Much Ado About Nothing?

CTS-Labs has released a report detailing potential AMD CPU flaws

We live in a world seemingly fueled by explosive headlines. This morning we were welcomed with a proclamation that AMD has 13 newly discovered security flaws in their latest Ryzen/Zen chips that could potentially be showstoppers for the architecture, and AMD’s hopes that it can regain lost marketshare in mobile, desktop, and enterprise markets. CTS-Labs released a report along with a website and videos explaining what these vulnerabilities are and how they can affect AMD and its processors.

This is all of course very scary. It was not all that long ago that we found out about the Spectre/Meltdown threats that seemingly are more dangerous to Intel than to its competitor. Spectre/Meltdown can be exploited by code that will compromise a machine without having elevated privileges. Parts of Spectre/Meltdown were fixed by firmware updates and OS changes which had either no effect on the machine in terms of performance, or incurred upwards of 20% to 30% performance hits in certain workloads requiring heavy I/O usage. Intel is planning a hardware fix for these vulnerabilities later on this year with new products. Current products have firmware updates available to them and Microsoft has already implemented a fix in software. Older CPUs and platforms (back to at least 4th Generation Core) have fixes, but they were rolled out a bit slower. So the fear of a new exploit that is located on the latest AMD processors is something that causes fear in users, CTOs, and investors alike.

CTS-Labs have detailed four major vulnerabilities and have named them as well as have provided fun little symbols for each; Ryzenfall, Fallout, Masterkey, and Chimera. The first three affect the CPU directly. Unlike Spectre/Meltdown, these vulnerabilities require elevated administrative privileges to be run. These are secondary exploits that require either physical access to the machine or logging on with enhanced admin privileges. Chimera affects the chipset designed by ASMedia. It is installed via a signed driver. In a secured system where the attacker has no administrative access, these exploits are no threat. If a system has been previously compromised or physically accessed (eg. force a firmware update via USB and flashback functionality), then these vulnerabilities are there to be taken advantage of.

In every CPU it makes AMD utilizes a “Secure Processor”. This is simply a licensed ARM Cortex A5 that runs the internal secure OS/firmware. The same cores that comprise ARM’s “TrustZone” security product. In theory someone could compromise a server, install these exploits, and then remove the primary exploit so that on the surface it looks like the machine is operating as usual. The attackers will still have low level access to the machine in question, but it will be much harder to root them out.

AMD has addressed the submission from CTS-Labs, but it does not provide any more insight or potential fixes for these vulnerabilities:

We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops.

What AMD does say is that they had not heard of this group before and find it odd that they would talk to the press about it before going to the company whose products are affected by this. Google Project Zero was created to find zero-day exploits, but they typically contact manufacturers first and wait 90 to 180 days before detailing their findings to the public. This gives manufacturers the ability to head off attacks before they are widely known about and to integrate solutions into upcoming products.

CTS-Labs was formed in 2017 in Israel. Very little was known about this group before today. When they announced the news they already had a website (AMDFlaws.com) along with several videos and presentations pertaining to these AMD vulnerabilities. Possibly unrelated to the group we saw Viceroy Research, a South African firm that has a history of releasing bad news about companies while shorting their stocks, quickly put up their “AMD Obituary” page that claims they expect AMD’s share price to drop to $0 and they will be forced to go into bankruptcy proceedings. Now, we do not know if these two entities are connected, but Viceroy put up their findings very quickly if not at the same time as CTS-Labs released their findings.

There are rumors that Intel hired the group, but those are incredibly unlikely. So far there is no concrete evidence for this type of relationship and I am pretty doubtful that any will be found. We must also consider that Intel has already been under the microscope by multiple groups around the world when it comes to AMD and I am inclined to think that Intel Legal would not look kindly upon this.

In the end AMD will likely patch up the “vulnerabilities” that they detail here, but it may not be soon. Some of these issues may simply be working as intended rather than a real flaw. Once an attacker gains administrative access, then the machine is at their beck and call. This will be true of any machine whether it is run by Intel or AMD. The scenario that could be the most troublesome is that of retaining control at a low level all the while the machine looks fine to anti-virus software and system administrators.