'Critical' firmware and hardware flaws found in AMD chips

An Israeli security firm says it has discovered 13 "critical" vulnerabilities and "manufacturer backdoors" in AMD processors, but security researchers have cast doubt over the claims.

AMD's Ryzen chips are among those said to be impacted.

CTS-Labs today published what it called a “severe security advisory” alleging it had identified serious Meltdown-like vulnerabilities affecting AMD chips.

AMD said in a statement it was "actively investigating and analysing [the] findings".

But already there are doubts being raised about the severity of the alleged flaws, as well as criticism over the way they were disclosed.

Rendition InfoSec founder Jake Williams did not dispute whether the flaws were real but raised concerns via Twitter that “AMD had 24h to respond to the notice before public announcement” by CTS-Labs.

If true, it would break with the usual responsible disclosure protocol of giving companies 90 days notice to fix flaws before they were made public.

AMD did not say how much notice it had been given, though it alluded to the time being less than standard.

"This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings," the chipmaker said.

"At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise."

Intel, AMD and ARM, by contrast, were given the standard 90 days by Google researchers to address the Meltdown and Spectre flaws that finally surfaced in January. That was pushed out twice to grant more time to find fixes.

CTS-Labs was also criticised in forums for a “legal disclaimer” on its disclosure, which warned that “although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports".

Swiss-based security researcher Arrigo Triulzi panned the disclosure for its lack of technical detail and the prerequisites required to exploit the alleged vulnerabilities.

For three out of four classes of vulnerability - codenamed Ryzenfall, Fallout and Chimera - “local-machine elevated administrator privileges” are required to exploit them, the CTS-Labs white paper says.

The other alleged vulnerability, which CTS-Labs calls Masterkey, “requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update”.

“If you allow unauthorised BIOS updates you are screwed,” Triulzi said, similarly panning the other alleged vulnerabilities.

"These vulnerabilities require admin privileges and are limited to the specified processors," security vendor Ensilo said in an FAQ. 

"Meltdown/Spectre, on the other hand, don’t require admin privileges and exists on almost every Intel/AMD/ARM processor in one form or another, and required massive software patches."

CTS-Labs said it had purposely “redacted ... all technical details that could be used to reproduce the vulnerabilities” but had “shared this information with AMD, Microsoft, and a small number of companies that could produce patches and mitigations".

It said it did not know when - or if - fixes could actually be produced.

“Firmware vulnerabilities such as Masterkey, Ryzenfall and Fallout take several months to fix,” it said.

“Hardware vulnerabilities such as Chimera cannot be fixed and require a workaround.”