Another day, another vulnerability. This time it’s AMD’s turn, with a large part of its modern processor lines suffering from a dangerous driver vulnerability that could leave PCs open to all kinds of attacks.
As reported by TechSpot, the flaw is in the AMD Platform Security Processor (PSP) driver and could leave systems vulnerable by allowing attackers to steal encryption keys, passwords or other data from memory. Today we will look at what role the PSP plays and how this vulnerability can be used against affected machines.
What is a PSP, anyway?
The AMD Platform Security Processor is functionally the equivalent of the Intel Management Engine (ME), which we have already discussed. AMD describes it as a subsystem “responsible for creating, monitoring and maintaining the security environment”. It consists of an ARM microcontroller core integrated into the main processor die, and it interfaces with main system memory, I/O and the processor’s registers.
In short, it’s a coprocessor that has access to pretty much every part of the computer it sits in. This makes it a prime target for attacks. Introduced around 2013, it is also fully closed source, existing as an unknown black box inside modern AMD processors, which makes security-conscious people very wary. Running at a low level, entirely outside the reach of the main processor and operating system, the PSP, like the Intel ME, is often seen as a potential backdoor into a machine.
Processors have been gaining security features for years, among them AMD’s Secure Memory Encryption and Intel’s Software Guard Extensions (SGX). These subsystems allow sections of memory to be partitioned and secured for special uses. However, these features have themselves turned out to be prone to vulnerabilities.
How the vulnerability works
The vulnerability is found across a broad line of AMD chipsets. According to AMD’s own disclosure it affects everything from modern Ryzen processors to chips dating back at least to the 2013 AMD Athlon X4. The issue was first reported to the company by [Kyriakos Economou] of ZeroPeril Ltd, who prepared a useful vulnerability report.
The vulnerability gives unprivileged users access to uninitialized memory. That may sound harmless, but uninitialized memory is often full of data left over from previous processes, even if the computer has been restarted or turned off. This can be an easy way to get at encryption keys, password hashes, or all kinds of other data lingering in unallocated RAM.
The first part of the problem arises when a user asks the AMD PSP driver to allocate memory. When a request is made to initialize a certain amount of memory, the driver rounds the request up to the memory page size, typically 4096 bytes.
If the user requests that 1 byte be initialized, the driver rounds this up to a full 4096 bytes and allocates that amount of memory to the user. However, it only initializes the first byte, leaving the rest in its previous state. The user can then read the remaining 4095 bytes that were never touched, thereby accessing the contents of uninitialized memory.
The second problem involves calls to the driver to free contiguous memory that was previously allocated. When some such calls are made, the driver does not properly release the allocated memory, which remains held privately by the process that made the original call. This creates a memory leak that can quickly monopolize large amounts of memory, making it unavailable to the rest of the system.
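To make the rounding flaw concrete, here is a small user-space simulation, added for this article and not taken from the AMD driver, of a page-rounding allocator that clears only the bytes the caller asked for, beside a fixed version that clears the whole rounded region. The memory pool, its 0xAA fill pattern and the helper names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 4096u

/* Round a requested byte count up to a whole number of pages. */
static size_t round_to_pages(size_t n) {
    return (n + PAGE_SIZE - 1) / PAGE_SIZE * PAGE_SIZE;
}

/* Constructed stand-in for memory that earlier code has used: filled with a
 * recognisable byte so leftover data is easy to spot. */
static uint8_t pool[PAGE_SIZE * 4];
static void reset_pool(void) { memset(pool, 0xAA, sizeof pool); }

/* Flawed allocator, modelling the behaviour described above: the request is
 * rounded up to a page, but only the bytes actually asked for are cleared, so
 * the rest of the page keeps whatever was there before. */
static uint8_t *alloc_flawed(size_t requested, size_t *out_len) {
    size_t len = round_to_pages(requested);
    if (requested == 0 || len > sizeof pool) return NULL;
    memset(pool, 0, requested);   /* clears only the requested bytes */
    *out_len = len;
    return pool;
}

/* Fixed allocator: clear the whole rounded region before handing it out. */
static uint8_t *alloc_fixed(size_t requested, size_t *out_len) {
    size_t len = round_to_pages(requested);
    if (requested == 0 || len > sizeof pool) return NULL;
    memset(pool, 0, len);         /* clears every byte the caller can reach */
    *out_len = len;
    return pool;
}

/* Count bytes in [0, len) still holding the old 0xAA contents: stale data the
 * caller could read back. */
static size_t stale_bytes(const uint8_t *p, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) if (p[i] == 0xAA) n++;
    return n;
}

/* Allocate `requested` bytes via the flawed (fixed == 0) or fixed path and
 * report how many stale bytes the caller ends up able to read. */
size_t leaked_bytes(size_t requested, int fixed) {
    size_t len = 0;
    reset_pool();
    uint8_t *p = fixed ? alloc_fixed(requested, &len) : alloc_flawed(requested, &len);
    return p ? stale_bytes(p, len) : 0;
}
```

A 1-byte request through the flawed path exposes 4095 stale bytes, a 4097-byte request exposes another 4095 from the second page, and the fixed path exposes none.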
The researchers were able to access gigabytes of uninitialized memory. The data recovered included everything from user password hashes to pool addresses that could help an attacker bypass security features such as Kernel Address Space Layout Randomization (KASLR), which tries to make it harder for attackers to know where critical system structures live in memory.
Patch early, patch often
Fortunately, downloading the latest AMD chipset drivers should be enough to avoid any potential attack. AMD’s advice is to upgrade to the AMD PSP 126.96.36.199 driver through Windows Update, or to download AMD chipset driver 3.08.17.735. Presumably this fixes the problem by properly zeroing memory during allocation, as well as properly freeing memory when it is no longer needed.
All in all, a software patch is enough to fix the problem, and the vulnerability lacks some of the scare factor of the biggest discoveries of years gone by, like Meltdown and Spectre. However, it shows once again that IT security is a moving target. There is always another vulnerability lurking around the corner.