AMD Responds To CPU Security Flaw Report

AMD has finally issued a full response to CTS Labs’ report that Ryzen and EPYC processors contain a total of 13 security flaws. Here’s the short version of the chipmakers’ response:

  • Exploitation of the vulnerabilities requires admin access
  • The vulnerabilities have to do with firmware and chipsets, not the x86 architecture
  • Patches are coming in the form of BIOS updates and firmware patches only--no microcode updates are required--via OEMs and ODMs
  • All issues will be addressed within “weeks,” but we strongly infer that AMD is aiming for 90 days  or less
  • There is no expected performance impact

The whole story was strange from the beginning. CTS Labs issued a red-alert type of report stating that AMD’s Ryzen and EPYC processors had numerous vulnerabilities, but it gave AMD just 24 hours to respond instead of the industry-norm 90 days. The firm also refused to release the full details of its findings, so only one entity--a security firm--was able to evaluate the assertions independently. Some of the surrounding coverage that landed immediately after the report was issued made the whole thing feel like a hit piece on AMD’s stock price. Further, no one had ever heard of CTS Labs before. Subsequent interviews that CTS Labs gave the press (including Tom’s Hardware and AnandTech) seemed to cloud things even more.

Having only CTS Labs’ own whitepaper on the subject to work from, we broke down the security flaws as much as we could here.

Although we still do not have access to the actual details of the vulnerabilities, we now, at least, have AMD’s response. It’s short and to the point.

In the post, AMD’s Mark Papermaster wrote in part:

The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

Papermaster also addressed the access issue--that is, in order for the vulnerabilities to be exploitable, one would need metal access. He stated:

Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues.

CTS Labs has made it seem as though an enterprise-level threat is a real possibility, but when AnandTech pressed the issue, CTS Labs clarified:

To be honest with you, in that particular situation [running a virtual machine on a server], the vulnerabilities do not help you very much. However if a server gets compromised and the cloud provider is relying on secure virtualization to segregate customer data by encrypting memory, and someone runs an exploit on your server and breaks into the SP, they could tamper with this mechanism and this mechanism.

Note that in AMD’s response, it condensed CTS Labs’ four threat categories into three. In all three, AMD stated that admin access is required, and all the attacks would require that the system’s security has already been compromised.

Expect all patches to arrive via AMD’s ODM and OEM partners within the next 90 days.

Create a new thread in the UK News comments forum about this subject
This thread is closed for comments
2 comments
Comment from the forums
    Your comment
  • Yuka
    Ok, that's a wrap then.

    No one ever mentions CTS again with a straight face, or unless giving a talk on how not doing proper security research.

    I kid, please mention them again, after they get sued by AMD and there are investigations in place to see why they were so friggin' dumb.

    Cheers!
  • DbD2
    From what I can tell they managed to make a lot of money off a pretty easy to fix set of bugs, and no one seriously expects any legal comeback. Hence we'll probably mention them again when the next bunch of people try the same trick.