AMD confirmed chipset patches are currently being tested by ecosystem partners to fix multiple vulnerabilities...
first disclosed in March.
The vulnerabilities were disclosed under unconventional circumstances when CTS Labs, a cybersecurity company based in Tel Aviv, Israel, publicly announced them just 24 hours after the researchers told AMD about the issues, far less than the standard 90-day disclosure window. Despite the controversial announcement, AMD patches for the issues were promised "in the coming weeks" in a statement from March 21.
CTS Labs was skeptical that the timeline was realistic, and Ido Li On, CEO of CTS, reiterated that skepticism just six weeks after the vulnerabilities were first reported.
"Despite AMD promising to release PSP [Platform Security Processor] firmware patches for MasterKey, RyzenFall and Fallout within 'the coming weeks,' no patches have been released," Li On wrote in an email to SearchSecurity. "Not only have no patches been rolled out, there have been no updates or communication from AMD on progress or on when these patches can be expected. Furthermore, as we pointed out in our previous statement, not so much as a projected timeline has yet been provided for Chimera."
CTS Labs initially claimed it would take "many months" for the AMD patches to be released. However, AMD has a much shorter planned timeline, and a spokesperson confirmed the AMD patches are still on track.
"Within approximately 30 days of being notified by CTS Labs, AMD released patches to our ecosystem partners mitigating all of the CTS identified vulnerabilities on our EPYC platform, as well as patches mitigating Chimera across all AMD platforms," AMD told SearchSecurity. "These patches are in final testing with our ecosystem partners in advance of being released publicly. We remain on track to begin releasing patches to our ecosystem partners for the other products identified in the report this month. We expect these patches to be released publicly as our ecosystem partners complete their validation work."
In addition to questioning the timeline of the AMD patches, CTS Labs also raised concerns regarding AMD deciding to encrypt parts of its PSP firmware. CTS claimed this is little more than "security through obscurity" and will prevent researchers from auditing AMD code.
An AMD spokesperson refuted this idea and said the company "developed firmware patches to mitigate the identified vulnerabilities," adding that "the firmware is now encrypted in line with industry best practice," as a way to make it more difficult for malicious actors to reverse-engineer attacks from the firmware code.