Security researchers say they found a number of vulnerabilities within certain AMD processors.
Tel Aviv-based hardware security firm CTS Labs dropped a bombshell yesterday (13 March), warning that some AMD processors contain vulnerabilities described as “critical”.
The announcement was made via a standalone website, a series of videos and an accompanying whitepaper.
An array of flaws
Many of the claims within the whitepaper are damning, with researchers claiming the existence of “an array of hidden manufacturer backdoors inside AMD’s Promontory chipsets” and saying that Ryzen and Ryzen Pro chipsets could not have passed “even the most rudimentary white-box security review”.
The whitepaper also claims that the backdoors were placed in the processors by ASMedia, a Taiwanese manufacturer recently fined by the FTC for ignoring hardware vulnerabilities. According to CTS, the flaws are in AMD’s EPYC, Ryzen, Ryzen Pro and Ryzen Mobile lines of processors.
The four vulnerability classes (13 individual vulnerabilities in total) have been labelled Masterkey, RyzenFall, Fallout and Chimera, and require attackers to first gain administrative control of a targeted network or computer (not an impossible feat).
Once achieved, bad actors could then exploit the vulnerabilities to run persistent malware – which is nearly impossible to detect – or steal credentials a vulnerable computer uses to access networks, among other nefarious actions.
Some people within the security community are sceptical of the report from CTS. Critics of the report have noted highly unusual disclaimers within the report, relating to CTS possibly having “an economic interest in the performance of the securities of the companies” implicated.
Many are querying whether CTS could see a financial benefit from a drop in AMD stock prices, which is likely after such a massive threat disclosure. People also noted that CTS only provided AMD with a single day’s grace before publicly releasing the report, with many noting this was not exactly adhering to responsible disclosure guidelines.
AMD told Wired: “We are investigating this report, which we just received, to understand the methodology and merit of the findings.”
Arrigo Triulzi, a Google security researcher, described the research as “overhyped beyond belief” and many others are worried the claims could be inflated.
Security researcher Dan Guido told Ars Technica that all of the vulnerabilities are actionable. “Each of them works as described.” He added: “The package that was shared with me had well-documented, well-described write-ups for each individual bug. They’re not fake. All these things are real. I’m trying to be a measured voice. I’m not hyping them. I’m not dismissing them.”
As they are second-stage vulnerabilities (an attacker must first gain administrative privileges), they could allow malicious files to be installed without being detected by security software.
While there are doubts about the marketing of CTS’ findings and the motivation for their release, the core research seems relatively sound.
Updated, 11.55am, 14 March 2018: This article was updated to clarify that the AMD vulnerabilities revealed by the CTS researchers are alleged.