Zen CPUs Might Be Hit By 4 New Flaws UPDATED
Quote:Security researchers with Israel-based CTS-Labs have discovered a staggering thirteen critical security vulnerabilities affecting AMD "Zen" CPU microarchitecture, which are as damning as the three recent "Meltdown" and "Spectre" vulnerabilities that affect various CPU manufacturers at varying degrees (Intel, AMD, and ARM). The thirteen new CVEs are broadly classified into four groups based on the similarity in function of the processor that they exploit: "Ryzenfall," "Masterkey," "Fallout," and "Chimera."

The researchers have redacted their whitepapers on each of the 13 new vulnerabilities, and have given AMD for a response, before threatening to publish their whitepapers. The laws call for a 90-day notice period before a vulnerability is made public, so hardware/software manufacturers have time to address it. The Google Project Zero teams behind Meltdown/Spectre CVEs entered NDAs with chipmakers that lasted months, before they could make their findings public, earlier this year.
Quote:We're digging deeper to find out more information about the vulnerabilities, but given the lack of information, it is best to be cautious. Much like the initial few days of the Spectre/Meltdown vulnerabilities, there is likely to be quite a bit of misinformation circulating in regards to potential performance impacts. Currently the information that CTS-Labs has posted is unverified and is presented without evidence, and the company has several strong disclaimers regarding its "disclosures." We've pasted a partial outtake of the disclaimers from the whitepaper (PDF) below.
Quote:If these security flaws are real, AMD has a lot of work to do to fix them. It absolutely deserves criticism for failing to catch them in the first place, and there is at least one security researcher who has seen the code and believes the matter to be serious. But even if CTS-Labs' findings are genuine, it has communicated them in a manner completely at odds with best practices in the security community. Its manner and method of communicating its findings have much more in common with a PR firm hired to do a hit job on a competitor or a company looking to make a financial killing by shorting stock than a reputable security firm interested in establishing a name for itself. Finding 13 major security flaws in a major microprocessor was guaranteed to make the news all on its own.

It’s entirely possible that CTS-Labs is a relatively new company comprised of researchers who decided to debut with a splash and sacrificed the best practices of security disclosures to do it. It’s also possible it isn’t. The company has done itself no favors with these shenanigans.


CTS-Labs has acknowledged to Reuters that it shares its research with companies that pay for the data and that it’s a firm with just six employees. Meanwhile, Viceroy Research, a short-seller firm, has published a 25-page “obituary” for AMD based on this data in which it declares AMD is worth $0.00 and believes no one should purchase AMD products on any basis, for any reason whatsoever. It also predicts AMD will be forced to file for bankruptcy on the basis of this “report.”

We stand by what we said regarding the flaws themselves — we’ll wait to hear from AMD on how that shakes out and what the risks are — but the actual reporting of the flaws appears to have been done in profound bad faith and with an eye towards enriching a very particular set of clients. ExtremeTech denounces, in the strongest possible terms, this scheme’s apparent perversion of the security flaw disclosure process.
Torvalds is unhappy:
And it looks like the vulnerabilities are real, even if AMD was given only 24 hours before the issue was disclosed:
Quote:CTS Labs' CTO, Ilia Luk-Zilberman, has now posted a letter on the AMDflaws site that says much of what he told us. It's a somewhat curious screed in which he expounds on his distaste for the 90-day response window and his views on why it's not helpful. Partly, he said that he thinks alerting everyone at once (that is, consumers, media, and companies) puts public pressure on the companies to fix the vulnerabilities (it certainly does), and that by doing so without disclosing the actual technical details, no one is actually at risk. But that creates obvious problems, such as causing widespread FUD, and it invites backlash upon the security researchers, all of which he alluded to in the letter. The salient passage reads in part:
Quote:This model has a huge problem; how can you convince the public you are telling the truth without the technical details? And we have been paying that price of disbelief in the past 24h. The solution we came up with is a third party validation, like the one we did with Dan from trailofbits. In retrospect, we would have done this with 5 third party validators to remove any doubts. A lesson for next time.
Altogether, it seems that AMD customers may be justified in worrying about these vulnerabilities. If CTS Labs' description of them is accurate, they are remotely exploitable flaws that could allow attackers to install persistent malware in the deepest recesses of a system. That puts consumers at risk, and it could also undermine businesses' secure networks simply because they rely on Ryzen or EPYC processors.

