Maybe it was the exaggerated threats against AMD’s business or the semi-unprofessional way the threats were brought to light, but no matter: security start-up CTS-Labs’ claims of security holes in the chipmaker’s Ryzen and EPYC processor lines are now being lambasted across the security community.

Earlier this week Threatpost wrote of the CTS-Labs report that its researchers had discovered 13 critical vulnerabilities and exploitable backdoors in AMD’s EPYC server, Ryzen workstation, Ryzen Pro and Ryzen mobile offerings. The most egregious problems CTS-Labs wrote about in a white paper included:

- The AMD Secure Processor, the gatekeeper responsible for the security of AMD processors, contains critical vulnerabilities that could let attackers permanently install malicious code inside the Secure Processor itself.

- Secure Encrypted Virtualization, a key security feature that AMD advertises as one of its main offerings to cloud providers, could be defeated as soon as attackers obtain malicious code execution on the EPYC Secure Processor.

“In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles. This raises concerning questions regarding security practices, auditing, and quality controls at AMD,” CTS wrote.

“The Ryzen and Ryzen Pro chipsets, currently shipping with exploitable backdoors, could not have passed even the most rudimentary white-box security review. The Secure Processor, currently shipping with no fewer than ten critical vulnerabilities that bypass most of its security features, is afflicted with basic security design errors. Furthermore, neither the Security Processor nor the Chipset offer any significant mitigations against exploitation should vulnerability be discovered,” CTS said.

While such harsh observations are not completely unusual, a number of red flags have popped up since the company released the report.

For example, AMD was apparently notified about the CTS findings only about 24 hours before they were made public. Many researchers, upon discovering vulnerabilities, give the vendor in question weeks, sometimes months, to look into the situation and even let them develop a patch for the problem. Of course, there is industry argument over that procedure as well. In this case, though, AMD was taken aback.

AMD wrote: “This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings.”

AMD says it is looking into the situation.

Others questioned the motive for disclosing the vulnerabilities so quickly. Reports from PC Gamer and The Register noted the connection between CTS and others linked with the company. PC Gamer wrote:

“What is suspect, however, is that a separate website called Viceroy Research put out a report based on the startup’s findings, with the ridiculous conclusion that ‘AMD is worth $0.00 and will have no choice but to file for Chapter 11 bankruptcy in order to effectively deal with the repercussions of recent discoveries.’ According to The Register, Viceroy Research confirmed it has a short position on AMD’s stock and intends to increase that position—meaning that Viceroy has a direct financial stake in driving AMD’s stock price down. Viceroy founder John Perring also said he received a copy of the report via an anonymous source and found it ‘credible.'”

Gamers Nexus published a video report on other suspect issues around the CTS findings, entitled “Assassination Attempt on AMD by Viceroy Research & CTS Labs.”

Even Linux’s creator, Linus Torvalds, had an opinion on the CTS-AMD report. He wrote in a Google+ discussion:

“When was the last time you saw a security advisory that was basically ‘if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?’ Yeah.”

The response from the twitterverse has been just as dismissive — a typical example: “Is CTS-Labs legit? 24 hours’ notice & a professional website on a flaw which can seemingly be fixed by firmware seems like someone wanting to make quick cash on a short stock play.”

Perhaps one of the problems in this case is that this report comes on the heels of the Intel Spectre and Meltdown vulnerabilities; CPU security issues impact everyone, so they get lots of attention, Richard Stiennon, chief research analyst at IT-Harvest, told Threatpost. “It doesn’t help that vendors like Intel have been so slow to respond to these problems either.”

Of Spectre and Meltdown, disclosed earlier this year, Threatpost wrote that they “are far reaching and impact a wide range of microprocessors used in the past decade in computers and mobile devices including those running Android, Chrome, iOS, Linux, macOS and Windows. While Meltdown only affects Intel processors, Spectre affects chips from Intel, AMD, ARM and others.”

