It’s probably a good thing AMD didn’t rub Intel’s nose in the Meltdown and Spectre flaws too much because boy, would it have a doozy of a payback coming to it. A security firm in Israel claims to have found 13 critical vulnerabilities, spread across four separate classes, that affect AMD’s hot new Ryzen desktop and Epyc server processors.
However, the handling of the disclosure is getting a lot of attention, and none of it good. The company, CTS-Labs of Israel, gave AMD just 24 hours’ notice of its plans to disclose the vulnerabilities. Typically companies get 90 days to get their arms around a problem, and Google, which unearthed Meltdown, gave Intel six months.
Yet CTS-Labs went to the trouble of setting up a dedicated website, AMDFlaws.com, to host its findings and white papers. Mind you, there isn’t much in the way of supporting evidence, just claims, and no independent verification. Its white paper is replete with disclaimers, like this:
The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.
The result is that CTS-Labs is getting roasted on Twitter, and rightfully so. The veracity of its claims will be proven in the coming days. Nearly everyone agrees, though, that CTS-Labs’ handling of the matter was awful.
4 categories of vulnerabilities in AMD processors
OK, enough editorializing. CTS-Labs labels the four categories of vulnerabilities Ryzenfall, Masterkey, Fallout, and Chimera. The company claims it discovered the vulnerabilities while studying what it called known backdoors in ASMedia chipsets, the third-party chipsets AMD uses for Ryzen and Epyc.
It should be noted that the Epyc chip hasn’t really come to market yet. It takes longer to launch a server than a desktop. Ryzen, though, has been selling very well, so desktop users are primarily at risk if these vulnerabilities all check out.
The company claims these backdoors have existed for six years and would allow attackers to inject malicious code directly into the Platform Security Processor (PSP), a separate, isolated processor that provides global management and security functions. PSP is similar to Intel’s Management Engine (ME), which has also had security issues.
Each of the four classes of vulnerabilities has several individual vulnerabilities of its own. Masterkey has three, including persistent malware running inside PSP, bypassing firmware security, and even doing physical damage to hardware through flash wear.
The first three — Ryzenfall, Masterkey, and Fallout — share a slew of claimed capabilities, such as accessing Windows Isolated User Mode and Isolated Kernel Mode (VTL1), directly tampering with trusted code running on the AMD Secure Processor, stealing network credentials, bypassing Microsoft virtualization-based security (VBS), and planting memory-resilient malware.
A fourth Ryzenfall flaw allows for arbitrary code execution on the AMD Secure Processor by bypassing firmware-based security, along with network credential theft and hardware damage.
The two Chimera vulnerabilities are manufacturer backdoors, one implemented in firmware, the other in hardware. They allow malware to be injected into the chipset’s internal 8051-architecture processor, which links the CPU to USB, SATA, and PCI Express devices.
AMD has published a short response, given that it was caught flat-footed on this matter:
We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.