
AMD’s unpatched chip microcode glitch may require extreme measures by CISOs – Source: www.csoonline.com


Source: www.csoonline.com – Author:

AMD has confirmed an unpatched “processor vulnerability” that may require CISOs to isolate their systems or even air gap them until there’s a fix.

AMD has had to confirm the existence of a major cybersecurity problem in its chip microcode before it can post a fix.

Microcode is typically loaded at startup and can change how the chip behaves. Because of that, security specialists are recommending that CISOs consider extreme protective measures, including network isolation, possible air gapping, and ideally blocking all firmware updates and patches until AMD fixes this problem.
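Before deciding whether to isolate hosts or freeze firmware changes, a security team needs to know which machines actually run AMD silicon and which microcode revision each one booted with. The following is an added example, not code from the article, from AMD, or from any of the people quoted: it parses the text of Linux's `/proc/cpuinfo` (whose `vendor_id`, `cpu family`, `model` and `microcode` field names are what the x86 kernel prints), records a baseline per host, and reports drift between a stored baseline and a fresh reading. The sample `/proc/cpuinfo` text is constructed for the example, including its revision value, and the `summarize`/`microcode_drift` function names and output keys are this example's own.

```python
"""Baseline and compare the loaded microcode revision on x86 Linux hosts.

Added example (not from the CSO article or AMD). Field names follow what the
Linux kernel prints in /proc/cpuinfo for x86 CPUs; SAMPLE_CPUINFO below is a
constructed two-CPU snippet, not a capture from a real machine.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: two logical CPUs reporting the same (made-up) revision.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
model name\t: AMD example processor (constructed)
microcode\t: 0xa201016
flags\t\t: fpu vme de pse tsc msr pae mce

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
model name\t: AMD example processor (constructed)
microcode\t: 0xa201016
flags\t\t: fpu vme de pse tsc msr pae mce
"""


@dataclass(frozen=True)
class CpuInfo:
    vendor: str
    family: int
    model: int
    microcode: int  # revision as an integer; printed by the kernel in hex


def parse_cpuinfo(text: str) -> List[CpuInfo]:
    """Turn /proc/cpuinfo text into one CpuInfo per logical CPU block."""
    cpus: List[CpuInfo] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "vendor_id" not in fields:
            continue  # not a CPU block (e.g. trailing junk)
        cpus.append(CpuInfo(
            vendor=fields["vendor_id"],
            family=int(fields.get("cpu family", "0")),
            model=int(fields.get("model", "0")),
            # The kernel prints the revision as 0x-prefixed hex.
            microcode=int(fields.get("microcode", "0x0"), 16),
        ))
    return cpus


def summarize(text: str) -> dict:
    """Reduce a host's cpuinfo to the facts worth storing as a baseline."""
    cpus = parse_cpuinfo(text)
    return {
        "is_amd": any(c.vendor == "AuthenticAMD" for c in cpus),
        "family_model": sorted({(c.family, c.model) for c in cpus}),
        "microcode": sorted({c.microcode for c in cpus}),
        "logical_cpus": len(cpus),
    }


def microcode_drift(baseline: dict, current: dict) -> List[str]:
    """Report anything about the loaded microcode that changed or looks odd.

    A revision change on a host with no scheduled firmware or OS update is
    exactly the event a team freezing firmware changes would want to notice.
    """
    findings: List[str] = []
    if baseline["microcode"] != current["microcode"]:
        before = ", ".join(hex(r) for r in baseline["microcode"])
        after = ", ".join(hex(r) for r in current["microcode"])
        findings.append(f"microcode revision changed: {before} -> {after}")
    if len(current["microcode"]) > 1:
        findings.append("mixed microcode revisions across logical CPUs")
    if baseline["family_model"] != current["family_model"]:
        findings.append("CPU family/model changed since baseline")
    return findings


if __name__ == "__main__":
    # Use the real file when present, otherwise the constructed sample.
    path = "/proc/cpuinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_CPUINFO
    current = summarize(text)
    print("AMD host:", current["is_amd"], "| revisions:",
          [hex(r) for r in current["microcode"]])
```

In practice the `summarize` output would be written to an inventory store per host and `microcode_drift` run against it after each reboot; the same parser works for Intel hosts, which simply report `is_amd` as false.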

The disclosure was forced on AMD after PC manufacturer Asus released details of the cybersecurity hole as part of a beta BIOS update. Although Asus has since deleted that part of the update, AMD decided to confirm the barest of details about the issue.

Good news and bad news

“AMD is aware of a newly reported processor vulnerability. Execution of the attack requires both local administrator level access to the system, and development and execution of malicious microcode. AMD has provided mitigations and is actively working with its partners and customers to deploy those mitigations,” it said in a statement to CSO on Thursday. “AMD recommends customers continue to follow industry standard security practices and only work with trusted suppliers when installing new code on their systems. AMD plans to issue a security bulletin soon with additional guidance and mitigation options.”

The technical nature of the problem delivers both good news and bad news. AMD’s statement that “execution of the attack requires both local administrator level access to the system and development and execution of malicious microcode” is the critical detail.

The good news, in a sense, is that this attack vector is beyond the means of most attackers. They first have to achieve full local admin access, and then they have to have the skills and tools to create realistic-looking malicious microcode. 

The bad news is that attackers who do have such capabilities, such as state-sponsored actors, could use this glitch to deliver fake microcode that would appear to be signed by AMD or some other trusted source. The glitch hampers the chip’s ability to authenticate the microcode it loads, which means malicious microcode might be able to modify CPU functionality.

On Thursday, one AMD official, who couldn’t speak on the record, told CSO that it would likely be several days before the patch was ready for dissemination.

The story was broken by The Register, which went into detail about how the glitch came to be disclosed. More important for CISOs, though, is what to do about it until the patch is installed on their systems.

Puts CISOs in a bind

John Price, CEO at Cleveland-based security firm SubRosa, said there is a history of these patch development timeframes getting longer.

“We have no idea how long it is actually going to take. I would proceed as if this will take quite some time,” Price said. 

Price said the unpatched glitch puts enterprise CISOs in a horrible bind. It means that nothing external that tries to touch the CPU can be permitted, at least not until the problem is fully patched.

“Restrict privileges wherever possible and delay non-critical firmware changes, including bios settings that might further increase exposure,” he initially said in a CSO interview, but he then added that even stricter measures might be needed. 

“Explore doing strict hardware segmentation, especially on high-priority critical systems. It must be a risk-based approach,” he said, adding that some companies might need to block all firmware changes entirely.

“If from a risk perspective it makes sense to air gap, then absolutely do that. Focus on risk elimination. Air gapping might be the way to go,” Price said. “If someone gets system level access, you have big problems.”

Price stressed the sophistication an attacker would need to take advantage of this hole, saying, “The exploit requires highly specialized skills to craft malicious microcode, making it less likely to be widespread. However, if a sophisticated threat actor perfects it, the impact could be severe.”

Another concern is that firmware issues straddle the lines between chipset design, motherboard vendors, and software, Price said. 

Flavio Villanustre, global chief information security officer of LexisNexis Risk Solutions, agreed with Price that the damage from a successful microcode attack could be catastrophic. 

“If a system is compromised to this level, the ability to deploy malicious microcode to the CPU could make for a very insidious attack vector that would be very hard to identify and address,” Villanustre said. “Creating these types of sophisticated attacks would require significant resources, but it could be something that a state sponsored actor could certainly do.”

Coordinated disclosure is critical

Villanustre was one of several security specialists who said that much of the potential damage came not from AMD, but from the disclosure by Asus.

“It’s possible that certain resourceful bad actors already knew about it, but making it widely known creates unnecessary exposure to organizations that still don’t have a way to mitigate the risk, since mainstream patches are not available,” Villanustre said, adding that “Asus’ disclosure seems to have been a mistake, but it would have been irresponsible otherwise. In any case, it’s not the first time CPUs are vulnerable and it won’t be the last time either.”

The Asus leak was “underscoring the critical importance of coordinated vulnerability disclosure. Prematurely revealing a security flaw heightens the risk of zero-day cyberattacks and spreads confusion, both of which can damage trust in Asus and AMD by users and the public,” said Frank Riccardi, a cybersecurity specialist and the author of the book, Mobilizing the C-suite: Waging War Against Cyberattacks. “I appreciate that the leak was accidental, but that will be cold comfort if cybercriminals exploit the vulnerability before AMD releases the official patch.”


Original Post url: https://www.csoonline.com/article/3809165/amds-unpatched-chip-microcode-glitch-may-require-extreme-measures-by-cisos.html

Category & Tags: Bugs, CSO and CISO, Security

