AMD on chip flaws: 'Newly outed bugs are real but no big deal, and fixes are coming'

AMD casts chip security bugs as a storm in a teacup but will offer firmware updates to fix them in coming weeks.
Written by Liam Tung, Contributing Writer

AMD has confirmed its chips are vulnerable to the bugs exposed by Israel-based security research firm CTS-Labs this month.

But the chipmaker on Tuesday said it is developing firmware and BIOS updates to address the security flaws in its Ryzen and Epyc chips, which CTS-Labs made public just 24 hours after notifying AMD on March 13.

The little-known security firm drew criticism from researchers and developers for its unusual disclosure. Linux creator Linus Torvalds said CTS-Labs' security advisory and promotional websites "looks more like stock manipulation".

The launch of CTS-Labs' AMDflaws website detailing the AMD Ryzenfall, Masterkey, Fallout, and Chimera bugs coincided with a report by short-seller Viceroy Research, which suggested AMD had no other option but to recall its chips since the bugs couldn't be patched.

Despite CTS-Labs' precipitous disclosure, its findings were validated by US security firm Trail of Bits, which was hired by CTS-Labs to confirm its findings, and Israel-based antivirus company Check Point.

The Ryzenfall, Masterkey, and Fallout flaws affect AMD's Platform Security Processor (PSP), a component akin to Apple's Secure Enclave that protects Face ID and Touch ID biometric data on the iPhone, and Intel's Management Engine system for the enterprise. The Chimera bugs are backdoors in an AMD chipset supplied by ASMedia, a subsidiary of Asus.

Trail of Bits founder Dan Guido said the bugs could allow code execution in PSP that would be invisible to typical security products. The vulnerabilities could also allow an attacker to bypass the Windows 10 security feature Windows Credential Guard, secure boot, and other security features afforded by PSP.

However, he noted that there is no immediate danger for most users, that the vulnerabilities are expensive to exploit, and that the bugs are not surprising to find. CTS-Labs' discoveries are also not groundbreaking like the Meltdown and Spectre flaws found by Google, which variously affect Intel, AMD, and Arm chips.

AMD has grouped the vulnerabilities into three categories that it will fix with firmware and BIOS updates to be released in "coming weeks".

Unlike the performance overheads caused by mitigations for Spectre, AMD says its firmware updates for the bugs CTS-Labs found are not expected to have an impact on chip performance.

According to AMD, the Masterkey, Ryzenfall and Fallout, and Chimera flaws can only be exploited if an attacker has already compromised a system.

It also notes that an attacker would need administrative access to exploit each of the three categories of vulnerabilities.

"AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations," Mark Papermaster, AMD's chief technology officer, said in a blogpost.

"It's important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings," he writes.

"Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.

"Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues."
