Update | Previously unheard-of company claims AMD chips are full of vulnerabilities, does not provide details

It has been standard practice to give companies 60-90 days to react to newly found exploits.
It has been standard practice to give companies 60-90 days to react to newly found exploits.
Researchers at a cyber-security consulting company in Israel have claimed that they have found 13 serious vulnerabilities in AMD processors. CTS-Labs has published details about the flaws after only giving AMD 24 hours to comply. More oddities regarding the previously unhead-of company are elaborated below and in the attached video.

Update: the article has been updated to reflect the suspicious nature of CTS-labs's alleged discovery. The company's website provides no details on the microcode affected, which is a standard procedure found in all other security disclosures. The company's website includes a disclaimer that states CTS may have "an economic interest" in the securities of the companies they are reporting on. We will closely follow this story and update it as necessary.

CTS-Labs has created a website and published a Whitepaper listing the vulnerabilities the firm has discovered in AMD products. According to the researchers, 13 critical issues have been found in the AMD Ryzen and EPYC product lines. The cyber-security company has even produced a brief information video which details the classes of vulnerability and what products they apparently affect:

  • EPYC Server is affected by Fallout and Masterkey
  • Ryzen workstation is affected by Chimera, Masterkey and Ryzenfall
  • Ryzen Pro is affected by Chimera and Ryzenfall
  • Ryzen mobile is affected by Ryzenfall

Now before you go hurling your AMD-powered devices out of the nearest window and taking cover under the kitchen table, it is important to keep in mind that the vulnerabilities can only be exploited by a hacker who has obtained administrative privileges. However, CTS has stated the flaws can potentially allow backdoor entry into the secure parts of the processor, which could lead to passwords and sensitive data being stolen, or malware being inserted into the CPU.

Criticism has been aimed at the way the Israeli firm has publicized its findings. It is typical for cyber-security researchers to give manufacturers 90-day notices to deal with bugs, whereas CTS gave AMD less than 24 hours warning. Regardless of the research company’s motives for dealing with the issue in such a questionable manner, the revelation of more than a dozen vulnerabilities is a serious problem for AMD to deal with.

AMD has issued a statement in regard to CTS' discoveries:

We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops.


Read all 2 comments / answer
static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Notebook / Laptop Reviews and News > News > News Archive > Newsarchive 2018 03 > Previously unheard-of company claims AMD chips are full of vulnerabilities, does not provide details
Notebookcheck, 2018-03-14 (Update: 2018-04-20)
Daniel R Deakin
Daniel R Deakin - Managing Editor News
My interest in technology began after I was presented with an Atari 800XL home computer in the mid-1980s. I especially enjoy writing about technological advances, compelling rumors, and intriguing tech-related leaks. I have a degree in International Relations and Strategic Studies and count my family, reading, writing, and travel as the main passions of my life. I have been with Notebookcheck since 2012.