Reportedly Riddled With New Ryzenfall, Chimera And Fallout Security Flaws

Given the industry-wide panic that was unleashed following the disclosure of the Meltdown and Spectre processor vulnerabilities (with Intel taking the brunt of the heat), many are on edge about the potential for similar exploits to be discovered in other products. Unfortunately for those running AMD’s current Zen-based processor architecture, researchers have disclosed over a dozen critical security flaws that affect the Ryzen and EPYC processor families.

According to CTS-Labs, the Israeli security firm that first reported on the chip flaws, vulnerabilities lie in both the AMD Secure Processor (which is included on-die in every Zen-based processor) and the complementary chipset used with Ryzen and Ryzen Pro workstations. There are four primary exploits, which each have their own variants: Ryzenfall, Fallout, Chimera and Masterkey.

Ryzenfall leverages vulnerabilities in the Secure Processor, giving access to protected memory areas including SMRAM and the isolated memory for the Windows Credential Guard. With escalated privileges, malicious code can be injected to take full control of the Secure Processor, bypass the Windows Credential Guard, and gain access to passwords and even encryption keys. Critically, CTS-Labs says that Ryzenfall has the potential to “[expose] customer to the risk of covert and long-term industrial espionage.” Ryzenfall affects Ryzen, Ryzen Pro and Ryzen Mobile.

Fallout has a similar attack pattern to Ryzenfall, including gaining access to SMRAM and the Windows Credential Guard isolated memory. However, an added wrinkle is that it can bypass protections that are in place on certain systems to prevent the BIOS from being overwritten. Fallout is limited to EPYC servers.


Chimera takes advantage of two backdoors found in the supporting Ryzen chipset (one in hardware, one in firmware). Given that the chipset serves as a central staging area for Wi-Fi, Bluetooth, network, PCI-E and USB traffic (among others), attackers can install malware in the chipset to perform man-in-the-middle attacks with a keylogger. Chimera affects Ryzen and Ryzen Pro.

Masterkey leverages “multiple vulnerabilities” in the Secure Processor that can infiltrate AMD’s Secure Encrypted Virtualization (SEV) and Firmware Trusted Platform Module (fTPM). Incredibly, Masterkey attacks could allow an attacker to permanently damage Zen-based hardware. Masterkey affects Ryzen, Ryzen Pro, Ryzen Mobile and EPYC.

We reached out to AMD for their take on this developing situation, and a spokesman provided us with the following response, “At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.”

CTS-Labs really takes AMD to task over these exploits, and specifically calls out the company’s decision to outsource development of the Ryzen chipset (which is linked to Chimera) to ASUSTeK subsidiary ASMedia. The researchers allege that ASMedia has a “poor security track record” and has already come under fire from the FTC for its lapses in security.

“The vulnerabilities we have discovered allow bad actors who infiltrated the network to persist in it, surviving computer reboots and reinstallations of the operating system, while remaining virtually undetectable by most endpoint security solutions,” writes CTS-Labs in a white paper [PDF]. “This allows attackers to engage in persistent, virtually undetectable espionage, buried deep in the system and executed from AMD’s Secure Processor and chipset.”

“In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles. This raises concerning questions regarding security practices, auditing, and quality controls at AMD.”

According to CTS-Labs, it has not disclosed any technical information that would allow malicious actors to create working attacks for Zen-based processors. In addition, it has already contacted AMD, Microsoft and a handful of other companies to help implement patches for these vulnerabilities.

Patches for Ryzenfall, Fallout and Masterkey could be available within “several months”, while there is no direct fix for Chimera, which would instead require a workaround that could have “undesired side-effects”. Again, CTS-Labs unloads on ASMedia, saying that while it is unaware of any of the vulnerabilities being exploited in the wild, “similar vulnerabilities in other ASMedia products have been known in hardware hacking circles for several years.”
