AMD on Tuesday acknowledged several vulnerabilities that had been previously reported in its Ryzen and EPYC chips, and said that it would roll out firmware patches for those flaws in the coming weeks.
The response comes a week after Israel-based CTS-Labs said that it has discovered 13 critical vulnerabilities and exploitable backdoors that impact AMD’s EPYC server, Ryzen workstation, Ryzen Pro and Ryzen mobile lineups.
AMD’s Senior Vice President and Chief Technology Officer, Mark Papermaster, said in a statement that the chip company plans to issue firmware patches for these vulnerabilities through an upcoming BIOS update.
“At AMD, security and the protection of users’ data is of the utmost importance. We believe that each of the issues cited can be mitigated through firmware patches and a standard BIOS update, which we plan to release in the coming weeks. These patches and updates are not expected to impact performance,” according to the statement.
Papermaster stressed that all the vulnerabilities were extremely difficult to exploit because attackers would first need administrative access to the system.
“It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings,” he said. “Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”
AMD said that “no performance impact is expected” after releasing its patches for systems being powered by its processors.
CTS-Labs had said that the flaws stem from the design of AMD’s “security gatekeeper” Secure Processor, which is the area of the processor where devices store sensitive data including passwords and encryption keys; and the design of AMD’s Ryzen chipset, which links the processor with hardware devices such as Wi-Fi and network cards.
The research company also said that there are four primary types of vulnerability variants that can leveraged to attack the AMD processors – Chimera, Ryzenfall, Fallout, and Masterkey.
Through Chimera, “an attacker could leverage the chipset’s middleman position to launch sophisticated attacks,” according to CTS-Labs, and could install malware to leverage the Direct Memory Access engine to attack the operating system. Ryzenfall, meanwhile, enables malicious code to take complete control over the AMD Secure Processor and leverage the technology’s privileges to read and write protected memory areas (such as SMRAM and the Windows Credential Guard isolated memory). Fallout impacts AMD’s EPYC server chips and allows attackers to read from and write to protected memory areas including SMRAM and Windows Credential Guard isolated memory (VTL-1), said CTS-Labs. Finally, the Masterkey flaw breaks down into three separate vulnerabilities found in AMD’s Secure Processor firmware, allowing hackers to infiltrate the Secure Processor in EPYC server, Ryzen workstation, Ryzen Pro and Ryzen mobile chips.
When CTS-Labs first revealed the vulnerabilities last week, the research company came under scrutiny for reportedly notifying AMD about its findings 24 hours before they were made public.
“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” AMD had said in an initial statement to Threatpost.
The vulnerability announcements come as another hit for the chip market after Spectre and Meltdown flaws were disclosed by Google Project Zero in early January – but AMD was quick to stress that the vulnerabilities did not relate to these flaws, but instead are linked to the AMD Secure Processor.
“The security issues identified by the third-party researchers are not related to the AMD ‘Zen’ CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018,” said AMD’s statement.
