Security researchers at Israeli tech firm CTS Labs have published a list of 13 critical security vulnerabilities and manufacturer backdoors in AMD’s latest CPU lineups, which are likely to have deeper implications than Intel’s Meltdown and Spectre flaws.
The report, titled “Severe Security Advisory on AMD Processors“, claim that the security flaws affect AMD’s EPYC, Ryzen, Ryzen Pro and Ryzen Mobile lines of CPU chips, but the only saving grace – if you can call it that – is that it requires the would-be attacker to gain admin access to the devices to be able to plant the malware.
According to the security team behind the discovery, all consumers using these chips in their desktops, laptops, servers and workstations are affected by these vulnerabilities. The official website amdflaws.com tells us all about the vulnerabilities that could allow hackers to potentially install malware that resist all attempts to detect or delete them.
The Security Vulnerabilities
The CTS team detailed four classes of vulnerabilities in their report – viz. Masterkey, Ryzenfall, Fallout and Chimera. All of which were confirmed by Dan Guido, the founder of security firm ‘Trail of Bits’, whose researchers reviewed the flaws and the PoC exploit codes for each set of bugs.
Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.
— Dan Guido (@dguido) March 13, 2018
According to the paper published by the researchers, many of the security flaws are capable of surviving computer reboots and and even re-installations of the operating system, “while remaining virtually undetectable by most endpoint security solutions. This can allow attackers to bury themselves deep within the computer system and to potentially engage in persistent, virtually undetectable espionage”.
The Controversy
CTS Labs is taking a lot of fire from industry insiders and cyber-security analysts for going against convention and publishing the details just a day after disclosing them to AMD, barely giving the company a chance to issue security patches.
On its part, CTS published an unusually-long disclaimer, saying that it “may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports”, raising many to speculate that the company may be trying to hype up the issue to influence AMD’s stock prices negatively.
AMD Statement
The chip-maker, meanwhile, has released a statement, saying, “At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings”.
