AMD wasn't given the normal disclosure period before CTS Labs announced vulnerabilities found across various chips, but the company has taken on the challenge and has promised the AMD patches in the coming weeks.
CTS Labs notably gave AMD only 24 hours' notice before announcing 13 flaws in AMD's Ryzen and EPYC chipsets. AMD has confirmed CTS Labs' research -- 10 days after first learning of the vulnerabilities -- and has set forth a plan for BIOS firmware patches to mitigate three of the four flaw classes detailed by CTS. The fourth class, which relates to issues with third-party manufacturers of AMD chips, is still being investigated, AMD said.
The AMD patches should remediate the flaws, but AMD also noted "that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system."
"Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research," Mark Papermaster, CTO at AMD, wrote in the announcement. "Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues."
Dan Guido, co-founder of security firm Trail of Bits, based in New York -- who was given early access to the CTS Labs report -- said he believed the AMD patch schedule could be met.
"AMD describes the patches being 'released in the coming weeks ... through a BIOS update.' I deferred to AMD in our blog on the subject of mitigations, but the delivery method and that amount of time (April/May?) seem reasonable." -- Dan Guido (@dguido), March 20, 2018
However, CTS Labs called the schedule for the AMD patches "dramatically optimistic" because of the difficulties in BIOS firmware fixes.
"These vulnerabilities require not a regular update, but a BIOS update. Mistakes in BIOS or chip firmware can have severe implications on system stability, so there are naturally strict requirements in terms of quality assurance," CTS Labs told SearchSecurity, adding that OEMs' own QA cycles would add further delay. "After that, distribution of patches to customers is a lengthy process as well. When we put this together, it is our estimate that 'weeks' is unrealistic for customers."
CTS also claimed the AMD flaws do allow attackers to bypass the Windows Credential Guard protections and posted a video demonstrating this type of security bypass.
Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., confirmed this proof of concept and said the Windows Credential Guard bypass was a specific example of a more general threat posed by the AMD flaws.
"The issue is that on a vulnerable processor any user with admin on any OS can leak data from any other OS running on the same processor. The only thing stopping this from being a bigger issue is the low market share of AMD Ryzen processors in public shared hosting environments," Williams told SearchSecurity. "If anything the video is actually helping people take the vulnerability seriously. There's no new information in the video that would help attackers replicate the exploit, so the only thing it is doing is helping defenders -- some of whom expressed doubt about the vulnerabilities -- understand the impact."