AMD Ships Vulnerability Patches To Ecosystem Partners

Remember when the sky--or at least Ryzen--was falling? You should, because it was only a few months ago, when the CTS Labs security company revealed numerous vulnerabilities in AMD's new Ryzen and EPYC processor lines. AMD has been largely quiet about these vulnerabilities in the time since, but the company assured Tom's Hardware that it hasn't forgotten about CTS Labs' report or neglected to address the flaws in its processors.

A quick recap: In March, CTS Labs released information on a collection of vulnerabilities in AMD's latest chips that it dubbed "Ryzenfall." These security flaws were said to be present in the most basic aspects of the Ryzen and EPYC processors, and after consulting with other researchers, CTS Labs decided to publish its findings without giving AMD the customary 90-day notice between a vulnerability's discovery and its public disclosure.

Earlier this week, CTS Labs emailed us to express concern about the lack of updates from AMD regarding these vulnerabilities. The company said it believed many of the vulnerabilities would take months to fix, with the Chimera issues requiring a hardware change that couldn't be implemented in products that have already shipped. AMD's relative silence and lack of updates apparently led CTS Labs to believe the company had stalled out.

We reached out to AMD for comment and received the following in response:

Within approximately 30 days of being notified by CTS Labs, AMD released patches to our ecosystem partners mitigating all of the CTS identified vulnerabilities on our EPYC™ platform as well as patches mitigating Chimera across all AMD platforms. These patches are in final testing with our ecosystem partners in advance of being released publicly. We remain on track to begin releasing patches to our ecosystem partners for the other products identified in the report this month. We expect these patches to be released publicly as our ecosystem partners complete their validation work.

That's still vague--we don't know which "ecosystem partners" have received these patches, nor when end users should expect them to roll out--but it does show that AMD hasn't simply forgotten about CTS Labs' report. We expect to hear more about these patches, and how AMD plans to deliver them, as the company and its partners get them ready to ship. In the meantime, it seems that much like the sky, Ryzen has yet to fall.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • drinkingcola86
    What bothers me the most about what CTS Labs posted is that the vulnerabilities within the AMD systems required admin, and for some things physical access to the hardware, to modify things.

    Remote access with admin privileges and the ability to remotely install/update the BIOS is something that can happen on almost any PC. At the place I work, we are an almost Intel-exclusive environment and we edit and install new BIOSes remotely all the time. There have been people showing what CTS Labs released happening on Intel- and Qualcomm-run devices.
  • redgarl
    ROFL... now I am laughing hard... years to patch my ***.
  • redgarl
    20935593 said:
    What bothers me the most about what CTS Labs posted is that the vulnerabilities within the AMD systems required admin, and for some things physical access to the hardware, to modify things.

    Remote access with admin privileges and the ability to remotely install/update the BIOS is something that can happen on almost any PC. At the place I work, we are an almost Intel-exclusive environment and we edit and install new BIOSes remotely all the time. There have been people showing what CTS Labs released happening on Intel- and Qualcomm-run devices.

    It was not a remote issue, it was a local exploit in a context where admin access rights were available. It was like saying a car could have a steering problem while exploding.

    They employed a PR firm to advertise their company and had created a doom and gloom story to drive the stock price. It didn't work at first; however, one month later the stock was at 9.60$. Basically, they succeeded and this is revolting.
  • SkyBill40
    Is CTS Labs getting antsy on their short sell of AMD stock? Not getting quite the ROI they were expecting from their ploy? This just goes to show what we all suspected from the start: this whole thing was overblown and sketchy at best.
  • redgarl
    Unfortunately, skybill40, the stock went from 12$ to 9.60$ during the last month. If they sold and waited for 10$, then they made quite the money.
  • SkyBill40
    20935804 said:
    Unfortunately, skybill40, the stock went from 12$ to 9.60$ during the last month. If they sold and waited for 10$, then they made quite the money.

    I see your point and that's problematic, for sure. Last I heard, the SEC was investigating what it saw as abnormal trading of AMD stock that occurred right around the time of CTS Labs' disclosure. I'm hopeful that the SEC cuts their legs out from under them, given that the problems they brought to light were vastly overstated as far as vulnerabilities are concerned.
  • King_V
    I remember it... the "we *FEEL* like they won't address this in a timely manner" excuse.

    Really? That's what they went with as their reasoning?
  • LORD_ORION
    Intel's CPU flaws (Spectre / Meltdown) get discovered and Intel is forced to reveal them.
    These Intel products with the flaws were designed in a certain country that you need to look up yourself.
    A certain hedge company, also located in the same country, spreads information equivalent to "the sky is blue" as "the sky is falling!" squarely at Intel's competition. They also short sell the competition's stock.
    Shortly thereafter, patches for the Spectre / Meltdown vulnerabilities are released by Microsoft that wreak havoc with Intel's competition, and they don't seem to exist in Linux.

    Disclaimer:
    In no way am I implying that Spectre/Meltdown is an NSA back door.
    There is absolutely NO proof of collusion between CTS Labs and Intel.
    Radeon black screens, strange voltage regulation problems on systems, and system instability are entirely coincidental in Windows 1709 and Spectre/Meltdown patches.
    These instabilities may not occur with open-source drivers in Linux performing the same tasks, but hey, Linux is hard and it's only a matter of time until they get fixed.
    For example, perhaps these problems START to go away in Windows 1803, as long as you update to the latest drivers and BIOS from AMD.
    Also, old hardware tends to fail. Sandy Bridge, Ivy Bridge and AMD hardware failures are just bad-luck combinations of legacy hardware, new hardware, old software and new software.

    I have NOT decided if I am getting an AMD system next.
    But let me reiterate, I don't feel Intel let me down. My Intel Ivy Bridge motherboard is not getting a BIOS patch because it is old, not because they want me to buy new Intel hardware.
    I am also sure that the new lidless Intel CPUs DO NOT have a shorter lifespan than CPUs like the i7 3xxx and 2xxx series. There is PR everywhere about the reasons for this.