It’s 2018, a new breed of firmware design bug is sweeping the world. Unlike traditional bugs, these are hard-to-fix flaws in embedded processor and hardware firmware.
This week, four new families of AMD processor vulnerabilities were disclosed: RyzenFall, Fallout, Chimera and MasterKey. The AMD disclosure is the latest in a series of processor firmware issues, including Spectre, Meltdown, and Intel SA-00075 and SA-00086. Additionally, some of the vulnerabilities are considered purposefully implanted during the manufacturing supply chain as backdoors.
- New kinds of security bugswere recently found in the Intel, AMD, ARM, IBM and Qualcomm processor firmware common to enterprise and IoT
- Almost all enterprisenetworks are impacted, including campus, data center, virtualization and cloud.
- These fresh attack vectors require enterprises to adopt new device classification and patching strategies.
- Organizing devices and updates by operating system is no longer enough.
- Enterprises need the capability to group and manage devices by processor, hardware and manufacturer.
Enterprises are Struggling to Respond to New Kinds of Device Vulnerability
The vulnerable processor trend continues from last year, which heralded our first Intel firmware issues. Then the New Year brought us Meltdown, Spectre and an updated Okiru/Satori botnet attacking IoT devices with ARC processors. Now we have an additional 13 AMD security flaws and manufacturer backdoors in four new vulnerability families.
What these CPU firmware issues have in common is their uncommon attack methods: They target the trust boundaries used in modern processors. The rings of trust we take for granted in modern computing have melted away. A whole new kind of attack is spreading in the wild. But enterprises struggle to manage impacted devices because the required data isn’t always in their asset inventories.
Enterprises Need New Tools to See and Classify Vulnerable Devices
To respond to this new kind of threat, enterprises must re-think supply chain and asset management lifecycles. Enterprises need modern systems that offer new kinds of firmware tags, groups and hardware classification criteria.
- Asset inventory systems shouldinclude processor and firmware Legacy deployments must be re-classified by firmware and original equipment manufacturer. Granular asset tracking is a necessity.
- Patches from vendors are often hardware-specific and dependent on the OEM. New methods to group devices by OEM are needed, as not all vendors have delivered patches in a timely manner.
- Many malfunctioning firmware patches have been rolled back, including patches by Intel, VMWare and leading OEMs. Centralizing orchestration is increasingly important for the enterprise.
- Controlling devices by firmwareis now a patching requirement. There’s no way around firmware classification when managing fleets of varied devices.
The Next Generation of Enterprise Compliance Includes Hardware and Firmware
Solutions like ForeScout CounterACT® collect hardware-specific metadata for managed devices on your network. Such modern solutions help solve the enterprise challenge of managing fleets of varied devices.
- Classification goes beyond the operating system. Compliance is no longer a software-only metric.
- Compliance enforcement requires the ability to customize network access control policies. BYOD and guest access policies are in scope.
- Enterprises need the capability to control access via segmented networksand hierarchical trust zones.
- It’s now possible to control network access according to device firmware status.
Guidance for Enterprise Asset Management Strategy
- SEE: Make sure you know everything that you have on your network.Be able to group and segment devices based on processor type and firmware version.
- CONTROL: Ensure devices in trust zones are both software- and hardware-compliant. Enable the segmenting of untrusted devices to less-sensitive networks. Extend control over the potpourri of BYOD devices.
- ORCHESTRATE: Streamline patching processes to include patching by hardware OEM and firmware status.
Guidance for ForeScout Customers
For AMD, specifically, a Policy can be written to detect windows managed machines with the following registry key value path:
where the value matches a regex of .*(Ryzen|Epyc).*
Also, ForeScout has published Security Policy Templates v18.0.1, which classifies Windows, UNIX/Linux and Mac OSX devices susceptible to Meltdown or Spectre. CounterACT administrators can customize similar policies based on related indicators and signatures.
Additional guidance includes:
- Upgrade ForeScoutCounterACT to include SPT v18.0.1. For technical requirements, consult the Release Notes and CounterACT Plugin Help File.
- Enact networksecurity policies that segment and notify system owners of vulnerable devices.
- Classify virtual-managed vs. physical-managed endpoints into different Groups.
- For managed endpoints, focus on browser updates after upgrading operating systems.
- If you cannot install detection software on an endpoint, you maybe able use command line tools to get firmware make and model numbers. Utilities include wmic on Windows, dmidecode on Linux and ioreg on Mac OS.
- Implement hardware asset tracking that includes make, model and component details. Include hardware SKUs and serial numbers.
These CPU firmware issues are not new to Operational Technology (OT) networks. Even when a known vulnerability exists in a component, it can’t be fixed easily due to other considerations. In fact, a CPU vulnerability typically requires hardware changes to be fixed completely. We need to think differently about mitigating the risk these vulnerabilities pose to the organization. Network segmentation comes to mind as a major technology that can help reduce the risk in many situations involving network attached devices.
Yet, keep in mind, you must be able to discover and classify the devices to segment them properly.