CPU manufacturers are enduring a rough few months. The massive Spectre and Meltdown vulnerabilities shook the computing world. And then, if the vulnerabilities weren’t bad enough, the patches put out to fix the issues came with their own set of problems. It’ll be some time until the effects of Spectre/Meltdown fade.
AMD chips weren’t unscathed. Worse, in March 2018, researchers claim to have found a raft of new AMD-specific critical vulnerabilities. However, some people in the tech world are unsure. Is there any truth to the reports of critical vulnerabilities in AMD Ryzen CPUs? Let’s take a look at the story so far.
Critical Vulnerabilities and Exploitable Backdoors
Israeli security firm CTS Labs disclosed 13 critical vulnerabilities. The vulnerabilities affect AMD’s Ryzen workstation, Ryzen Pro, Ryzen mobile architecture, and EPYC server processors. Furthermore, the vulnerabilities bear similarities to Spectre/Meltdown and could allow an attacker to access private data, install malware, or gain access to a compromised system.
The processor vulnerabilities stem from the design of AMD’s Secure Processor, a CPU security feature that allows safe storage of encryption keys, passwords, and other extremely sensitive data. They are compounded by a flaw in the design of AMD’s Zen chipset, which links the processor to other hardware devices.
“This integral part of most of AMD’s products, including workstations and servers, is currently being shipped with multiple security vulnerabilities that could allow malicious actors to permanently install malicious code inside the Secure Processor itself.”
Are These Vulnerabilities Real?
Yes, they’re very much real and come in four flavors:
- Ryzenfall: Allows malicious code to take complete control of the AMD Secure Processor
- Fallout: Allows an attacker to read from and write to protected memory areas such as SMRAM
- Chimera: A “double” vulnerability, with one firmware flaw and one hardware flaw that allows the injection of malicious code directly into the AMD Ryzen chipset; chipset-based malware evades virtually all endpoint security solutions
- Masterkey: Exploits multiple vulnerabilities in AMD Secure Processor firmware to allow access to Secure Processor; allows extremely stealthy persistent chipset-based malware to evade security; could allow for physical device damage
The CTS Labs security blog states, “Attackers could use Ryzenfall to bypass Windows Credential Guard, steal network credentials, and then potentially spread through even highly secure Windows corporate network […] Attackers could use Ryzenfall in conjunction with Masterkey to install persistent malware on the Secure Processor, exposing customers to the risk of covert and long-term industrial espionage.”
Other security researchers quickly verified the findings.
Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.
— Dan Guido (@dguido) March 13, 2018
None of the vulnerabilities require physical device access or any additional drivers to run. They do, however, require local machine administrator privileges, so there is some respite. And let’s face it, if someone has direct root access to your system, you’re already in a world of pain.
What’s the Issue Then?
Well, no one has really heard of CTS Labs. That on its own is not an issue; small firms complete excellent research all the time. The issue is, rather, how CTS Labs went about disclosing the vulnerabilities to the public. Standard security disclosure asks researchers to give the vulnerable company at least 90 days to rectify an issue before going public with sensitive findings.
CTS Labs gave AMD a whopping 24 hours before putting their amdflaws site online. And that has attracted significant ire from the security community. It isn’t only the site, though. The way the vulnerabilities are presented is also drawing criticism. The vulnerability information site features an interview with one of the researchers, is full of infographics and other media, has exciting and catchy names for the issues, and seems overblown for the release of a vulnerability. (A vulnerability they gave AMD less than 24 hours to fix, mind!)
CTS Labs gave their reasoning for this, too. CTS Labs CTO Ilia Luk-Zilberman explains that “the current structure of ‘Responsible Disclosure’ has a very serious problem.” Furthermore, they “think it’s hard to believe we’re the only group in the world who has these vulnerabilities, considering who are the actors in the world today.” You can read the full letter right here [PDF].
TL;DR: CTS Labs believes the 30/60/90-day waiting period prolongs the danger to already vulnerable consumers. If researchers make the disclosure straight away, it forces the hand of the company to act immediately. In fact, their suggestion of using third-party validation, as CTS Labs did with Dan Guido (whose confirmation Tweet is quoted above), is sensible, but it is something that already happens.
Shorting AMD Stock
Other researchers downplayed the severity of the flaws due to the required level of system access. There were further questions about the timing of the report as it emerged stock short-selling firm Viceroy Research were issuing a report declaring that AMD shares might lose all their value. AMD shares did indeed take a tumble, coinciding with the release of the CTS Labs vulnerability report, but closed the day higher than before.
Linux-kernel lead developer Linus Torvalds also believe that CTS Labs approach is negligent, stating “Yes, it looks more like stock manipulation than a security advisory to me.” Torvalds also laments the unnecessary hype surrounding the release, claiming that security researchers “Look like clowns because of it.”
Torvalds ranting isn’t unprecedented. But he is right. It also comes on the back of another “security alert” requiring both a terrible SSH and terrible root password to work. Torvalds (and other security researchers and developers) point is that sometimes just because a flaw sounds dangerous and exotic, it doesn’t make it a huge issue for the general public.
Can You Stay Safe?
Well, it is a mixed security bag. Is your AMD Ryzen CPU vulnerable? Yes, it is. Is your AMD Ryzen CPU likely to see an exploit of this kind? It is somewhat unlikely, at least in the short term.
That said, those with an AMD Ryzen system should raise their security vigilance for the next few weeks until AMD can release security patches. Hopefully, they’ll be a darn sight better than the Spectre/Meltdown patches!