In trying to settle down some of the dust-up, a post by Ilia Luk-Zilberman, CTO of CTS-Labs, perhaps stoked it further:

“I know there are many questions, and a whole lot of confusion. We are trying our best to answer reporters, update our site with Q&A, and clarify what’s going on. So far the media focus was on CTS, and I think I understand this, but very soon we will have to deal with the fact that a huge company with products spread throughout millions of computers in the world, is riddled with so many problems that it’s unclear how to even address this.”

(This article was written by guest author Michael Cooney. He can be reached at @Mcooney59.)

Comments (11)

  1. ItsDeadJim

    AMD should above all not respond to CTS-Labs’ alleged AMD Security Vulnerabilities using any of CTS Labs’ concocted Vulnerability Naming/Nomenclature (Ryzenfall, Etc.) or concocted graphics used to represent these claimed Vulnerabilities.

    AMD/others should require that all these alleged Vulnerabilities be Re-listed/Re-Classified under their proper Common Vulnerabilities and Exposures(CVE) Headings and not those obviously nefariously concocted CTS-Labs’ Vulnerability Classification “Names” or Graphics Images.

    AMD must not lend any credence towards the legitimacy of those CTS-Labs Questionable Vulnerability Classification Scheme Names(Ryzenfall, Etc.) and Graphics that are obviously there to Pander to Fear Uncertainty and Doubt.

    The entire Security Community Must only use the Common Vulnerabilities and Exposures(CVE) Headings and not allow their industry to be further shamed(See the Linus Torvalds Comments on that Matter). These Names/Graphics chosen BY CTS-Labs are not objective by any stretch of the imagination and should never be used to describe any security Vulnerabilities. These Vulnerabilities must have CVE headings and all makers’ processors/platforms need to be tested outside of the sphere of influence surrounding CTS-Labs’ and any of its paid/contracted representatives or CTS-Labs’ Clients(Viceroy Research, etc).

    Do not pander to the stock manipulators that these folks are acting in collusion with. This has all the hallmarks of a snow job regardless of any merits these folks’ claims may have. CTS-Labs are not concerned with any security threats reduction they are only taking advantage of any threats, actual or not actual, to target AMD/AMD’s reputation.

    That kind of behavior must never be rewarded, ever!

    • Judge Chip

      So your pathetic misplaced priorities are on, “Vulnerability Naming/Nomenclature” and NOT on the actual numerous security vulnerabilities? Get your priorities right with the end user, CTS Labs should be applauded for exposing these issues no matter what they call them many of which are processor specific. Since when does the finder of said vulnerabilities not have the right to name their findings, NEVER. If more and more verified results of CTS Labs are reported end users will be happy that CTS Labs is hard at work exposing these security flaws, and there is no reason at all that CTS Labs or any other security vulnerabilities testing lab not benefit from a ROI.

    • salty0n3

      You must not have dealt with many “large” organizations and vuln disclosures.

      Every org I have dealt with treats us researchers like a bag of crap. They attack us. They are demeaning to us.

      So sorry to be an A$$ but screw the big man, they have ignored security far too long and don’t deserve any kind of advanced notice anymore… that train left the station (long before equish*t) and some trust has to be restored in researchers before we give 2 ****’s about their stock prices.

      Personally never shorted a stock before sending a vuln disclosure but you are going to attack researchers when the problem is wall street and the big boys that think they are too large to fall.

      F THEM ALL
      /rant

  2. Judge Chip

    Still, Dan Guido, a chip security expert and the CEO of security firm Trail of Bits, told Ars that whatever ulterior motives it may have, the paper accurately describes a real threat. After spending much of last week testing the proof-of-concept exploits discussed in the paper, he said, he has determined that the vulnerabilities they exploit are real.

    “All the exploits work as described,” he said. “The package that was shared with me had well-documented, well-described write-ups for each individual bug. They’re not fake. All these things are real. I’m trying to be a measured voice. I’m not hyping them. I’m not dismissing them.”

