AMD has finally acknowledged 13 critical vulnerabilities and exploitable backdoors in its Ryzen and EPYC processors, disclosed earlier this month by Israel-based CTS Labs, and has promised to roll out firmware patches for millions of affected devices ‘in the coming weeks.’
According to CTS-Labs researchers, critical vulnerabilities (RyzenFall, MasterKey, Fallout, and Chimera) that affect AMD's Platform Security Processor (PSP) could allow attackers to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.
Although exploiting the AMD vulnerabilities requires admin access, doing so could help attackers defeat important security features like Windows Credential Guard, TPMs, and virtualization, which are responsible for keeping sensitive data out of reach of even an admin or root account.
In a press release published by AMD on Tuesday, the company downplays the threat by saying that, "any attacker gaining unauthorised administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research."
However, AMD claims patches and updates for these critical flaws are not expected to impact device performance.
Responsible Disclosure Controversy
Infosec experts and journalists drew CTS Labs into controversy by raising questions over the way it disclosed vulnerability details to the public less than 24 hours after notifying AMD.
However, it's important to note that CTS Labs researchers did not disclose any technical information about the flaws to the public that could harm AMD users in any way.
According to Ilia Luk-Zilberman, CTO of CTS-Labs, the current process of 'Responsible Disclosure' has two significant problems:
- If a researcher gives the affected vendor a 30/45/90-day limit, it's extremely rare that the vendor would notify its customers about the unpatched security vulnerabilities during this period, leaving them unaware of potential risks.
- If vendors do not respond or patch the vulnerability during this 90-day disclosure period, researchers can choose to go public with full technical details of the flaws, ultimately putting the vendor's customers at risk.
Zilberman understands the need for both steps, but with his style of disclosing "AMD flaws," the company proposes an alternative 'Responsible Disclosure' process that:
- notifies affected customers about the impact,
- ensures public pressure on the vendor to get patches as soon as possible,
- involves third-party experts to verify the flaws, and
- at the same time never puts customers at risk.
"I think that a better way, would be to notify the public on day 0 that there are vulnerabilities and what is the impact. To notify the public and the vendor together. And not to disclose the actual technical details ever unless it’s already fixed. To put the full public pressure on the vendor from the get go, but to never put customers at risk," Zilberman said.
CTS Labs also claimed that AMD could take several months to release patches for most of the issues, and that some of them cannot be fixed.
For more details about the RyzenFall, MasterKey, Fallout, and Chimera vulnerabilities, you can head over to our previous article.