Slashdot Mirror


Researchers Find Critical Vulnerabilities in AMD's Ryzen and EPYC Processors, But They Gave the Chipmaker Only 24 Hours Before Making the Findings Public (cnet.com)

Alfred Ng, reporting for CNET: Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer. CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly. An AMD spokesperson said, "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings." Zack Whittaker, a security reporter at CBS, said: Here's the catch: AMD had less than a day to look at the research. No wonder why its response is so vague.

5 of 195 comments

  1. Requires complete takeover first? by Anonymous Coward · · Score: 2, Informative

    So it appears an attacker would have to have gained root/admin access over the OS before they could then install some persistent backdoor?

    Attacking the TPM could be bad, but once you have kernel level access you pretty much have anything you need to steal data anyway.

    This one seems to have a higher barrier to entry and a lot of assumptions versus just drive-by JavaScript executing code or a malicious guest VM breaking out of a hypervisor.

    I expect the CVSSv3 score to be medium.

  2. trying to make a name for themselves... by jmdevince · · Score: 5, Informative

    CTS Labs only registered their domain (cts-labs.com) 6 months ago. They registered amdflaws.com 2018-02-22. So they spent time tweaking the marketing material. This is nothing but a new company trying to make a name for themselves and have instead pissed off true security researchers by not following responsible disclosure. From CTS' own site: "Due to the sensitive nature of security vulnerabilities, we usually work under strict mutual NDAs with our customers to ensure maximum safety and privacy". ... Horseshit.

  3. They all have insane requirements by Anonymous Coward · · Score: 5, Informative

    All of those "vulnerabilities" have insane requirements like being able to defeat OEM BIOS flash protections or Windows' driver signing...

    MASTERKEY:

            Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update. This update would contain Secure Processor metadata that exploits one of the vulnerabilities, as well as malware code compiled for ARM Cortex A5 – the processor inside the AMD Secure Processor.

    RYZENFALL:

            Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

    FALLOUT:

            Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

    CHIMERA:

            Prerequisites for Exploitation: A program running with local-machine elevated administrator privileges. Access to the device is provided by a driver that is digitally signed by the vendor.

  4. Re:Sponsored by, Intel! (R) by Carewolf · · Score: 5, Informative

    Care to inform me how I would be the winner if flaws in hardware become published with ZERO chance for their makers to deliver any kind of patch before malware creators get a chance to exploit them?

    The place this hole is, is the AMD version of IME, a useless piece of malware designed to remote-control your computer, which Intel and AMD put there for enterprise purposes. Get rid of it or make it default off and these issues go away...

    I have no fucking clue why they installed those crappy Internet-of-shit operating systems in there by default in the first place.

  5. Re:Follow the money by slack_justyb · · Score: 5, Informative

    They literally spell it out on their disclaimer page.

    Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

    So while these exploits might be real, they just straight up fess to being shady as shit. This is some blackballing level of unethical behavior. They literally hit and run AMD for profit. Whoever these engineers are, this whole episode should be the end of any future career they might have had and it just stops short of what I would think would constitute an outright FTC investigation.

    Twenty-four hour notice and then posting publicly the exploits isn't research, that's a willful attack.