Security researchers from CTS Labs released a report on March 13 that claims Advanced Micro Devices CPUs are at risk from 13 critical flaws that can endanger users and organizations.
The flaws impact AMD’s EPYC, Ryzen, Ryzen Pro and Ryzen Mobile processors and have been dubbed Ryzenfall, Masterkey, Fallout and Chimera by CTS Labs. There currently are no publicly available patches for the issues, due in part to the fact that CTS Labs provided little time for AMD to respond. Meanwhile, some security researchers are disputing the severity of the flaws, given that they require administrative access to systems.
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise,” AMD wrote in a statement sent to eWEEK. “We are investigating this report, which we just received, to understand the methodology and merit of the findings.”
A common best practice for responsible security disclosure is that security researchers provide vendors with a window of time that can range from several days to several months to properly respond to a security report. In the case of the Meltdown and Spectre vulnerabilities impacting multiple CPUs that were publicly reported on Jan. 3, vendors including Intel worked on fixes for months ahead of the public disclosure.
Among the flaws that CTS Labs reported is Ryzenfall, which is a set of vulnerabilities that could enable an attacker to take control of the AMD Secure Processor element found in the Ryzen architecture.
“Secure Processor privileges could be leveraged to read and write protected memory areas, such as SMRAM and the Windows Credential Guard isolated memory,” the CTS Labs researchers claimed.
The AMD Secure Processor is also allegedly at risk from another set of flaws that CTS Labs has dubbed Masterkey. The Masterkey flaws are issues with the AMD Secure Processor firmware that could enable an attacker to install persistent malware.
In addition, CTS Labs is reporting that a flaw it calls Fallout impacts the EPYC AMD server chips and could enable an attacker to read and write arbitrary code from protected memory areas in a system. The last set of flaws, named Chimera, include what CTS Labs claims to be backdoors that could enable malicious code injection into the AMD Ryzen chipset.
CTS Labs has not publicly revealed full proof of concept code or explicit technical details for the AMD flaws. The company did, however, share some of its research with security researcher and Trail of Bits CEO Dan Guido.
“Yes, all the flaws require admin privs but all are flaws, not expected functionality,” Guido wrote in a Twitter message. “Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.”
However, not all IT experts are certain that the AMD flaws reported by CTS Labs represent new risks for end users. Linux creator Linus Torvalds was among those who were critical of the public reports from CTS Labs.
“It looks more like stock manipulation than a security advisory to me,” Torvalds wrote in a Google plus message.
Rapid7 Director of Research Tod Beardsley is also among those who are critical of the CTS Labs report.
“The issues all seem to be predicated on already having privileged access to the affected machines,” Beardsley told eWEEK.
Beardsley explained that to execute the CTS Labs AMD CPU flaws, an attacker would need to have the ability to update the running BIOS, the ability to run code as a local administrator or the ability to run unsigned drivers.
“In the end, the techniques described seem to lend themselves to more of an ongoing persistence campaign that requires extreme measures to avoid forensic detection, rather than an initial intrusion,” he said. “So, in that light, I think AMD’s users aren’t any worse off today than they were yesterday.”
As AMD continues its investigation, there are multiple things that end users can do to help mitigate potential risk. Beardsley suggests that standard advice for IT security best practices still applies.
“Keep up on patch management, restrict access to trusted individuals and trusted code, and mind your network segmentation,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.