AMD CTO Mark Papermaster has responded to new CPU vulnerabilities revealed by CTS Labs in a recent white paper.
Highlighting the fact that CTS Labs gave AMD less than 24 hours notice before going public with its findings, Papermaster announced that patches will be released in the coming weeks to shore up the defences. In the company’s first public update since the vulnerabilities were revealed, Papermaster said that performance should not be impacted by the upcoming patches.
“On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings,” he wrote in a blog post.
He added: “We believe that each of the issues cited can be mitigated through firmware patches and a standard BIOS update, which we plan to release in the coming weeks. These patches and updates are not expected to impact performance. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed.”
Papermaster confirmed that the security issues identified are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public January. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
CTS Labs white paper listed 13 vulnerabilities that allegedly affect all products in the Ryzen, Ryzen Pro and EPYC server CPU ranges. What the vulnerabilities give access to is pretty damning. Like with a lot of exploits, the as of yet unnamed flaw could allow access to personal credentials and malware-spreading potential. The white paper goes one further however, claiming that the vulnerabilities could ‘expose AMD customers to industrial espionage that is virtually undetectable by most security solutions’.
It might sound particularly bad, but the potential positive is that the flaws require root-level operating-system access to be exploited. In other words, a hacker would need to be granted full access to your system.