AMD CPU stack overflow flaw exposed online
According to foreign media reports on January 6, Google expert Cfir Cohen found a stack overflow vulnerability in the fTPM module of the AMD Platform Security Processor (PSP), affecting AMD 64-bit x86 processors. The researchers revealed that although the flaw has not yet been fixed, the conditions for exploiting it are very demanding.
AMD PSP is a dedicated security processor built into the main CPU chip that provides management functions similar to the Intel Management Engine. The Trusted Platform Module (TPM) is an international standard for secure cryptographic processors; it is also a dedicated microcontroller, and it protects the hardware by integrating encryption keys into the device. fTPM is the firmware implementation of the Trusted Platform Module.
Vulnerability can be exploited through an EK certificate
Through manual static analysis, Cohen discovered a stack-based overflow in the function EkCheckCurrentCert, which is called from TPM2_CreatePrimary with user-controlled data (a DER-encoded endorsement key (EK) certificate stored in NV memory). Cohen explained that a TLV (type-length-value) structure is parsed and copied into the parent stack frame, but the lack of bounds checking when handling the TLV structure means a specially crafted EK certificate causes a stack overflow. Attackers can therefore use a specially crafted EK certificate to gain remote code execution on the AMD security processor.
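The missing check, as an added example (not AMD's firmware code and not taken from Cohen's report): a DER TLV reader that validates the encoded length against both the remaining input and the destination buffer before copying. The function names, return codes and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse one DER TLV header in in[0..in_len). Returns 0 and points *val at
 * the value bytes, or -1 if the encoded length does not fit the input. */
int der_read_tlv(const uint8_t *in, size_t in_len,
                 uint8_t *tag, const uint8_t **val, size_t *val_len)
{
    if (in_len < 2) return -1;
    *tag = in[0];
    size_t len = in[1], hdr = 2;
    if (len & 0x80) {                        /* long form: next n bytes hold the length */
        size_t n = len & 0x7f;
        if (n == 0 || n > 4 || in_len < 2 + n) return -1; /* indefinite or oversized */
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | in[2 + i];
        hdr = 2 + n;
    }
    if (len > in_len - hdr) return -1;       /* value must lie inside the input */
    *val = in + hdr;
    *val_len = len;
    return 0;
}

/* Copy a TLV value into a caller-owned fixed buffer (e.g. one living in the
 * caller's stack frame). Returns -2 if the value would not fit. */
int copy_tlv_value(const uint8_t *in, size_t in_len,
                   uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    uint8_t tag; const uint8_t *val; size_t val_len;
    if (der_read_tlv(in, in_len, &tag, &val, &val_len) != 0) return -1;
    if (val_len > dst_cap) return -2;        /* the bounds check the article says was absent */
    memcpy(dst, val, val_len);
    *out_len = val_len;
    return 0;
}

int main(void)
{
    /* Constructed samples, tag 0x04 (OCTET STRING). */
    const uint8_t ok[]   = {0x04, 0x03, 'a', 'b', 'c'};
    const uint8_t over[] = {0x04, 0x0c, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11};
    uint8_t frame_buf[8]; size_t n = 0;
    printf("ok=%d\n", copy_tlv_value(ok, sizeof ok, frame_buf, sizeof frame_buf, &n));
    printf("oversized=%d\n", copy_tlv_value(over, sizeof over, frame_buf, sizeof frame_buf, &n));
    return 0;
}
```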
Exploitation conditions are demanding
Cohen said a prerequisite for exploiting this vulnerability is physical access, and experts say the PSP does not implement common mitigation techniques such as stack cookies, No-eXecute (NX) flags, or address space layout randomization (ASLR).
Meanwhile, Dino Dai Zovi, co-founder and CTO of security biz Capsule8, also said the vulnerability is not very remote: because a certificate that exploits this vulnerability needs to be written to NVRAM, an attacker must have privileged or physical access to the host.
A spokesman for AMD later confirmed to the media that the vulnerability is indeed hard to exploit: attackers must first gain access to the motherboard and modify the SPI flash to exploit it. Under those conditions, attackers may gain access to information protected by the TPM, such as encryption keys.
AMD is currently planning to address the vulnerability in a limited number of firmware versions, which will be released later this month.
Source: TheRegister, SecurityAffairs