Update, 3/13/18, 12:45pm PT: AMD issued a statement on its site regarding the report. The statement is more or less what we already posted below, although it does note what we highlighted, which is that it's quite odd to brief analysts and media and then publish security findings, all before notifying the company in question. AMD said it will post further updates on this blog.
We have a detailed breakdown of the alleged flaws here.
Original article, 3/13/18, 10:16am PT:
CTS-Labs, an Israel-based security company, released a "severe security advisory on AMD processors" that alleges AMD's Ryzen and EPYC processors are susceptible to 13 critical security vulnerabilities that span four different classes. The company has classified the categories as Ryzenfall, Masterkey, Fallout, and Chimera.
CTS-Labs released the information in an unusual fashion. Typically, semiconductor vendors are given 90 days to respond to vulnerabilities before they're disclosed to the public, but CTS-Labs provided AMD with only 24 hours' notice. CTS-Labs states:
To ensure public safety, all technical details that could be used to reproduce the vulnerabilities have been redacted from this document. CTS has privately shared this information with AMD, select security companies that can develop mitigations, and the U.S. regulators. What follows is a description of the security problems we discovered and the risks they pose for users and organizations.
The unusual nature of the disclosure, and the lack of any supporting evidence, make it difficult to assess the impact (be it real or imagined) of the alleged AMD security flaws. It is noteworthy that the three different groups of researchers that discovered the Spectre/Meltdown vulnerabilities provided the industry with 200 days of notice to prepare mitigations, which was unraveled by The Register.
CTS-Labs published the information at amdflaws.com, which is a new site created by the small company. The company claims that it discovered the vulnerabilities while studying the impact of what it characterizes as known backdoors in ASMedia chipsets. The company claims these backdoors have existed for six years.
AMD uses ASMedia as its third-party chipset supplier, and CTS-Labs claims to have found the same backdoors on the Ryzen and EPYC chipsets. These backdoors purportedly allow hackers to inject malicious code directly into the Platform Secure Processor (PSP), which is a separate and secure processor that provides global management functionality.
The PSP (also called AMD Secure Processor) functions much like Intel's Management Engine (ME), which has proven in the past to have vulnerabilities. Neither AMD nor Intel open-source the code that runs on the processors, instead opting to run closed-source Linux distros.
CTS-Labs claims the chipset vulnerabilities led it to conduct an investigation into AMD's broader security practices, whereupon it discovered additional vulnerabilities. Head to our companion article, "Breaking Down The New Security Flaws In AMD's Ryzen, EPYC Chips," for more details on the individual vulnerabilities.
We reached out to AMD for comment and received the following statement:
At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.
AMD's statement is somewhat vague, but the company has clearly had little time to assess the situation. AMD also had several lawsuits lodged against it after its initial statements on the Spectre/Meltdown vulnerabilities, which the plaintiffs claim were misleading, so the company is understandably (and wisely) exercising some caution.
We're digging deeper to find out more about the vulnerabilities, but given the lack of information, it is best to be cautious. Much like the initial few days of the Spectre/Meltdown vulnerabilities, there is likely to be quite a bit of misinformation circulating regarding potential performance impacts. Currently, the information that CTS-Labs has posted is unverified and is presented without evidence, and the company has several strong disclaimers regarding its "disclosures." We've pasted a partial excerpt of the disclaimers from the whitepaper (PDF) below.
We have spoken with AMD, and the company has said it will provide further information as it becomes available. We expect a more detailed assessment of these alleged vulnerabilities will emerge as third-party security researchers study them.
The CTS-Labs disclaimer, in part:
The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.