AMD finalizing fixes for Ryzen, EPYC security vulnerabilities

Subject: Processors | March 20, 2018 - 04:33 PM |
Tagged: ryzenfall, masterkey, fallout, cts labs, chimera, amd

AMD’s CTO Mark Papermaster released a blog post today that both acknowledges the security vulnerabilities first shown by a CTS Labs report last week and lays the foundation for the mitigations to be released. Though the company had already acknowledged the report, and at least one other independent security company validated the claims, we had yet to hear from AMD officially on the potential impact and what fixes might be possible for these concerns.

In the write-up, Papermaster is clear to call out the short period of time AMD was given with this information, quoting “less than 24 hours” from the time it was notified to the time the story was public on news outlets and blogs across the world. For those who may not follow the security landscape closely, it is important to note that this has no relation to the Spectre and Meltdown issues that are affecting the industry, and that what CTS did find has nothing to do with the Zen architecture itself. Instead, the problem revolves around the embedded security protocol processor; while this is an important distinction moving forward, from a practical view it is one and the same to customers.


AMD states that it has “rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations.” Rapidly is an understatement – going from blindsided to an organized response is a delicate process and AMD has proven its level of sincerity with the priority it placed on this.

Papermaster goes on to mention that all these exploits require administrative access to the computer being infected, a key differentiator from the Spectre/Meltdown vulnerabilities. The post points out that “any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.” I think AMD does an excellent job threading the needle in this post, balancing the seriousness of these vulnerabilities against the overzealous hype that was created upon their initial release and the accompanying financial bullshit that followed.

AMD provides an easy-to-understand table with a breakdown of the vulnerabilities, the potential impact of the security risk, and what the company sees as its mitigation capability. Both sets that affect the secure processor in the Ryzen and EPYC designs are addressable with a firmware update for the secure unit itself, distributed through a standard BIOS update. For the Promontory chipset issue, AMD is combining a BIOS update with additional work with ASMedia to further enhance the security updates.


That is the end of the update from AMD at this point. In my view, the company is doing a satisfactory job addressing the problems in what must be an insanely accelerated time table. I do wish AMD was willing to offer more specific time tables for the distribution of those security patches, and how long we should expect to wait to see them in the form of BIOS updates for consumer and enterprise customers. For now, we’ll monitor the situation and look for other input from AMD, CTS, or secondary security firms to see if the risks laid out ever materialize.

For what could have been a disastrous week for AMD, it has pivoted to provide a controlled, well-executed plan. Despite the hype and hysteria that might have started with stock-shorting and buzzwords, the plight of the AMD processor family looks stable.

Source: AMD

March 20, 2018 | 05:17 PM - Posted by GivenThePodiumToTheStockMinipulatorsMrPapermaster (not verified)

Big mistake not Obtaining and Using the proper CVE numbers for these security vulnerabilities. CTS-Labs security vulnerability naming/nomenclature is definitely biased! Way to play into these nefarious folks' hands AMD.

Linus Torvalds was very correct about the "Security" Industry at its media whore best with this one.

March 20, 2018 | 05:43 PM - Posted by pdjblum

first you say "In my view, the company is doing a 'satisfactory' job addressing the problem in what must be an 'insanely' accelerated time table."

immediately thereafter, you say "I do wish AMD was willing to offer more specific timetables ..."

so they have an insanely accelerated time table to address these allegations, as we all know, and they are doing a 'satisfactory job,' according to almighty you, but somehow they are still not doing enough

man, you are a master of propaganda against amd, no doubt

March 20, 2018 | 06:04 PM - Posted by CrooksEnHooksMinipulatorsAndBrandLandGrabs (not verified)

It's all corrupt and now the GPP Gaming Branding land Grab begins also. Just watch those Fat Brown Envelopes change hands as the Technology World Turns! Welcome to the Gilded Age of Technology, it's been that way for 40 odd years now.

Big Oil or Big Technology the same sorts of swindlers at a different time(Now). It's Just more of the same for all who choose to disregard history(Antitrust history).

Vote with your wallet, is about the only power the consumer has at the moment with the Government sold to the highest bidder.

March 21, 2018 | 12:41 PM - Posted by Mihai Bica (not verified)

@pdjblum satisfactory means good enough, it could be better if they would provide something more concrete, like a timetable. I don't see any bias here.

March 21, 2018 | 01:14 PM - Posted by TheWholeIssueIsWrappedInSubterfugeAndBias (not verified)

The bias comes from that only 24 hours notice and do not for a New York Nanosecond think that there is no bias going on with respect to CTS-Labs and its other nefarious financial market manipulator associates. And any of the online Press needs to be very careful not to be seen as aiding any such entities intentionally or unintentionally.

AMD should have received its nominal 90 days notice but that would have made these minor issues unable to be utilized in a smear campaign in such an egregiously nefarious manner such as what was, and is, still being done by CTS-Labs and its co-conspirators.

