
Severe processor vulnerabilities discovered on AMD Ryzen Processors - 13 vulnerabilities reported

CTS gave AMD 24 hours' notice before they made their findings public... something smells fishy here

Severe processor vulnerabilities discovered on AMD Processors - 13 vulnerabilities over four classes

AMD came out of the Spectre and Meltdown controversies without much of a hit, with Intel bearing the brunt of the issues. Now it looks like AMD has vulnerabilities of its own, with CTS Labs, an Israeli security company, announcing that AMD has 13 vulnerabilities that affect its Ryzen CPU lineup, hitting all product lines from Ryzen mobile to EPYC.

What is most worrying is that these flaws have been found within AMD's secure processor, an area within modern processors that is designed to maintain system security. It has also been reported that CTS Labs gave AMD less than 24 hours' notice before making their findings public, which is far shorter than the 90 days' notice that is standard within the industry. Intel was given 90 days' notice for both Spectre and Meltdown, whereas AMD got less than a day, making CTS Labs' conduct here questionable at best.

With all of this news coming out so quickly and seemingly out of nowhere, CTS Labs' findings must be called into question. At a minimum, this is atrocious conduct on the part of CTS from a security standpoint, especially given that AMD has not validated their findings. Take this news with a grain of salt for now, as this is a situation that is wholly unlike Spectre and Meltdown.

    A CTS Labs security audit revealed multiple critical security vulnerabilities and manufacturer backdoors in AMD’s latest EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile processors. These vulnerabilities have the potential to put organizations at significantly increased risk of cyber-attacks.

    CTS Labs has produced a white paper report further detailing these vulnerabilities available at amdflaws.com. CTS Labs has also shared this information with AMD, Microsoft, HP, Dell, and select security companies, in order that they may work on developing mitigations and patches, and examine and research these and any other potential vulnerabilities at the Company. CTS Labs has also shared this information with relevant U.S. regulators.

  
If these reported issues are genuine, they are not as readily exploitable as Spectre and Meltdown, seemingly requiring elevated administrator rights in many cases or, in the case of Masterkey, the installation of BIOS-based malware. For now, it seems like these issues are difficult to exploit, making them nowhere near as problematic as Spectre and Meltdown.

AMD is currently assessing CTS Labs' reported vulnerabilities, though the lack of notice from CTS has placed them in a position where they still have to develop a fix from scratch, leaving systems vulnerable in the meantime. It is possible that these issues are not as bad as CTS Labs fears, though they have regardless placed AMD in an awkward position. Below is a statement from an AMD spokesperson, as seen on CNET:

    At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.

 
The four major vulnerabilities that were found by CTS Labs are called Ryzenfall, Masterkey, Fallout and Chimera, each of which affects some or all of AMD's Ryzen CPU lineup. AMD has yet to confirm whether or not CTS Labs' reports are correct, mostly because CTS Labs did not allow a standard vulnerability disclosure period.

CTS Labs has stated in the video below that they want to "bring it [the issue] to public awareness before it becomes a real problem for society, not after". Sadly, what they may have done was disclose critical vulnerabilities before anyone had the chance to mitigate their effects, carelessly leaving Ryzen-powered systems insecure in the process.

 

More information about CTS Labs' reported vulnerabilities is available on amdflaws.com, citing issues with AMD's Ryzen chipset design (which uses ASMedia IP) and AMD's Secure Processor. Expect more information about these exploits to be released over the coming days and weeks. 

At this time AMD has not validated that any of these exploits work, which means that these exploits could still be proven to be false, a mistake from CTS or an outright fabrication. Regardless, CTS Labs' reported 24 hours of notice is downright shady, breaking proper protocol and leaving countless systems vulnerable if their reports are true.

CTS Labs was founded in 2017, acting as a "cyber-security consultancy firm specialising in ASIC and embedded systems security". As a newcomer to the industry, the company's quick public disclosure could be attributed to inexperience, though the way that this has gone down cannot be described as anything other than questionable and shady. 

At this time these security concerns seem overblown, with CTS' whitepaper seemingly detailing issues that can only arise when combined with heightened security privileges, signed drivers or BIOS modification, all things that shouldn't be a problem for most users.

Update - Below is an official statement from AMD which says that CTS Labs was previously unknown to AMD and that they find it unusual for a security firm to publish its findings without providing the affected party with a reasonable amount of time/disclosure to either investigate or address the issue.  

    We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops.



You can join the discussion on the vulnerabilities that have been found on AMD's Ryzen platforms on the OC3D Forums.

Most Recent Comments

13-03-2018, 12:10:08

Bartacus
This smells. 24 hours notice, when they gave Intel 90 days for Spectre? My anti-Intel tinfoil hat is tingling.

13-03-2018, 12:21:23

g0ggles1994
Quote:
Originally Posted by Bartacus
This smells. 24 hours notice, when they gave Intel 90 days for Spectre? My anti-Intel tinfoil hat is tingling.

Same here, there's a thread about it on /r/AMD and they're voicing the exact same concerns about this. Plus the timing of this just before Ryzen 2000 is far too convenient.

13-03-2018, 12:37:33

AlienALX
Why does it seem like one guy in the video is reading from a script?

Ah well, so at least it's not just my BE chip that leaks like a hole-ridden bucket.

13-03-2018, 12:55:00

WYP
Quote:
Originally Posted by Bartacus
This smells. 24 hours notice, when they gave Intel 90 days for Spectre? My anti-Intel tinfoil hat is tingling.

Quote:
Originally Posted by g0ggles1994
Same here, there's a thread about it on /r/AMD and they're voicing the exact same concerns about this. Plus the timing of this just before Ryzen 2000 is far too convenient

Regardless of the way you look at it, this issue has been handled the wrong way by CTS Labs, real or not.

The exploits themselves seem terrible when looking at the end game, but the requirements to exploit these issues make them seem extremely easy to avoid.

As mentioned in the article one of them requires BIOS-level malware. If somebody can do that you are well past the "we messed up" stage, as is the heightened privileges required for a lot of the others.

In short, this isn't Spectre/Meltdown, not even close. It seems like proper system security would avoid most of these problems.

13-03-2018, 15:42:03

barnsley
Oh look, they've already got a full stack of names for it. Chances are they've been sitting on this for a while and waited for the right time to release them. Judging by the registration date for amdflaws.com it looks like this has been planned.

For info,
Creation Date: 2018-02-22T13:52:35Z
(obviously the domain was registered by proxy)



Bit suspect this company was founded in 2017 as well.

The whole site looks and reads (to me at least) like a scam site. That coupled with the amazing 'research' by https://viceroyresearch.org just makes this whole thing look like a stock scam.