A few days ago CTS Labs, an Israeli security firm, claimed to have found serious vulnerabilities in AMD’s Ryzen and EPYC lineup of processors. Though AMD is currently investigating the accuracy of these flaws, Dan Guido, the founder of security firm Trail of Bits, who received early access to the full technical details and PoC exploits, has independently confirmed that all 13 AMD flaws are accurate and work as described in the paper.
Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works. -Dan Guido
CTS Labs contacted Trail of Bits and invited them to do an independent review of their research. They decided to take it on as a favor and out of curiosity, but after taking a look at the scale of the research, they realized that it went beyond the favor and asked to get paid for their services. They were expecting only 1 bug, not 13.
Dan Guido said that they have no previous relationship with CTS Labs and they were only introduced through a mutual friend.
Trail of Bits published a technical summary of their findings on their blog after concluding that these flaws are legitimate.
They explained how the AMD flaws work, what the requirements would be for an attacker to perform an exploit, and what would be affected and how. But to give you some peace of mind, here’s what they said about the exploit:
There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers.
So, for regular AMD users, there is basically nothing to worry about at the moment, as all relevant companies are working together to create patches and fixes for these vulnerabilities.
There has been a lot of speculation about the motives of CTS Labs and why they gave AMD less than 24 hours to respond before making their report public. A lot of people say that it was a smear campaign against AMD; others say that it was a way to manipulate AMD’s stock price against its competitors by exaggerating, or indeed fabricating, a security risk.
Standard vulnerability disclosure in the industry calls for at least 90 days’ notice so that companies have time to address flaws properly. Seen in this light, disclosing vulnerabilities to the public without giving a company enough time to fix them can be irresponsible, as it leaves the flaws open for attackers to exploit.
CTS Labs said that no technical details were revealed to the public; only AMD, Microsoft and relevant companies have the technical details so they can create patches and fixes for the vulnerabilities.
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise,” AMD said in response to the research.
Though there was a lot of skepticism toward CTS Labs because of the way they announced these flaws, we think the findings should still be taken into consideration because anything can happen.
This is a developing story and we’ll keep this post updated.
AMD has acknowledged the security risks presented by CTS Labs and has confirmed that it responded rapidly to these claims to complete an initial assessment and plan for mitigations, as detailed in a blog post by AMD CTO Mark Papermaster today. Security patches are in the works and will be deployed in the coming weeks.