AMD gets its 90 days before anyone can rightfully have the rights to expect that any timetables be announced.

" I don't see any bias here." It's been bias from before day one on this nefarious attack against AMD by CTS-Labs and Viceroy Research(Their Modus Operandi is well Known and infamous).

March 22, 2018 | 06:11 PM - Posted by Mihai Bica (not verified)

I was talking about how the article was written; I don't see any bias in the article, quite balanced actually.

March 21, 2018 | 01:52 PM - Posted by OnlinePressAndJournalisticIntegrity (not verified)

If you want to see an example of some not so fine journalistic integrity just go read this article(1).
Where the article's author actually expects that the sane security community will ever rely on CTS-Labs for any proper vetting of any security issues now and forever. CTS-Labs should never be trusted by anyone.

This one quote is a keeper for any academic text on Journalistic Integrity. Where are the press that should be asking for and using the proper CVE numbers for these security issues, how about that for impartiality of the online press.

"Presumably, CTS Labs will test those mitigations independently and determine whether those customers are, in fact, safe. We'll continue to keep an eye on this story as it develops."(1)

Really, "Independently" from CTS-Labs, the ones that are associated with a known stock market manipulator and the ones that only gave AMD 24 hours notice. CTS-Labs the ones that apparently spent some time creating their slick graphics and other slick vulnerability naming/nomenclature that directly attacks AMD's Ryzen brand by name and other such things that came right out of Viceroy Research's play book.

"AMD says CTS Labs vulnerabilities can be patched with new firmware"

https://techreport.com/news/33400/amd-says-cts-labs-vulnerabilities-can-...

March 22, 2018 | 02:11 AM - Posted by Johan Steyn (not verified)

To me AdoredTV has proven that Intel is behind this and not as much stock manipulation. It is clear that these very vulnerabilities are more in Intel systems containing these security chips, yet Intel paid PCPer does not mention Intel in this. Please stop this PCPer and be real journalists.

Just compare your response and heading to what HardOCP posted. You should be ashamed of yourself. You are mixing yourselves with pig food, you will be eaten by pigs.

March 22, 2018 | 06:04 PM - Posted by Mihai Bica (not verified)

Stop trusting everything AdoredTV says as a fact, many are speculations. If it were so simple to prove don't you think a court would rule that? Or is the whole world in Intel's pocket. Not that I'm defending Intel, I know they are scummy.

March 20, 2018 | 06:05 PM - Posted by Anonymouse (not verified)

I wonder how many "vulnerabilities" CTS is holding back for the next stock short.

March 20, 2018 | 07:20 PM - Posted by Anonymouse (not verified)

Has AMD provided a timeline for distributing their SPECTRE fixes yet? These exploits require privilege escalation to use, which SPECTRE would provide.

March 20, 2018 | 07:59 PM - Posted by ShortSellersHatchetJobbersForHire (not verified)

Well CTS-labs smear job appears to be little more than thinking up some intentionally damaging names and graphics that are nefariously designed to make some flaws found in AMD's PSP (require administrative access to exploit) appear like the end of the world compared to some much nastier flaws in Intel's ME (remotely exploitable).

CTS-Labs sure dedicated much of their time developing fancy targeted graphics to represent these minor PSP issues and spin some nefarious themes. That falling Tower Iconography from CTS-Labs now appears to be more representational of CTS-Labs' story falling apart under massive press scrutiny rather than AMD's stock prices falling as Viceroy Research had hoped would happen once Viceroy Research published its 25 page apoplectic apocalyptic diatribe against AMD. But Most of the Press(1) appear to be not falling for that CTS-Labs' line of thinking or their non industry standard security reporting rules(24 hours, really, compared to 90 days).

"The nature of these problems does not seem substantially different from an earlier PSP flaw publicized in January; that flaw concerned the firmware TPM and, again, allowed the execution of attacker-controlled code on the PSP. That bug appeared to receive little fanfare or attention. Neither do they seem to be significantly different from the numerous flaws that have been found in Intel's equivalent to PSP, the Management Engine (ME). Indeed, some of the Intel ME bugs are rather worse, as they can in some situations be exploited remotely."(1)

(1)

"AMD promises firmware fixes for security processor bugs

All bugs require administrative access to exploit."

https://arstechnica.com/gadgets/2018/03/amd-promises-firmware-fixes-for-...

March 20, 2018 | 09:39 PM - Posted by hj343 (not verified)

You're all AMD fanboys. Admit it. I know why: you hate Intel (and who can blame you?), and you hope for some golden age of competition between Intel and AMD so you can buy better and cheaper CPUs, and you hope AMD becomes strong so they can challenge nVidia's dominance. As noble as that may sound, the ends don't justify the dishonest shilling by what's supposed to be an information source. Those of you who don't have this as your motive are mentally ill fanboys. Also, nice job by pdjblum, who knows full well that Shrout is a big time AMD supporter (either because of fanboyism, or he's getting paid), but by doing a fake "call-out" against the author (Shrout), it directly contradicts the tone of the article, making some people doubt what they just read. The pro-AMD bias from PCper is obvious to anyone with a functioning brain. Just look at their hardware leaderboard. That proves my point.

