Researchers Find Critical Vulnerabilities in AMD's Ryzen and EPYC Processors, But They Gave the Chipmaker Only 24 Hours Before Making the Findings Public

Alfred Ng, reporting for CNET: Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer. CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly. An AMD spokesperson said, "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings," an AMD spokesman said. Zack Whittaker, a security reporter at CBS, said: Here's the catch: AMD had less than a day to look at the research. No wonder why its response is so vague.

Sponsored by, Intel! (R)

... someone needs to dig (deep) into who registered the amdflaw domain and who is funding this.

Re:Sponsored by, Intel! (R)

[sinij]

Yes, couple days to respond is a hit job and not a responsible disclosure. However, if AMD and Intel get into "flaw disclosure" wars, the only winner will be consumers. This is not a bad thing.

Not a vulnerability

[FeelGood314]

This is both an attack on AMD (and possibly their stock price) and a way for the researchers to get publicity. This happens way to often, just this time it got more publicity than usual. What happens is researchers looking to make a name for themselves finds what they think could sound like exploit, the fact that it might already be public knowledge or hell even the way a device is supposed to work (e.g. exploit needs signed drivers and physical access) doesn't matter. Usually the "researchers" aren't very good. They use automated tools to scan for a vulnerability that they don't really understand and when you respond that "yeah, that 32 bit signed/unsign error might be exploitable if you send me a buffer with 2^31 + 7 bytes of data to a processes on an old 32 bit server but since the process only has 2GB of memory good luck.* The researches intentionally published right away so that the organization they are attacking doesn't have time to respond. The researchers didn't want a response because they knew the response would be "fuck off, this isn't a vulnerability!"

*yes, I had this conversation.