    Once hackers gain low-level access to a targeted network, they typically collect as much data as they can as quickly as they can in hopes of elevating their privileges. All that’s required to exploit the AMD chip vulnerabilities, Guido said, is a single administrator credential inside the network.

    “Once you have administrative rights, exploiting the bugs is unfortunately not that complicated,” he said.

    • Judge Chip

      Another source,

      Kanter agreed with Guido that the vulnerabilities were a major embarrassment for AMD, particularly because most of them reside in the Platform Secure Processor, which is AMD’s version of the secure enclave in the iPhone. Unlike Apple, which custom-designed its secure enclave, AMD relies on a 32-bit Cortex A5 processor designed by ARM.

      AMD’s Secure Processor, Guido said, “is intended to be the one defensible part of the processor. The fact that you can upload unsigned code and get it to pass validation and the fact that you can manipulate all the mail slot handlers is not what I would expect as someone who needs to trust this component.”

      These are experts’ results doing validation testing of AMD’s vulnerabilities exposed by CTS-Labs analysis so sorry you AMD Advocate Firemen can put down the fire extinguisher and take off your Nomex AMD fire coat.

      Why are experts able to verify CTS-Labs analysis results in a week and AMD is silent, are they playing Dodgeball again like they did with Meltdown and Spectre?

      VERDICT: CTS-Labs analysis results are looking more and more credible as actual testing not attacking is being reported by unbiased experts.

  3. jean-michel

    You’re beating a dead horse. This is old news now no matter how much you regurgitate. Fact of the matter was that CTS labs were desperate to release any FUD because they had a financial state in the short position. These findings are nothing new, every microprocessor system had vulnerabilities if you take a scanner and probe and have access to the BIOS. In fact, there are 10 times more Intel systems in the world that are vulnerable to these attacks than AMD…yet CTS wanted to attack AMD.

  4. Uchiha

    “I think I understand this, but very soon we will have to deal with the fact that a huge company with products spread throughout millions of computers in the world, is riddled with so many problems that it’s unclear how to even address this.” Don’t we have this problem? It’s called Intel, more than 20 years of vulnerable processors in most computers of the world.

  5. Judge Chip

    Live in the past much? 20 years ago the malware proliferation was next to nothing, in the here and now malware is everyware. So what was AMD doing 20 years ago, are you saying AMD processors didn’t have vulnerable processors back then and how many of those processors are in use today?

    It’s not up to you to figure out how to address these security flaws, these companies have full time professionals and outsourced testing to figure out how to address these issues.

  6. Judge Chip

    salty0n3,
    Absolutely positively agree, you nailed it with your sledgehammer post, thanks for swinging it.

    Times are changing FAST, security researchers are an unfortunate but necessary part of today’s world and should’ve been for many years. Malware is here there everywhere and it’s getting worse not better, big org better embrace the change or pay big bucks one way or another. CTS-Labs knew this and fully disclosed its short position to benefit from its costly testing with a ROI which is very reasonable but AMD’s Advocates Firefighters attack with Factless FUD to fling on AMD’s security flaws fires. If CTS-Labs is right on with their analysis it’s going to backfire on AMD, just like when AMD played lie cry deny Dodgeball with Meltdown and Spectre only worse.

  7. Noitu

    I do love the fact that AMD offers a good product and after reading all this thread I have a few things to mention.
    1- CTS should have given a grace time before making it public.
    2- AMD should really review their security team and whoever is certifying it if a third party company was used for it.
    3- The chips situation today is the same as Internet in the early stages, before it was based on trust, and just recently we are finding bugs, backdoors and loopholes in all kind of systems and protocols. So if you want to take your time to dig on amd old chips please take your time and do so for intel and under manufacturers and I hope your lifespan is long enough for it.
    4- I will still be loving AMD.
