March 14, 2018 by Nick Griffin (UPDATED March 21, 2018)

Thirteen critical security vulnerabilities in AMD processors have allegedly been exposed by researchers at "CTS Labs", an Israeli cyber security firm.

The vulnerabilities are said to affect AMD Ryzen & EPYC products, and are classified into four categories that the researchers have code-named 'RYZENFALL', 'MASTERKEY', 'FALLOUT', and 'CHIMERA'. Some of these vulnerabilities are harshly described by the researchers as "backdoors, [that] could not have passed even the most rudimentary white-box security review".

An AMD spokesperson commented: "...at AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings."

UPDATE: AMD have now commented on the vulnerabilities and confirmed their existence, stating that "it’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system ... Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research."

All Bark and no Bite?

Some users have been quick to shoot down the researchers' findings, with one Twitter user claiming that the vulnerabilities are "over-hyped beyond belief".


Key technical details of the vulnerabilities have not been released, so it is difficult to gauge the full extent of these alleged vulnerabilities. However, the high bar of requirements needed to exploit most of them (i.e. administrative privileges, the ability to flash the system BIOS, the use of a vendor-supplied signed driver) somewhat diminishes their severity.

CTS-Labs has also been criticised for giving AMD only 24 hours to respond to their findings. A typical responsible disclosure process calls for a 90-day notice period before publication.

Recommendations

We urge users to treat this research with a degree of scepticism until an official announcement is released by AMD. CTS-Labs claim that they have shared the details with AMD, Microsoft, and 'a small number of companies that could produce patches and mitigations'. At present there are no known patches or mitigations available, although it is highly unlikely that these vulnerabilities are being exploited by attackers.

References

https://amdflaws.com/
https://www.reddit.com/r/Amd/comments/844o3c/amd_security_flaw_found_in_ryzen_epyc_chips
https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/