Advanced Micro Devices (AMD) has released a statement following CTS Labs’ discovery of a set of vulnerabilities that affect some of its processors. This is the second time in recent months that a CPU vendor has had to deal with security flaws in its products: Meltdown and Spectre processor vulnerabilities were made public in January, which potentially affects desktops, laptops, and smartphones, as well as cloud-computing, virtual environments, and multiuser servers.
AMD's initial statement acknowledged the existence of vulnerabilities. It also provided technical assessment of the issues alongside planned mitigation actions.
What were the discovered vulnerabilities?
There are 13 vulnerabilities found in EPYC, Ryzen, Ryzen Pro and Ryzen Mobile processors. The exploits affect the firmware managing the AMD Secure Processor, as well as the chips used in some socket AM4 and socket TR4 desktop platforms running AMD silicon.
AMD grouped these vulnerabilities into three major categories: MASTERKEY and PSP Privilege Escalation (AMD Secure Processor or “PSP” firmware), RYZENFALL and FALLOUT (AMD Secure Processor firmware), and CHIMERA.
What’s the potential impact?
In MASTERKEY and PSP Privilege Escalation, an attacker who has already breached the security of a system can update flash to corrupt its contents. AMD Secure Processor (PSP) checks do not detect the corruption.
In RYZEN and FALLOUT, an attacker who has already compromised the security of a system writes to AMD Secure Processor registers to exploit vulnerabilities in the interface between x86 and AMD Secure Processor.
In CHIMERA, an attacker who has already compromised the security of a system installs a malicious driver that exposes certain Promontory functions.
Are the vulnerabilities critical?
According to AMD Chief Technology Officer Mark Papermaster, an attacker will have to gain administrative access to the system to exploit the vulnerabilities. Attackers gaining unauthorized administrative access would have a wide range of attacks at their disposal — well beyond the exploits identified in the cybersecurity firm’s research.
Trail of Bits researchers, who were contracted by CTS Labs, stated that there is no immediate risk of exploitation of these vulnerabilities for most users, and that attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities.
When will the fixes become available?
AMD is already developing firmware patches and BIOS updates to address the vulnerabilities, which they will release within weeks. The company noted that these updates will not affect processor performance.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).