CTS Labs caught silicon vendor Advanced Micro Devices off-guard on March 12 when it reported to the company that it had discovered a set of vulnerabilities that impact AMD’s EPYC, Ryzen, Ryzen Pro and Ryzen Mobile processors.
Contrary to established best practices in the security industry, CTS Labs only gave AMD 24 hours to respond, publicly disclosing the flaws on March 13. AMD has now had just over a week to analyze the findings, and on March 20 it released an initial technical analysis of the CTS Labs research. The analysis confirms initial reports that the flaws pose limited risk to most end users.
“We believe that each of the issues cited can be mitigated through firmware patches and a standard BIOS update, which we plan to release in the coming weeks,” AMD stated in an email sent to eWEEK. “These patches and updates are not expected to impact performance.”
The flaws impact AMD’s EPYC, Ryzen, Ryzen Pro and Ryzen Mobile processors and have been dubbed Ryzenfall, Masterkey, Fallout and Chimera by CTS Labs. Most of the issues were found with AMD’s Secure Processor element that could potentially have enabled attackers to read and write to protected memory.
While AMD did not refute that the vulnerabilities are real, the company did say their impact is somewhat muted given that an attacker would need administrative access to a system.
“It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings,” AMD CTO Mark Papermaster wrote in a blog post. “Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”
Going a step further, Papermaster noted that there are controls in modern operating systems that provide an additional layer of security that can help to prevent unauthorized administrative access. Even though the issues outlined by CTS Labs require administrative access, AMD is taking the flaws seriously and is now working on firmware patches that will be made available via BIOS updates in the coming weeks.
Disclosure
CTS Labs was broadly criticized in the security community for not giving AMD enough time to respond to its vulnerability reports. Industry best practices for responsible disclosure on vulnerabilities that are not actively being exploited dictate that researchers provide vendors with an appropriate amount of time that can range from 30 to more than 90 days to investigate and respond to flaws.
In an open letter responding to the criticism about its AMD flaws disclosure, Ilia Luk-Zilberman, CTO of CTS Labs, argued that responsible disclosure doesn’t actually work to protect end users. He wrote that with the current model of responsible disclosure, during the initial 30- to 90-day period it’s up to the vendor if it wants to alert customers that there is a problem.
“I think that a better way would be to notify the public on day 0 that there are vulnerabilities and what is the impact,” Luk-Zilberman wrote. “To notify the public and the vendor together and not to disclose the actual technical details ever unless it’s already fixed.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.