News

AMD Readies Patches for Its Own Processor Security Hole

• By Kurt Mackie
• 03/27/2018

Recently publicized processor security issues have chip maker AMD scrambling to develop firmware updates.

The security issues, described this month by CTS Labs, mostly concern the Platform Security Processor that's present on AMD processors, as well as a Promontory chipset. However, attackers would need to have administrative access to exploit the flaws, and it's considered difficult to carry out.

Independent consultancy Trail of Bits, which tested and affirmed the exploits on behalf of CTS Labs, downplayed the security risks.

"There is no immediate risk of exploitation of these vulnerabilities for most users," Trail of Bits indicated in an announcement. "Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities."

CTS Labs, a security consultancy for chip manufacturers, had published a white paper (PDF) describing the exploits, but it indicated that "all technical details that could be used to reproduce the vulnerabilities have been redacted." It tested the flaws on "AMD's latest Zen processors for the past six months, including EPYC, Ryzen, Ryzen Pro and Ryzen Mobile," according to the white paper. The white paper claimed that organizations were at "significantly increased risk of cyber-attacks" from the flaws. It also was unsparing about AMD's security oversight.

"In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles," the white paper stated. "This raises concerning questions regarding security practices, auditing, and quality controls at AMD."

Last week, AMD described the vulnerabilities and its mitigation plans in an announcement. The flaws aren't associated with the Meltdown and Spectre issues identified in early January by Google's Project Zero, according to Mark Papermaster, AMD's chief technology officer and senior vice president of technology and engineering. He indicated that AMD will release firmware updates in the coming weeks to address the flaws. Papermaster also downplayed the security threats.

"It's important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings," he wrote. "Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research."

Papermaster added that there are additional controls, "such as Microsoft Windows Credential Guard in the Windows environment," to ward off unauthorized administrative access.

AMD was informed about the flaws by CTS Labs on March 12, 2018, but it was given just one day before CTS Labs published its findings, according to Papermaster. Some organizations, such as Google, have suggested that coordinated disclosure of security flaws should be about 90 days.