Israel-based researchers claim to have uncovered 13 security flaws in AMD’s processor chipsets. CTS Labs’ researchers say the vulnerabilities could allow attackers to add viruses to guarded processors and evade detection.
But the firm has come under fire for not practising responsible disclosure. CTS issued an advisory notice about the flaws shortly after informing AMD, while manufacturers are normally given several weeks to address exploits.
The seriousness of the flaws is a matter of debate among researchers. Fearing hackers would exploit the vulnerabilities, CTS has not publicly set out any technical details. Instead, it enlisted security firm Trail of Bits to corroborate its findings.
Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.
— Dan Guido (@dguido) March 13, 2018
In an advisory notice published online, CTS’s researchers outlined 13 vulnerabilities and manufacturer backdoors inside AMD’s latest EPYC, Ryzen, Ryzen Pro and Ryzen Mobile lines of processors. In a foreword, CTS alleges that the flaws “have the potential to put organisations at significantly increased risk of cyber attacks”.
The vulnerabilities have been separated into four categories, dubbed Ryzenfall, Fallout, Chimera and Masterkey, and CTS claims they could be exploited by malware which has already infiltrated a computer to access files and personal information. However, the superuser permissions an attacker would need to exploit the vulnerabilities would already grant them access to such information.
While the flaws do not make servers or computers running AMD chips accessible to remote hackers, they could make it more difficult for security staff to find or remove malicious code.
AMD said in a statement it is actively investigating the findings of the report: “This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.”