plus69free - Fotolia

Researchers accused of irresponsible disclosure of AMD chip flaws

Israel-based researchers have been accused of irresponsible disclosure for going public with more than a dozen security flaws discovered in AMD processors

Researchers at CTS Labs issued a security advisory on vulnerabilities inside processors made by Advanced Micro Devices (AMD) just 24 hours after notifying the company.

This comes in sharp contrast to the way the disclosure of the Meltdown and Spectre chip vulnerabilities was handled. Although the flaws became public sooner than expected by affected chip makers, they already had around seven months in which to plan a response and prepare security updates.

Responsible disclosure typically allows software or hardware manufactures enough time to fix discovered vulnerabilities before they are made public, although Google’s Project Zero controversially allows software companies just 90 days to produce a patch before going public.

The CTS Labs security advisory states that the security firm’s researchers have discovered “multiple critical security vulnerabilities” and “exploitable manufacturer backdoors” in AMD’s latest EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile lines of processors.

“These vulnerabilities have the potential to put organisations at significantly increased risk of cyber attacks,” the advisory said.

Four groups of vulnerabilities

According to CTS Labs, critical vulnerabilities in the AMD Secure Processor could allow attackers to install malicious code inside the processor, steal network credentials and defeat the secure encrypted virtualisation feature.

The security firm claims that the Ryzen chipset is being shipped with exploitable manufacturer backdoors, which could allow attackers to inject malicious code into the chip.

The advisory divides the vulnerabilities into four groups. The first, dubbed Masterkey, consists of three vulnerabilities that can allow remote, unauthorised attackers to inject and execute code and create persistence on the AMD Secure Processor by bypassing the “Hardware Validated Boot” process conducted by EPYC and Ryzen processors. 

The second, dubbed Ryzenfall, consists of four “design and implementation flaws” inside the AMD Secure OS, which powers the AMD Secure Processor found in Ryzen, Ryzen Pro and Ryzen Mobile products. Attackers who gain elevated admin privileges can exploit these flaws to allow arbitrary code execution on the Secure Processor, as well as gain access to protected memory regions.

The third, dubbed Fallout, consists of three design-flaw vulnerabilities inside the boot loader component of EPYC’s Secure Processor. The Fallout flaws can be exploited by local attackers with elevated privileges to access protected memory regions.

The fourth, dubbed Chimera, consists of a manufacturer’s backdoor in the firmware and hardware of the Ryzen and Ryzen Pro processors, which CTS claims “could not have passed even the most rudimentary white-box security review”.

The security advisory notes that AMD’s outsource partner, ASMedia, is a subsidiary of ASUSTeK Computer, a company that has recently been penalised by the US Federal Trade Commission for neglecting security vulnerabilities and put under mandatory external security audits for the next 20 years.

“CTS believes that networks that contain AMD computers are at a considerable risk. The vulnerabilities we have discovered allow bad actors who infiltrated the network to persist in it, surviving computer reboots and reinstallations of the operating system, while remaining virtually undetectable by most endpoint security solutions,” the advisory said.

“This allows attackers to engage in persistent, virtually undetectable espionage, buried deep in the system and executed from AMD’s Secure Processor and chipset.

“In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles. This raises concerning questions regarding security practices, auditing, and quality controls at AMD.”

Suspicions surrounding threat discovery

AMD issued an initial statement saying that the company was investigating the report to understand the “methodology and merit” of the findings.

Considering the “risk” involved, it is surprising that CTS Labs went public with their finding just 24 hours after notifying AMD.

However, CTS Labs claims that its actions are intended to highlight what is described as AMD’s “disregard of fundamental security principles” in the hope that the security community takes note.

The security notice also points out that to ensure public safety, all technical details that could be used to reproduce the vulnerabilities have been redacted. The CTS Labs researchers have also not published any proof-of-concept exploits and said they had informed other unnamed security companies that could help develop remediation techniques.

However, the disclaimer following the advisory states: “Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.”

This had raised suspicions that CTS Labs may have a commercial motive for disclosing the AMD vulnerabilities so soon after notifying the chip maker.

AMD followed up its initial statement with a blog post confirming that the chip maker is investigating and analysing the CTS Labs findings.

“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops,” the company said.

As with the Spectre and Meltdown vulnerabilities, it will take time for the true nature of the risk to become clear, but already security commentators appear to be divided in their opinion.

Some have noted that the flaws discovered by CTS Labs require administrative privileges to execute, which means attackers would need considerable access to the target system to be able to exploit the flaws and that they are less of a threat than Spectre or Meltdown.

Others, however, say the impact of the newly disclosed vulnerabilities and backdoors is likely to be greater than Spectre and Meltdown because they allows an attacker to execute highly privileged code and persist on the victim machine.

Read more about Spectre and Meltdown

  • As IT recoils from the Spectre and Meltdown chip exploits, companies face patches that are incompatible, leading to crashes, reduced performance and lock-ups.
  • Meltdown and Spectre represent a risk that goes to the very heart of computing – this microprocessor flaw could be exploited to gain privileged access to a computer’s memory.
  • Although consumers are relatively unaffected by the recently disclosed security vulnerabilities in most modern processors, enterprises need to take the threat seriously.

Read more on Hackers and cybercrime prevention