But that brings us back to the curious fact that AMD had little time to respond to these allegations. Even if you take CTS Labs' stated reasoning for ignoring the industry standard 90-day window at face value, it doesn't seem to make much sense. Because CTS Labs won't release more detailed information about the vulnerabilities to the public--a wise choice, technically, if they are indeed actually easy to exploit--we won't have concrete confirmation of their existence until AMD has had a chance to examine the problem. If CTS Labs did provide all the research it has to AMD, that shouldn't take long. We expect to learn more about the issue over the coming days--and to witness its potential aftermath over the coming weeks, months, and years.
Quote:By its own statements, CTS Labs tested and developed a proof of concept exploit for Asmedia controllers before it was aware these controllers were incorporated into Ryzen chipsets. Where, then, is the website? Where’s the notification to tell Intel motherboard customers that the chips on their motherboards can be similarly backdoored and abused? This isn’t a theoretical; I’m writing this article from an Ivy Bridge-E system powered by an Asus X79-Deluxe motherboard with an Asmedia 1042 controller. In its white paper, CTS Labs describes the offending Asmedia controllers as follows:
If CTS Labs has accurately characterized these flaws, the problems in Asmedia controllers affect millions of Intel motherboards worldwide going back six years. In the early days of USB 3.0, before Intel added its own native chipset support, Asmedia was one of the most common third-party providers. Chips like the ASM1142 are still used on Intel motherboards today. When we looked at Newegg, nearly every USB 3.0 PCI Express card we spot-checked used an Asmedia solution — typically the ASM1042 or ASM1142.

If these Asmedia flaws are common to Intel, AMD, and standalone cards, Intel users and expansion card users absolutely should’ve been notified. If they’re unique to AMD users, CTS Labs needed to explain why. It has not. Again, when security researchers describe flaws, they typically describe them across the entire set of hardware on which they are known to occur. Failing that, they at least acknowledge the use of these broken solutions in other contexts. CTS Labs did neither.
While we’re still waiting for AMD or another third party to release more details, it’s clear there’s a real problem here. But the question raised by CTS Labs' behavior isn’t whether there are flaws in AMD’s chipsets or Ryzen CPUs. It’s a question of whether those flaws were fairly or accurately characterized given the company’s scaremongering, and a further question of whether the disclosure was targeted and timed as part of a scheme to harm AMD’s stock price, as opposed to a straightforward, good-faith security disclosure.

On these issues, Zilberman is silent.

There’s nothing illegal about paying a security firm to research a product or the manner in which CTS Labs disclosed its findings. But just because something isn’t illegal doesn’t make it a good idea — and we can think of few ideas worse than short sellers and security firms teaming up to weaponize disclosures. Zilberman’s letter may have been intended to clear the air, but it only raises more questions about the nature of the company’s findings and its framing of its work.
CTS Labs does a Q&A:
Tom's analysis raises further questions:
First proof-of-concept video released:
Quote:AMD has finally issued a full response to CTS Labs’ report that Ryzen and EPYC processors contain a total of 13 security flaws. Here’s the short version of the chipmaker’s response:
  • Exploitation of the vulnerabilities requires admin access
  • The vulnerabilities have to do with firmware and chipsets, not the x86 architecture
  • Patches are coming in the form of BIOS updates and firmware patches only--no microcode updates are required--via OEMs and ODMs
  • All issues will be addressed within “weeks,” but we strongly infer that AMD is aiming for 90 days or less
  • There is no expected performance impact
Note that in AMD’s response, it condensed CTS Labs’ four threat categories into three. In all three, AMD stated that admin access is required, and all the attacks would require that the system’s security has already been compromised.

Expect all patches to arrive via AMD’s ODM and OEM partners within the next 90 days.
AMD confirms that it has sent out patches:
