Report Claims AMD Ryzen, EPYC CPUs Contain 13 Security Flaws (Updated)

Update, 3/13/18, 12:45pm PT: AMD issued a statement on its site regarding the report. The statement is more or less what we already posted below, although it does note what we highlighted, which is that it's quite odd to brief analysts and media and then publish security findings, all before notifying the company in question. AMD said it will post further updates on this blog.

We have a detailed breakdown of the alleged flaws here.

Original article, 3/13/18, 10:16am PT:

CTS-Labs, an Israel-based security company, released a "severe security advisory on AMD processors" that alleges AMD's Ryzen and EPYC processors are susceptible to 13 critical security vulnerabilities that span four different classes. The company has classified the categories as Ryzenfall, Masterkey, Fallout, and Chimera.

CTS-Labs released the information in an unusual fashion. Typically, semiconductor vendors are given 90 days to respond to vulnerabilities before they're disclosed to the public, but CTS-Labs provided AMD with only a 24-hour notice. CTS-Labs states:

To ensure public safety, all technical details that could be used to reproduce the vulnerabilities have been redacted from this document. CTS has privately shared this information with AMD, select security companies that can develop mitigations, and the U.S. regulators. What follows is a description of the security problems we discovered and the risks they pose for users and organizations.

The unusual nature of the disclosure and the lack of any supporting evidence make it difficult to assess the impact (be it real or imagined) of the alleged AMD security flaws. It is noteworthy that the three different groups of researchers that discovered the Spectre/Meltdown vulnerabilities provided the industry with 200 days of notice to prepare mitigations, which was unraveled by The Register.

CTS-Labs published the information at amdflaws.com, which is a new site created by the small company. The company claims that it discovered the vulnerabilities while studying the impact of what it characterizes as known backdoors in ASMedia chipsets. The company claims these backdoors have existed for six years.

AMD uses ASMedia as its third-party chipset supplier, and CTS-Labs claims to have found the same backdoors on the Ryzen and EPYC chipsets. These backdoors purportedly allow hackers to inject malicious code directly into the Platform Secure Processor (PSP), which is a separate and secure processor that provides global management functionality.

The PSP (also called AMD Secure Processor) functions much like Intel's Management Engine (ME), which has proven in the past to have vulnerabilities. Neither AMD nor Intel open-source the code that runs on the processors, instead opting to run closed-source Linux distros.

CTS-Labs claims the chipset vulnerabilities led it to conduct an investigation into AMD's broader security practices, whereupon it discovered additional vulnerabilities. Head to our Breaking Down The New Security Flaws In AMD's Ryzen, EPYC Chips companion article for more details on the individual vulnerabilities.

We reached out to AMD for comment and received the following statement:

At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.

AMD's statement is somewhat vague, but the company has clearly had little time to assess the situation. AMD also had several lawsuits lodged against it after its initial statements on the Spectre/Meltdown vulnerabilities, which the plaintiffs claim were misleading, so the company is (wisely) exercising some caution.

We're digging deeper to find out more about the vulnerabilities, but given the lack of information, it is best to be cautious. Much like the initial few days of the Spectre/Meltdown vulnerabilities, there is likely to be quite a bit of misinformation circulating regarding potential performance impacts. Currently, the information that CTS-Labs has posted is unverified and is presented without evidence, and the company has several strong disclaimers regarding its "disclosures." We've pasted a partial excerpt of the disclaimers from the whitepaper (PDF) below.

We have spoken with AMD, and the company has said it will provide further information as it becomes available. We expect a more detailed assessment of these alleged vulnerabilities will emerge as third-party security researchers study them. 

The CTS-Labs disclaimer, in part:

The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.

Paul Alcorn
Managing Editor: News and Emerging Tech

Paul Alcorn is the Managing Editor: News and Emerging Tech for Tom's Hardware US. He also writes news and reviews on CPUs, storage, and enterprise hardware.

  • bit_user
    CTS-Labs provided AMD with only a 24-hour notice.
    This is extremely shady. What could be the purpose of making such an announcement, except to spread FUD in the market and put the brakes on AMD's sales momentum?

    These guys are most likely funded by Intel or individuals with a strong financial stake in Intel.
  • fball922
    I thought the same thing... Hit piece. Intel is so full of sh*t I would not be surprised one bit if they funded this.
  • madmatt30
    Covered themselves with that disclaimer big time.

    Whilst that's sensible for a firm like CTS (near a necessity) I would say the whole thing has very very suspicious undertones.

    I hope they have good lawyers if they're wrong, bringing Asus into the mix by name/brand as well is a very risky decision.
  • theunnerd
    The lack of comprehensive tech detail of these flaws compared to Spectre and Meltdown, even in the white paper, plus the lack of notice to AMD to look into the claim of flaws, sounds fishy to me. It was not released in good faith and the disclaimer of "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports." speaks for itself. Economic interest. They likely have friends trading the stock and pushing conveniently for a short situation, seems like manipulation. Walks like fake news, talks like fake news...What is it?
  • JoeNM84
    Sounds like a rumor if there has been no evidence or sources listed. And given the short 24 hour notice it makes the whole thing a bit shady. Possibly to manipulate stock prices? Hopefully it's all false, or the vulnerabilities are easy/quick to fix.
  • bit_user
    There's already a lot out there on debunking these overblown claims.

    Interestingly, they registered the domain 19 days ago, so they surely could have started informing AMD of some of the issues back then.

    One conjecture I've read is that it could be a simple stock market play - bet on AMD's share price to drop, then release a bunch of bad news.

    I hope AMD has some grounds to sue them on the basis of misleading statements.
  • rwinches
    Shame on Tom's for not having a huge, bold type, disclaimer at the top of this stating there is no real data to back this up.
    Not even their tired 'grain of salt'
  • Finstar
    "an Israel-based security company"
    Aaaand that's more than I need to tell this is bs.
  • techy1966
    I was like LMAO at this crap....This is pure fud at its best. All they or whoever is paying them to do this wants is AMD stocks to fall and sales drop off as well seems a bit timely that this happens just before AMD's new CPU launch/ refresh of Ryzen in April. I am thinking Intel or someone that has a stake in Intel is behind this. Problem is the damage is already done because all news sites and tubers will cover this like it is the Holy Gospel and plant the seed of fud into everyone's minds. By the way if this was true they would have been forced to give AMD the proper amount of time to get their crap together not this 24 hour crapola...I really hope whoever is behind this get sued big time and go to jail.
  • tslot05qsljgo9ed
    Quote: Possibly to manipulate stock prices?

    That is exactly what it was and from today's headlines for AMD and initial sell off you can see that it worked for a while. But then common sense and analysis showed that this was purely a figment of CTS-Labs' imagination.

    The 24 hour notice along with the amdflaws.com web site clearly shows the skeeviness of CTS-Labs.