It’s been just over a week since Israeli cyber-security startup CTS Labs published its whitepaper on the laundry list of vulnerabilities termed ‘AMDFlaws’ affecting AMD’s EPYC, Ryzen, Ryzen Pro and Ryzen Mobile CPU lineups. The report managed to create quite a stir among cyber-security analysts and industry insiders, with many of them lambasting the Tel Aviv-based firm for disclosing the vulnerabilities publicly just a day after notifying AMD about them, blindsiding the chipmaker completely.
Some, like outspoken tech guru and the creator of the Linux kernel, Linus Torvalds, have even gone so far as to question the findings themselves, calling the security advisory ‘garbage’, and saying that “it looks like the IT security world has hit a new low”. However, others, like reputed cyber-security analyst, Dan Guido, said that he and his team reviewed the flaws, and found them to be very real, irrespective of all the hype and controversy surrounding them.
For its part, AMD said that it would investigate the report “to understand the methodology and merit of the findings”. Now, the company has released a statement confirming all 13 vulnerabilities detailed by CTS, and has promised to issue patches for all of them within the next few weeks. The company further added that it doesn’t expect any performance degradation because of the impending updates.
The full statement highlights the level of difficulty and access needed to pull off the hacks described in the CTS Labs discovery: “It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.” AMD further added that anyone who can gain unauthorized administrative access can execute attacks of greater severity than the ones CTS Labs identified.
According to AMD, the issues will be fixed with firmware patches and BIOS updates within the next few weeks, “not months”. The company also said that none of these issues are Zen-specific, but relate to the PSP and ASMedia chipsets. The flaws are also apparently unrelated to the Meltdown and Spectre vulnerabilities that created so much confusion over the past few months.