AMD is investigating claims that its processors are affected by more than a dozen serious vulnerabilities, and the company that found the flaws is facing backlash over its disclosure method.
Israel-based CTS Labs on Tuesday published a report claiming that it has found 13 critical vulnerabilities and backdoors in AMD’s EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile processors over the course of six months. Only a high level description of the security holes has been made public, but AMD was informed of the flaws only one day before disclosure.
CTS Labs has set up a dedicated website and assigned names to each type of vulnerability it has found. According to the company, the security holes mostly affect AMD’s Secure Processor technology and they can be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware.
The vulnerability class dubbed MASTERKEY by CTS Labs can reportedly be exploited to deploy persistent malware inside the AMD Secure Processor, but exploitation involves installing a malicious BIOS update. These flaws can be used to bypass firmware and software security features, including the Firmware Trusted Platform Module (FTPM), Secure Encrypted Virtualization (SEV), Windows Defender Credential Guard, and Microsoft’s Virtualization-based Security (VBS) technologies. MASTERKEY can be leveraged to steal network credentials and cause physical damage to targeted devices, CTS said.
The RYZENFALL vulnerabilities, which affect Ryzen processors from AMD, in the worst case scenario, can be exploited to take complete control of the Secure Processor. Attackers can leverage this to plant malware that cannot be removed by traditional security solutions, researchers said.
FALLOUT vulnerabilities affect the boot loader component of the Secure Processor in EPYC CPUs. Exploitation requires a digitally-signed driver supplied by the vendor. Attackers can leverage FALLOUT to plant highly persistent malware, disable BIOS protections, steal network credentials, and bypass security mechanisms.
The last class of vulnerabilities has been dubbed CHIMERA. These are backdoors in AMD’s Promontory chipsets, which are used in Ryzen and Ryzen Pro workstations. The backdoors, found in both the firmware and the hardware, can be exploited to execute malicious code inside the chipset’s internal processor, CTS said. These backdoors were reportedly introduced by ASUS subsidiary ASMedia.
Exploitation of all the vulnerabilities requires elevated privileges to the targeted machine.
Impact and comparison to Meltdown/Spectre
Security firm enSilo, which published an FAQ shortly after CTS Labs made available its report, compared the vulnerabilities to Meltdown and Spectre, which impact CPUs from Intel, AMD, ARM and others. However, some argued that the issues disclosed by CTS Labs are nowhere near as severe due to the fact that they mostly impact AMD’s Secure Processor technology rather than the hardware itself.
Dan Guido, CEO of Trail of Bits, said his company reviewed CTS Labs’ technical report and confirmed that the vulnerabilities exist and that the proof-of-concept (PoC) exploits work, but admitted that all flaws require administrator privileges for exploitation. Trail of Bits was paid by CTS Labs to review the findings.
Researcher Arrigo Triulzi called CTS’s report “over-hyped beyond belief” and a “whitepaper worthy of an ICO.” Triulzi pointed out that if an attacker obtains elevated privileges and is able to perform malicious BIOS updates and load unauthorized code, they would not need to exploit these vulnerabilities in order to gain complete control over a system.
Triulzi admitted that the CHIMERA vulnerability could pose a problem, but only “if you are a government agency.” CTS noted in its report that it may not be possible to directly fix this bug, and it may require a workaround or a recall of the product.
AMD was only given one day to prepare for CTS Labs’ disclosure and the company says it has launched an investigation. Vendors are typically given months to fix or mitigate these types of flaws; in the case of Meltdown and Spectre, affected companies were given roughly half a year to work on patches.
“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” AMD stated.
While CTS Labs has not released any details and claims no technical information will be made available any time soon to prevent abuse, its methods have been called into question.
“The way that CTS Labs chose to publicly identify vulnerabilities they discovered in AMD chips is a case study in what not to do when you discover a software or hardware weakness in the wild,” Jon Bottarini, Technical Program Manager at HackerOne, told SecurityWeek. “Responsible disclosure should be the prime directive for security researchers, and by only allowing AMD 24 hours to respond before CTS Labs notified the press, CTS stood to do more harm than good.”
Many potentially serious vulnerabilities have been found in similar Intel technologies over the past year, but in most cases they were responsibly disclosed to Intel and the company started working on patches before disclosure.
On the other hand, CTS’s unorthodox disclosure method may have been driven by financial motives.
“Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports,” CTS Labs noted in its report.
A controversial company named Viceroy Research published its own report following CTS Labs’ disclosure in an apparent effort to short AMD stock.
“In light of CTS’s discoveries, the meteoric rise of AMD’s stock price now appears to be totally unjustified and entirely unsustainable. We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries,” Viceroy Research said.
In addition to the findings, some have called into question the credibility of CTB Labs, a company founded in 2017, and its founders’ claims regarding other firms they launched and worked for.
This would not be the first time a report describing vulnerabilities in a product is used as part of an investment strategy. In 2016, investment research firm Muddy Waters used a report from medical cybersecurity firm MedSec to short-sell St. Jude Medical.