A security startup called CTS-Labs made waves yesterday when it claimed to have discovered 13 critical security flaws classified into four types of vulnerabilities, each one specific to AMD's Ryzen and Epyc processor lines. The 13 different vulnerabilities affect processors found in desktops, laptops, and servers.
The report from CTS Labs is intentionally light on the exploits' details, a measure meant to stop anyone from using the alleged exploits while AMD is given the time to investigate them. While this appears to be bad news, let's leave the exact fix criteria to AMD, which has not responded (as of the writing of this post) to the announcement from CTS-Labs (reportedly, the time frame was a 24-hour notice, rather than the industry-standard notification of 90 calendar days...). AMD says it's studying the findings and is committed to protecting its customers.
It continues: "The vulnerabilities allow malicious actors to install persistent malware inside the Secure Processor, running in kernel-mode with the highest possible permissions". AMD is now facing another big security headache, with no immediate cure available. Again, CTS-Labs unloads on ASMedia, saying that while it is unaware of any of the vulnerabilities being exploited in the wild, "similar vulnerabilities in other ASMedia products have been known in hardware hacking circles for several years".
Researchers normally give the chipmakers months ahead of time to fix the vulnerability before announcing it publicly, and while AMD is most likely aware of Masterkey, Ryzenfall, Fallout, and Chimera, it'll be months and months from now that they'll have a patch ready.
However, hackers will still need to do some work before they can actually exploit this vulnerability. Potentially, if AMD had the chance to respond to the flaws before they had been made public, they might never have seen the light of day.
Just months after Meltdown and Spectre were disclosed to the public, security researchers have uncovered another set of critical processor vulnerabilities. The chip maker also took umbrage with CTS Labs for not giving proper notice before the research was published. AMD said, "We are actively investigating and analysing its findings".
CTS-Labs, a security research company which says it specializes in vulnerabilities within ASICs and other chips, has said it's discovered four potential attacks, code-named Masterkey, Ryzenfall, Fallout, and Chimera.
While redacting precise technical details from the white paper, CTS-Labs claims to have shared this with AMD and "select security companies". It's also worth noting that AMD has been made aware of the issues, as have U.S. regulators and "select security companies" that could help mitigate the fallout.
On top of that, a number of commentators have questioned financial links between CTS-Labs (which has no address and no landline telephone number) and investment professionals citing it and financial positions in AMD itself. And it's that CTS-Labs-concocted naming/nomenclature and graphics symbolism that CTS-Labs/co-conspirators wish to use against AMD, in spite of any real or nonreal security issues that there may be.
It is also worth noting that CTS Labs is a relatively unknown player in the security world.
There's legitimate debate over just how much control big companies should exert over the publicity of their own shortcomings, but generally speaking, in the interest of protecting users, the convention tends to be adhered to.
AMD shares are down 1.2% to $11.38. Because CTS Labs won't release more detailed information about the vulnerabilities to the public (a wise choice, technically, if they are indeed actually easy to exploit), we won't have concrete confirmation of their existence until AMD has had a chance to examine the problem.
The disclosure is the first release by Israeli security startup CTS Labs, which was founded the previous year.