AMD investigating report on critical security vulnerabilities in Ryzen and EPYC chips


Meltdown and Spectre are two most major security flaws that affected most of the modern computing chipsets, and today CTS-Labs, a security company based in Israel researchers says that it has found 13 security flaws in AMD’s Ryzen and EPYC chipsets. These security flaws could allow attackers install malware on highly guarded parts of the processor.

It could also let intruders access sensitive data across millions of affected devices. Whats more alarming is that these vulnerabilities lie in what’s designed to be the secure part of the processors where passwords and encryption keys are present. For these vulnerabilities to work, they first need to gain administrative access. Despite the need for access, these malware present on the key section of processors creates a higher potential for damage than a normal attack would.

AMD’s Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. Whatsmore worrisome is that researchers gave just 24 hours for AMD to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure requires at least 90 days for the company to address flaws properly as it gives the attackers a chance to exploit. Back when Intel and ARM chips were affected by the Meltdown and Spectre, AMD claimed that because of design differences, its chips weren’t affected.

According to CTS-Labs co-founder and Chief Financial Officer Yaron Luk-Zilberman, these security vulnerabilities are divided into four categories. Other security researchers are finding faults in CTS-Labs for publishing the white paper lacking any technical details describing the vulnerabilities.

CTS-Labs said to have sent the technical report to Dan Guido, an independent security researcher and the CEO of Trail of Bits; Guido to which he responded in a Tweet saying that these threats were legitimate. CTS Labs has also shared this information with AMD, Microsoft, HP, Dell, and select security companies

An in a blogpost said:

We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.

Source 1, 2