AMD’s Ryzen and Epyc server chips may be exposed to several vulnerabilities outlined in a report published today by Israel-based security research firm, CTS-Labs.
CTS-Labs claims to have found 13 critical security vulnerabilities in AMD’s chips. These are separate to the Spectre flaws disclosed by Google in January that also affected Arm and Intel chips, prompting an industry-wide patching effort.
In an unusual move, CTS-Labs only provided the research to AMD immediately prior to publishing the “AMDFLAWS” website.
CTS-Labs also published a white paper that describes each vulnerability’s impact without providing a proof of concept exploit that would allow other researchers to test the validity of the claims.
The short deadline widely differs from Google’s Project Zero already-hard vulnerability disclosure policy, which offers vendors a 90 days grace before it goes public with flaws.
In the case of Spectre and Meltdown side-channel vulnerabilities, Google extended its disclosure for Intel, Arm, AMD and cloud platform to six months in order to give vendors time to develop and deploy fixes. AMD and Intel now face class action lawsuits over their respective responses to the flaws.
An AMD spokesperson told CSO Australia it is assessing CTS-Labs’ report.
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings,” the AMD spokesperson said.
The alleged vulnerabilities affect AMD’s Secure Processor, formerly known as Platform Security Processor, an ARM-based processor inside the main CPU that is responsible for processing sensitive data. A Google Cloud Security Team member recently reported a remote code execution flaw in one of its components.
CTS-Labs divides the alleged AMD vulnerabilities into four categories, including Masterkey, Ryzenfall, Fallout, and a set of backdoors it calls Chimera that it found in a chipset provided by a Taiwanese subsidiary of Asus. All of the flaws require the attacker have local access and administrative privileges in order to exploit them.
There is a possibility that CTS-Labs’ report is designed to depress AMD’s stock. Short-seller Viceroy Research released a report today claiming the AMD flaws are “difficult, some practically impossible, to patch” and argues the chip maker will be forced to file for bankruptcy.
CTS-Labs’s legal disclaimer also states that it may have a financial interest in stock movements of companies that it provides security reports on.
“Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports,” CTS-Labs says.
Despite this, CTS-Labs’s claims appear to be legit if somewhat overhyped, according to Jake Williams, CEO of security firm, RenditionSec. He noted in a tweet that even if CTS-Labs approach isn’t ethical, its claims can still be valid.
Ryan Shrout, principal analyst at chip-focussed research firm Shrout Research, said Viceroy’s research note should be taken with a grain of salt at least until AMD has had time to test the validity of CTS-Labs’ claims.
“Only giving AMD engineers and its security team a day or less time indicates to me that CTS does not in fact have the best interest of AMD, or AMD customers, at the forefront,” Shrout told CSO Australia in an email.
Security researcher Kevin Beaumont labelled CTS-Labs' disclosure as "reckless" and essentially a media hack, given the lack of proof-of-concept code and attacks in the wild.
"All of the bugs require administrator (or root) access to exploit. This is a significant mitigation," noted Beaumont who described CTS-Lab's FAQ as "worse than Buffy [the Vampire Slayer] fanfic".
"The only real public exploit here at the moment is a press exploit. This situation should not be happening."
The scenario is reminiscent of the unconventional disclosure of security flaws in heart implants manufactured by St Jude Medical in 2016. Muddy Waters, a short-seller, teamed up with security firm MedSec to find and report the flaws. Despite the financial motivation, the vulnerabilities were confirmed and prompted action from regulators.
Shrout reckons Viceroy's claim that AMD stock is worthless due to the flaws was "absurd".
"Given the recent history with Intel and the Meltdown security vulnerability, and the responsible way in which it was released and handled by security professionals and the afflicted companies, this new release, combined with a history of questionable financial dealings, the AMD-specific flaws here seem off base."
"To be clear however, this does not in and of itself mean the security concerns are invalid, and researchers inside and outside AMD need time for due diligence,” added Shrout.
CTS-Labs didn't respond to questions by CSO Australia by the time of publishing.