AMD ships CTS Labs vulnerability patches to ecosystem partners

AMD's patches are in 'final testing' and should soon be released publicly

In mid-March, a group called CTS Labs released a report detailing 13 vulnerabilities in AMD's new Ryzen series of processors, affecting products from their Ryzen, Threadripper and EPYC product lineups.

Going against standard procedure, CTS Labs publicly announced their findings without providing AMD with a 90-day notice between the vulnerabilities' discovery and their public disclosure. This gave AMD no time to validate CTS' discoveries or implement any fixes, creating a PR nightmare for the company.

It took AMD a week to respond to CTS Labs' findings, confirming that all attack types required administrative access to exploit. In short, each attack could only be used after an "Attacker already has compromised the security of a system", which minimises the impact of the vulnerabilities.

After being contacted by CTS Labs, Tom's Hardware contacted AMD for a progress update on their planned firmware mitigations. Over a month has passed since AMD's response to CTS Labs, though it seems that AMD is well on the way to addressing "all of the CTS identified vulnerabilities" in their EPYC lineup and patching Chimera across all platforms. Below is AMD's official response.

   Within approximately 30 days of being notified by CTS Labs, AMD released patches to our ecosystem partners mitigating all of the CTS identified vulnerabilities on our EPYC platform as well as patches mitigating Chimera across all AMD platforms. These patches are in final testing with our ecosystem partners in advance of being released publicly.  We remain on track to begin releasing patches to our ecosystem partners for the other products identified in the report this month.  We expect these patches to be released publicly as our ecosystem partners complete their validation work.


While AMD's response here is vague, the company has confirmed that they are working on the problem and are set to release platform mitigations when they are ready for public use. AMD doesn't want to repeat Intel's mistakes with Spectre, where early BIOS mitigations caused stability issues on both desktop and server platforms, forcing a recall of the firmware fixes and causing several significant delays.

Less than 90 days have passed since CTS Labs went public with their findings, which is the time that AMD should rightfully have been given to address the issues before CTS Labs' public disclosure. Regardless, the vulnerabilities CTS Labs reported are much less concerning than they were initially advertised, acting as a secondary attack instead of a level 1 vulnerability like Spectre/Meltdown.

Most Recent Comments

06-05-2018, 05:32:44

If I can remember right, all these issues can only be exploited if you are physically where the computer is, right? So, not a big problem.

06-05-2018, 05:41:14

Still a problem. Still glad they fixed it

06-05-2018, 05:58:09

Originally Posted by NeverBackDown
Still a problem. Still glad they fixed it

Out of topic, but NBD, what are you rocking? Intel or Ryzen?...

06-05-2018, 06:49:01

Originally Posted by NeverBackDown
Still a problem. Still glad they fixed it

Yeah especially given the incredibly harsh way it was served to them. No warning, nothing.
