As a result of massive backlash from the industry, Israel-based security firm CTS Labs has provided some clarifications about the recently disclosed AMD processor vulnerabilities and its disclosure method.
CTS Labs this week published a report providing a brief description of 13 critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The flaws can allegedly be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware.
The vulnerabilities affect AMD’s Secure Processor, an environment where critical tasks are executed in order to secure the storage and processing of sensitive data and applications. The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges to the targeted machine.
AMD was only notified 24 hours before the vulnerabilities were disclosed, but no technical details have been published in order to prevent exploitation for malicious purposes.
CTS Labs was only launched recently and its founders’ work experience has raised some questions. This, combined with the lack of technical details in the report has made many people doubt that the vulnerabilities exist or that they are as critical as the company claims.
However, Dan Guido, CEO of Trail of Bits, and Alex Ionescu, a reputable researcher and Windows security expert, have confirmed CTS Labs’ findings after reviewing technical information provided by the company. Guido was paid to review the work, but Ionescu said he wasn’t.
CTS Labs has come under fire for not giving AMD time to release patches before its disclosure. A disclaimer from the firm and a report from a controversial company named Viceroy Research suggest that the existence of the vulnerabilities was made public as part of an investment strategy, similar to the 2016 incident involving MedSec, Muddy Waters and St. Jude Medical.
In response to criticism, CTS Labs CTO Ilia Luk-Zilberman argued that the company’s approach to “responsible disclosure” is more beneficial for the public. He proposes that instead of notifying vendors and giving them a certain amount of time to release patches before disclosing full technical details, researchers should notify the public and the vendor at the same time without ever making technical details public, unless the flaws have been patched.
Luk-Zilberman admitted that CTS should have asked several third-parties to confirm its findings before going public in order to convince everyone that their claims are true.
While the CTO’s argument might make sense, many members of the industry are not convinced, particularly due to CTS’s disclaimer claiming that it may have, “either directly or indirectly, an economic interest in the performance of the securities [of AMD].” There is also the report from Viceroy, which attempts to persuade that “AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries.”
CTS Labs has not provided any clarifications regarding its financial interests related to the disclosure.
Regardless of CTS Labs’ motives, Ionescu and Guido have confirmed the vulnerabilities and warned that they should not be ignored.
In an update posted on its AMDflaws.com website, CTS claimed that exploitation of the vulnerabilities does not require physical access; executing a file with local admin privileges on the targeted machine is enough.
“The only thing the attacker would need after the initial local compromise is local admin privileges and an affected machine,” CTS said. “To clarify misunderstandings — there is no need for physical access, no digital signatures, no additional vulnerability to reflash an unsigned BIOS. Buy a computer from the store, run the exploits as admin -– and they will work.”
After the news broke, AMD told customers and the media that it’s investigating CTS Labs’ claims.
AMD is one of the major processor makers affected by Meltdown and Spectre, and while the company has confirmed that the flaws impact some of its products, it has insisted that the risk of attacks is small.