Report Claims AMD Ryzen, EPYC CPUs Contain 13 Security Flaws

CTS-Labs, an Israeli-based security company, released a "severe security advisory on AMD processors" that alleges AMD's Ryzen and EPYC processors are susceptible to 13 critical security vulnerabilities that span four different classes. The company has classified the categories as Ryzenfall, Masterkey, Fallout, and Chimera.

CTS-Labs released the information in an unusual fashion. Typically, semiconductor vendors are given 90 days to respond to vulnerabilities before they're disclosed to the public, but CTS-Labs provided AMD with only a 24-hour notice. CTS-Labs states:

To ensure public safety, all technical details that could be used to reproduce the vulnerabilities have been redacted from this document. CTS has privately shared this information with AMD, select security companies that can develop mitigations, and the U.S. regulators. What follows is a description of the security problems we discovered and the risks they pose for users and organizations.

The unusual nature of the disclosure, and the lack of any supporting evidence, makes it difficult to asses the impact (be it real or imagined) of the alleged AMD security flaws. It is noteworthy that the three different groups of researchers that discovered the Spectre/Meltdown vulnerabilities provided the industry with 200 days of notice to prepare mitigations, which was unraveled by The Register.

CTS-Labs published the information at, which is a new site created by the small company. The company claims that it discovered the vulnerabilities while studying the impact of what it characterizes as known backdoors in ASMedia chipsets. The company claims these backdoors have existed for six years.

AMD uses ASMedia as its third-party chipset supplier, and CTS-Labs claims to have found the same backdoors on the Ryzen and EPYC chipsets. These backdoors purportedly allow hackers to inject malicious code directly into the Platform Secure Processor (PSP), which is a separate and secure processor that provides global management functionality.

The PSP (also called AMD Secure Processor) functions much like Intel's ME (Management Engine), which has proven in the past to have vulnerabilities. Neither AMD nor Intel open-source the code that runs on the processors, instead opting to run closed-source Linux distros.

CTS-Labs claims the chipset vulnerabilities led it to conduct an investigation into AMD's broader security practices, whereupon it discovered additional vulnerabilities.

We reached out to AMD for comment and received the following statement:

At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.

AMD's statement is somewhat vague, but the company has obviously had little time to assess the situation. AMD also had several lawsuits lodged against it after its initial statements on the Spectre/Meltdown vulnerabilities, which the Plaintiffs claim were misleading, so the company is obviously wisely exercising come caution.

We're digging deeper to find out more information about the vulnerabilities, but given the lack of information, it is best to be cautious. Much like the initial few days of the Spectre/Meltdown vulnerabilities, there is likely to be quite a bit of misinformation circulating in regards to potential performance impacts. Currently the information that CTS-Labs has posted is unverified and is presented without evidence, and the company has several strong disclaimers regarding its "disclosures." We've pasted a partial outtake of the disclaimers below.

AMD has said it will provide further information as it becomes available, and we expect a more detailed assessment of these alleged vulnerabilities will emerge as third-party security researchers study them. 

The CTS-Labs disclaimer, in part:

The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report.  Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.  Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.

Create a new thread in the UK News comments forum about this subject
This thread is closed for comments
Comment from the forums
    Your comment
  • HEXiT
    if these flaws are real it seems a bit odd that this company has released this info so soon after informing amd.
    then we see mention of economic interests?...
    yeah something seems off with this report.

    im now wondering how many of these exploits intel cpu's are affected by saying as they have some shared instruction sets.
  • HEXiT
    then i read the updated article... HARDWARE BACK DOORS!


    thats an obscene breach of privacy... and some 1 needs to be held to account.
    especially if it turns out that its been done at the behest of certain government agencies.
  • bicycle_repair_man
    You can't claim to be "informing the public about the vulnerabilities" and then cite an "economic interest in the performance of the securities" and still remain credible, particularly when you give AMD just 24 hours to respond and fail to back up your accusations with any evidence.

    This whole things reeks of horse sh*t.