AMD has announced 13 critical vulnerabilities and exploitable backdoors in its processors. The flaws were detected in AMD Ryzen and EPYC processors by CTS Labs, a company based in Israel. CTS Labs has promised to create patches for millions of impacted devices.
Security researchers at CTS Labs reported that the critical vulnerabilities, named RyzenFall, MasterKey, Fallout, and Chimera, affect AMD’s Platform Security Processor (PSP) and could potentially enable cybercriminals to access private and sensitive data, inject persistent malware inside the chip, and take over control of the infected systems.
Although hackers need admin access in order to exploit the AMD vulnerabilities, the flaws could also allow cybercriminals to bypass some security features such as Windows Credential Guard or TPMs.
AMD has published a press release which indicates that “an attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”
The coming patches and upgrades for the mentioned vulnerabilities are not expected to improve device performance.
It is worth mentioning that experts and journalists at Infosec embroiled CTS Labs in controversy. Researchers at CTS Labs did not reveal any technical details about the vulnerabilities; as a result, experts at Infosec raised questions about the details of the flaws.
Ilia Luk-Zilberman, chief technology officer at CTS Labs, said that the present process of ‘Responsible Disclosure’ has two issues:
- Firstly, if the researcher gives the impacted vendor a 30/45/90-day time period, the vendor is unlikely to alert its customers about the unfixed flaws during this period.
- Secondly, if the vendor does not fix or respond to the flaw during the 90-day period, researchers may choose to go public with full technical information about the vulnerabilities. This way, the customers can be put at risk by the vendor.
The chief technology officer claims to understand the necessity of these steps but, in line with the way the AMD vulnerabilities were revealed, proposes an alternative disclosure process that notifies impacted customers about the incident, puts public pressure on the vendor to fix issues as soon as possible, gets third-party experts to verify the flaws, and does not put customers at risk.
“I think that a better way would be to notify the public on day 0 that there are vulnerabilities and what is the impact. To notify the public and the vendor together. And not to disclose the actual technical details ever unless it’s already fixed. To put the full public pressure on the vendor from the get go, but to never put customers at risk.”
CTS Labs also noted that AMD could take up to several months to fix and release patches for the most recent issues.