Maybe it was the exaggerated threats against AMD’s business or the semi-unprofessional way the threats were brought to light but no matter — security start-up CTS-Labs claims of security holes in the chipmaker’s Ryzen and Epic processor lines are now being lambasted across the security community.
Earlier this week Threatpost wrote of the CTS-Labs report that its researchers had discovered 13 critical vulnerabilities and exploitable backdoors in AMD’s EPYC server, Ryzen workstation, Ryzen Pro and Ryzen mobile offerings. Among the most egregious problems CTS-Labs wrote about in a white paper included:
-The AMD Secure Processor, the gatekeeper responsible for the security of AMD processors, contains critical vulnerabilities that could let attackers permanently install malicious code inside the Secure Processor itself.
-Secure Encrypted Virtualization, a key security feature that AMD advertises as one of its main offerings to cloud providers–could be defeated as soon as attackers obtain malicious code execution on the EPYC Secure Processor.
“In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles. This raises concerning questions regarding security practices, auditing, and quality controls at AMD,” CTS wrote.
“The Ryzen and Ryzen Pro chipsets, currently shipping with exploitable backdoors, could not have passed even the most rudimentary white-box security review. The Secure Processor, currently shipping with no fewer than ten critical vulnerabilities that bypass most of its security features, is afflicted with basic security design errors. Furthermore, neither the Security Processor nor the Chipset offer any significant mitigations against exploitation should vulnerability be discovered,” CTS said.
While such harsh observations are not completely unusual, a number of red flags have popped up since the company released the report.
For example, AMD was apparently notified about the CTS findings only about 24 hours before they were made public. Many researchers, upon discovering vulnerabilities give the vendor in question weeks, sometimes months to look into the situation and even let the develop a patch for the problem. Of course there is industry argument over that procedure as well. In this case though AMD was taken aback.
AMD wrote: “This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings.”
AMD says it is looking into the situation.
Others questioned the motive of disclosing the vulnerabilities so quickly. Reports from PC Gamer and The Register noted the link between the connection between CTS and others connected with the company. PC Gamer wrote:
“What is suspect, however, is that a separate website called Viceroy Research put out a report based on the startup’s findings, with the ridiculous conclusion that ‘AMD is worth $0.00 and will have no choice but to file for Chapter 11 bankruptcy in order to effectively deal with the repercussions of recent discoveries.’ According to The Register, Viceroy Research confirmed it has a short position on AMD’s stock and intends to increase that position—meaning that Viceroy has a direct financial stake in driving AMD’s stock price down. Viceroy founder John Perring also said he received a copy of the report via an anonymous source and found it ‘credible.'”
A video report from Gamers Nexus on other suspect issues around the CTS findings entitled “Assassination Attempt on AMD by Viceroy Research & CTS Labs” can be found here.
Even Linux’s creator Linus Torvalds, had an opinion on the CTS-AMD report. He wrote in a Google+ discussion,
“When was the last time you saw a security advisory that was basically ‘if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?’ Yeah.”
The response from the twitterverse has been just as dismissive — a typical example: “Is CTS-Labs legit? 24 hours’ notice & a professional website on a flaw which can seemingly be fixed by firmware seems like someone wanting to make quick cash on a short stock play.”
So, CTS-Labs gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report but took their time to create website, graphics and even videos to promote their findings? What an unprofessional shitshow! #amdflaws #infosec
— Henrik Johansen (@HenrikJohansen) March 13, 2018
Perhaps one of the problems in this case is that this report comes on the heels of the Intel Spectre and Meltdown vulnerabilities in that CPU security issues impact everyone so they get lots of attention, Richard Stiennon chief research analyst at IT-Harvest told Threatpost. “It doesn’t help that vendors like Intel have been so slow to respond to these problems either.”
Disclosed earlier this year, Threatpost wrote Spectre and Meltdown, “are far reaching and impact a wide range of microprocessors used in the past decade in computers and mobile devices including those running Android, Chrome, iOS, Linux, macOS and Windows. While Meltdown only affects Intel processors, Spectre affects chips from Intel, AMD, ARM and others.”
In trying to settle down some of the dust-up, a post by Ilia Luk-Zilberman, CTO of CTS-Labs perhaps stoked it further:
“I know there are many questions, and a whole lot of confusion. We are trying our best to answer reporters, update our site with Q&A, and clarify what’s going on. So far the media focus was on CTS, and I think I understand this, but very soon we will have to deal with the fact that a huge company with products spread throughout millions of computers in the world, is riddled with so many problems that it’s unclear how to even address this.”
(This article was written by guest author Michael Cooney. He can be reached at @Mcooney59)