March 20, 2018 | 09:51 PM - Posted by EarnedBadKarmaOverManyYears (not verified)

Go do some reading and Intel, like Standard Oil, Like Ma Bell, has earned that hate. And all folks should hate abusive monopolies that are bad for competition! And competition is what drives (Forces) companies to compete and forces them to innovate or die rather than sit back on their fat A$$E$$ and just milk the consumer.

"Intel and the x86 Architecture: A Legal Perspective"

http://jolt.law.harvard.edu/digest/intel-and-the-x86-architecture-a-lega...

March 22, 2018 | 02:16 AM - Posted by Johan Steyn (not verified)

Are you even serious? PCPer is paid by Intel. You are so clueless. This article is so slanted and skilfully making AMD look bad, even while complimenting AMD a bit. More Intel PC's have chips in them with these bugs, yet it is not mentioned once.

People are so gullible to be conned by Intel.

March 20, 2018 | 11:26 PM - Posted by 0156 (not verified)

Actually the leaderboard was Intel for the longest time, years at that. Get a grip or at least act like you have been here a while....

March 20, 2018 | 11:39 PM - Posted by Hood

Ryan said, "For what could have been a disastrous week for AMD, it has pivoted to provide a controlled, well-executed plan. Despite the hype and hysteria that might have started with stock-shorting and buzzwords, the plight of the AMD processor family looks stable."

How does this make him "a master of propaganda against AMD"?

March 21, 2018 | 12:23 AM - Posted by pdjblum

don't know how that does

what i quoted does

odd question

March 21, 2018 | 02:38 AM - Posted by John Blanton (not verified)

pdjblum must be getting paid by Intel .. you keep on screaming but no one is listening anymore .. just shut the hell up already

March 21, 2018 | 03:31 AM - Posted by pdjblum

you have to pay me more than intel is paying me in order to have me shut up

sorry for being so annoying to you

March 21, 2018 | 12:12 PM - Posted by Randy Black (not verified)

I believe that CTS Labs has managed to get themselves a lot of free publicity by demanding that AMD repair these bugs in a day. Anyone given enough time can always find their way into something that they want. And anyone who gets on the Internet without any kind of protection is not dealing with a full deck. And then the media chips in with their PMS (PreMeditated Stupidity) and blows it all out of proportion. CTS Labs was banking on that to happen and it did. AMD and Intel produce CPUs with faults. People look for faults to take advantage of your product, your computer, anything of value that you have. The best you can do is to stay offline? No, that is not the answer. You protect what you have with a little bit of research and apply it. Besides, Microsoft has fixed things to where you cannot keep your computer offline because it cannot phone home and it shuts your computer down. And I agree that people will spend their money their way. And opinions are like...you know, everyone has one. I will spend my money my way and you can spend your money your way. AMD and Intel will issue their fixes in a timely manner and we can wait.

March 21, 2018 | 03:52 PM - Posted by Tantor (not verified)

This effort to smear AMD is a group effort by Israeli Intel fans.

Right after the Meltdown/Spectre issue, two Jewish law firm, Rosen and Pomerantz, filed baseless class action lawsuits against AMD.
https://semiaccurate.com/2018/02/06/amd-hit-two-baseless-class-actions-s...

Now CTS, another Israeli group, attacks AMD, and they also intentionally time it to make things as difficult for AMD as possible. Intel has a very significant presence in Israel.
https://www.sfgate.com/business/article/Intel-chip-plant-located-on-disp...

Anyone who doesn't believe that Intel fans are capable of this kind of manipulation simply doesn't understand human nature. There is probably enormous resentment that little AMD has been kicking Intel's ass this year. They regard Intel as their champion, and they're going to step up to help Intel out. Plus it might help their investment portfolio.

The media should have blasted this nonsense from day one and exposed CTS as a purveyor of fabricated garbage. Papermaster essentially called it that when he said: “...any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”

March 22, 2018 | 02:22 AM - Posted by Johan Steyn (not verified)

This is what I was talking about and proves that PCPer is playing Intel's game again.

You think this article is nice to AMD yet you miss the point, they do exactly the same as CTS, not mentioning Intel having the same issues. I have lost my respect for PCPer. At least Kyle at HARDOCP does a more respectable job of not speaking out of two mouths.

https://youtu.be/GNPcxXZ2ki8

March 22, 2018 | 04:21 AM - Posted by WhyMe (not verified)

Some articles really seem to draw out the nutters, I wish I had some of what they're smoking.

March 22, 2018 | 09:30 AM - Posted by Anonymously Anonymous (not verified)

https://www.ctsflaws.com/

March 26, 2018 | 07:07 AM - Posted by Max Settings (not verified)

If an attacker needs physical/admin access to perform these exploits then you're pwned already.
