Update | Previously unheard-of company claims AMD chips are full of vulnerabilities, does not provide details
Update: the article has been updated to reflect the suspicious nature of CTS-labs's alleged discovery. The company's website provides no details on the microcode affected, which is a standard procedure found in all other security disclosures. The company's website includes a disclaimer that states CTS may have "an economic interest" in the securities of the companies they are reporting on. We will closely follow this story and update it as necessary.
CTS-Labs has created a website and published a Whitepaper listing the vulnerabilities the firm has discovered in AMD products. According to the researchers, 13 critical issues have been found in the AMD Ryzen and EPYC product lines. The cyber-security company has even produced a brief information video which details the classes of vulnerability and what products they apparently affect:
- EPYC Server is affected by Fallout and Masterkey
- Ryzen workstation is affected by Chimera, Masterkey and Ryzenfall
- Ryzen Pro is affected by Chimera and Ryzenfall
- Ryzen mobile is affected by Ryzenfall
Now before you go hurling your AMD-powered devices out of the nearest window and taking cover under the kitchen table, it is important to keep in mind that the vulnerabilities can only be exploited by a hacker who has obtained administrative privileges. However, CTS has stated the flaws can potentially allow backdoor entry into the secure parts of the processor, which could lead to passwords and sensitive data being stolen, or malware being inserted into the CPU.
Criticism has been aimed at the way the Israeli firm has publicized its findings. It is typical for cyber-security researchers to give manufacturers 90-day notices to deal with bugs, whereas CTS gave AMD less than 24 hours warning. Regardless of the research company’s motives for dealing with the issue in such a questionable manner, the revelation of more than a dozen vulnerabilities is a serious problem for AMD to deal with.
AMD has issued a statement in regard to CTS' discoveries:
We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops.