Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



CTS Labs Provides Clarifications on AMD Chip Flaws

As a result of massive backlash from the industry, Israel-based security firm CTS Labs has provided some clarifications about the recently disclosed AMD processor vulnerabilities and its disclosure method.

As a result of massive backlash from the industry, Israel-based security firm CTS Labs has provided some clarifications about the recently disclosed AMD processor vulnerabilities and its disclosure method.

CTS Labs this week published a report providing a brief description of 13 critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The flaws can allegedly be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware.

The vulnerabilities affect AMD’s Secure Processor, an environment where critical tasks are executed in order to secure the storage and processing of sensitive data and applications. The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges to the targeted machine.

AMD was only notified 24 hours before the vulnerabilities were disclosed, but no technical details have been published in order to prevent exploitation for malicious purposes.

CTS Labs was only launched recently and its founders’ work experience has raised some questions. This, combined with the lack of technical details in the report has made many people doubt that the vulnerabilities exist or that they are as critical as the company claims.

However, Dan Guido, CEO of Trail of Bits, and Alex Ionescu, a reputable researcher and Windows security expert, have confirmed CTS Labs’ findings after reviewing technical information provided by the company. Guido was paid to review the work, but Ionescu said he wasn’t.

CTS Labs has come under fire for not giving AMD time to release patches before its disclosure. A disclaimer from the firm and a report from a controversial company named Viceroy Research suggest that the existence of the vulnerabilities was made public as part of an investment strategy, similar to the 2016 incident involving MedSec, Muddy Waters and St. Jude Medical.

Advertisement. Scroll to continue reading.

In response to criticism, CTS Labs CTO Ilia Luk-Zilberman argued that the company’s approach to “responsible disclosure” is more beneficial for the public. He proposes that instead of notifying vendors and giving them a certain amount of time to release patches before disclosing full technical details, researchers should notify the public and the vendor at the same time without ever making technical details public, unless the flaws have been patched.

Luk-Zilberman admitted that CTS should have asked several third-parties to confirm its findings before going public in order to convince everyone that their claims are true.

While the CTO’s argument might make sense, many members of the industry are not convinced, particularly due to CTS’s disclaimer claiming that it may have, “either directly or indirectly, an economic interest in the performance of the securities [of AMD].” There is also the report from Viceroy, which attempts to persuade that “AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries.”

CTS Labs has not provided any clarifications regarding its financial interests related to the disclosure.

Regardless of CTS Labs’ motives, Ionescu and Guido have confirmed the vulnerabilities and warned that they should not be ignored.

Alex Ionescu confirms vulnerabilities found by CTS in AMD processors

Dan Guido confirms vulnerabilities found by CTS in AMD processors

In an update posted on its website, CTS claimed that exploitation of the vulnerabilities does not require physical access; executing a file with local admin privileges on the targeted machine is enough.

“The only thing the attacker would need after the initial local compromise is local admin privileges and an affected machine,” CTS said. “To clarify misunderstandings — there is no need for physical access, no digital signatures, no additional vulnerability to reflash an unsigned BIOS. Buy a computer from the store, run the exploits as admin -– and they will work.”

After the news broke, AMD told customers and the media that it’s investigating CTS Labs’ claims.

AMD is one of the major processor makers affected by Meltdown and Spectre, and while the company has confirmed that the flaws impact some of its products, it has insisted that the risk of attacks is small.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...