AMD Investigating Reports of Ryzen Flaws

UPDATED at end of report with questions raised about the ethics of the security researchers involved, and statement from CTS-Labs. This post was originally published at 12:34 p.m. March 13 and has since been updated.

Researchers have found 13 critical security vulnerabilities in AMD's Ryzen and EPYC processors that can infect the PCs with malware, give attackers access to important data, read and write files and take over chipsets entirely. CNET first reported on the issues.

The vulnerabilities were discovered by Israeli security firm CTS-Labs, which gave AMD less than 24 hours' notice before CTS-Labs disclosed the issues. (Standard security-research practice is to provide the vendor with 90 days' notice.) However, CTS-Labs is cagey about the technical details, which may make the attacks exploiting the flaws difficult to reproduce. 

The flaws and their related attacks fall into four camps, which CTS-Labs named Masterkey, Ryzenfall, Chimera and Fallout.

"At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise," an AMD spokesperson told Laptop Mag. "We are investigating this report, which we just received, to understand the methodology and merit of the findings."

In a blog post, AMD cast doubt on the report:

"We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops."

Masterkey can affect the widest swath of machines, including laptops (running Ryzen Mobile), powerful creative machines (with Ryzen Pro) and workstations and servers (running Ryzen Workstation and EPYC Server chips, respectively). The attack involves reflashing the BIOS, which can be done via malware infection. Successful exploitation of the flaw would let attackers disable security features and even launch unwanted programs upon startup.

Ryzenfall, Chimera and Fallout are less of a direct threat, because they each require that an attacker must "be able to run a program with local-machine elevated administrator privileges" and supply "a driver that is digitally signed by the vendor,"  according to the researchers' white paper. (Simpler explanations are at the new website dedicated to promoting the flaws, AMDFlaws.com.)

If bad actors, even those without direct physical access, had that kind of power on a machine, they could do whatever they wanted anyway. Supplying a spoofed digital signature isn't within the skill set of most ordinary cybercriminals. 

Ryzenfall makes it possible for attackers to target any Ryzen-based machine and use malicious code to take over the processor completely, which would allow access to all sorts of protected data, including passwords. The researchers suggest that there are parts of the CPU that Ryzenfall can access that previous attacks couldn't get to.

Chimera, which affects Ryzen Workstation and Ryzen Pro machines, has two variants: hardware and firmware. On the hardware site, the chipset allows for malware to be run, so it can be infected through Wi-Fi, Bluetooth or other wireless traffic. On the firmware side, there's the issues that malware can be put directly on the CPU. But you have to weaken the processor with the Chimera attack first.

Fallout is likely to affect only enterprises, as it is limited to EPYC server chips. It lets attackers both read and write from protected memory areas, including Windows Defender Credential Guard, which stores data in a separated part of the operating system.

"We were recently made aware of this report and are reviewing the information," a Microsoft spokesperson said.

Researchers told CNET that these flaws might take several months to fix, although AMD has yet to provide a timeline. At the moment, the best option is to always keep your operating system updated, and, when possible, install the latest patches from your machine's vendor or from AMD. These are the same tips to follow if your machine is affected by Spectre or Meltdown, which affected Intel, AMD and ARM Processors.

UPDATES March 13: We didn't notice a link in tiny print on the AMDFlaws.com site that leads to a "Legal Disclaimer." The text of the  disclaimer raises some concerns about the ethical practices of CTS.

"Although we have a good faith belief in our analysis and believe it to be objective and unbiased," the disclaimer says. "you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

"CTS does not accept responsibility for errors or omissions," the disclaimer adds. "CTS reserves the right to change the contents of this website and the restrictions on its use, with or without notice, and CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate."

In plain English, the disclaimer says that CTS would not consider it unethical, hypothetically, if it were to have taken a short position on AMD stock before the release of its report. It also says that if anything in the report is wrong, it's not CTS' fault.

Soon after CTS posted its report at 10 a.m. Eastern time Tuesday, a market-research firm called Viceroy Research posted its own 25-page PDF based on the CTS report and proclaiming the "obituary" for AMD. Viceroy specializes in short-selling stock of companies it declares to have hidden flaws.

Needless to say, such disclaimers are highly unusual within the security-research community, and the timing and length of the Viceroy report suggests that the market-research firm had advance notice of CTS' report. 

Still, some experts think that despite the motives, the flaws could be real.

Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works. — Dan Guido (@dguido) March 13, 2018

We still think CTS' security-research report passes the smell test, but we'll be watching this one closely.

UPDATE March 14: Through a representative, Yaron Luk, co-founder of CTS-Labs, provided us with a statement.

"We have verified our results carefully both internally and with a third-party validator, Trail of Bits," the statement said in part, referring to Dan Guido's company. "We delivered a full technical description and proof of concept of the vulnerabilities to AMD, Microsoft, Dell, HP, Symantec and other security companies.

"Disclosing full technical details would put users at risk. We are looking forward to AMD’s response to our findings."

Image: AMD

Windows 10 Security and Networking