AMD have today published a measured response to the CTS-Labs report on vulnerabilities in AMD Ryzen CPUs. Rather than attack the low-hanging fruit of the tone and content of said report and website, AMD have specifically acknowledged the security issues outlined in the report. The statement, which can be read below, outlines both the nature of the issues (resulting from firmware flaws and/or 3rd party chipset vulnerabilities) and the exceptional requirements necessary to attempt exploits.
For their part, AMD also make it clear that these vulnerabilities are separate from the Spectre vulnerabilities disclosed by Google Project Zero in January, and confirms that they were given less than 24hrs to respond by CTS Labs (an organisation previously unknown to AMD) before they published their white paper. They wisely do not take the authors to task for the rather... unconventional nature of the report.
Firmware updates to the Platform Security Processor - issued through BIOS updates - are now being developed to address the issues known as Masterkey, Ryzenfall and Fallout. Given the nature of the affected component it will be no surprise if these updates are put through thorough testing before being rolled out via BIOS update cycles.
Chimera meanwhile, a security issue in 3rd party chipsets used by many AM4 and TR4 motherboards, is set to be mitigated by a further BIOS patch. The implication is that AMD require the manufacturer to provide a true fix, and will also work towards that end.
It's anticipated that fixes to these issues will have no performance impact.
AMD Statement
On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.
The security issues identified can be grouped into three major categories. The table [reproduced below] describes the categories, the AMD assessment of impact, and planned actions.
AMD will provide additional updates on both our analysis of these issues and the related mitigation plans in the coming weeks.
Mark Papermaster,
Senior Vice President and Chief Technology Officer
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.
The security issues identified can be grouped into three major categories. The table [reproduced below] describes the categories, the AMD assessment of impact, and planned actions.
AMD will provide additional updates on both our analysis of these issues and the related mitigation plans in the coming weeks.
Mark Papermaster,
Senior Vice President and Chief Technology Officer
SOURCE: AMD Corporate Statement
