Researchers find 13 critical flaws in AMD's Ryzen and Epyc chips

Researchers accused of ignoring responsible disclosure claim AMD chips are riddled with critical flaws and backdoors; AMD says it is investigating.


It’s high drama on the AMD front as researchers claim to have discovered “multiple critical security vulnerabilities and exploitable manufacturer backdoors inside AMD’s latest Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile processors.”

The researchers say that if attackers exploited the flaws, the outcomes would range from AMD’s processors being infected with persistent malware that would be almost impossible to detect to attackers stealing sensitive data.

Israel-based CTS-Labs published a site dedicated to the 13 critical flaws, as well as a 20-page whitepaper, “Severe Security Advisory on AMD Processors.” They code-named the four classes of vulnerabilities Ryzenfall, Fallout, Chimera, and Masterkey. It is important to note that before the vulnerabilities could be exploited, attackers would first need to gain administrative rights (root access) on a targeted computer or network.

The report, which skips actual technical details, describes multiple potential attacks. For example, CTS claims that an attacker could leverage Ryzenfall and Fallout to read from and write to protected memory areas such as SMRAM and Windows Credential Guard isolated memory. Chimera and Masterkey could be leveraged to install persistent on-chip malware, which could evade detection and removal by virtually “all security solutions on the market.”


CTS gives AMD a 24-hour heads-up; short-seller claims AMD now worth $0

CTS admitted that it gave AMD only a 24-hour heads-up before going public with the flaws. Microsoft, Dell, HP, and “select vendors” were also notified one day before CTS announced the vulnerabilities to the public. That’s a far cry from the standard 90-day responsible disclosure.

A letter from CTS’s CTO criticized the responsible disclosure process (pdf), adding that notifying the public on “day 0” is a “better way,” as it puts more pressure on the vendor. He argued that by not disclosing “the actual technical details ever unless it’s fixed,” the public is not put at risk.

The whole situation gets even muddier since short-seller Viceroy Research released a 25-page AMD “obituary” report (pdf) about the “fatal security vulnerabilities.” Viceroy founder Fraser Perring told Reuters “that somebody anonymously emailed him a draft of the report at about 4 p.m. on Monday.” In Viceroy’s opinion, “the issues identified by CTS are fatal to AMD on a commercial level, and outright dangerous at an international level.” Furthermore, Viceroy believes “AMD is worth $0.00 and will have no choice but to file for Chapter 11 in order to effectively deal with the repercussions of recent discoveries.”

Now add in CTS’s disclosure, “Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.”

AMD’s response

AMD did not respond to CSO’s questions, but it released the following statement:

We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.

What some experts are saying about the AMD flaws

Trail of Bits CEO Dan Guido has been cited in nearly every article about the AMD flaws as he reviewed CTS’s technical reports and “proof of concept” code prior to CTS going public. He told Reuters, “These are real security issues in AMD code and processors” that hackers could exploit to manipulate or steal secure data. Guido is not the only security professional saying the AMD flaws are real.

Other security experts, such as Kevin Beaumont, are beyond irked about the disclosure process. Beaumont gives his initial technical analysis, including that the bugs require root access and the ability to execute code — both of which are “significant” mitigations. Since the attacks are not in the wild, he added, “The only real exploit here at the moment is a press exploit. This situation should not be happening.”
