AMD CPU vulnerabilities published by unknown security firm after 24 hours notice

AMD Vulnerabilities Map

AMD has found itself dragged into a security controversy of its own this week, after a questionable research firm known as CTS Labs published a paper claiming to detail four vulnerabilities in Zen-based processors, which was immediately followed up by a report from Viceroy Research.

The second, dubbed Ryzenfall, consists of four "design and implementation flaws" inside the AMD Secure OS, which powers the AMD Secure Processor found in Ryzen, Ryzen Pro and Ryzen Mobile products.

AMD says that the chips for Secure Processor are impenetrable.

Moreover, they claim the vulnerabilities lie in the "secure" part of the processor - a place where your chip stores things like encryption keys, or checks on boot, to see if you have any malicious code running.

By exploiting the FALLOUT flaws, attackers could steal network credentials protected by the Windows Credential Guard and could disable BIOS flashing protections, allowing for the exploitation of the MASTERKEY flaws on systems where BIOS flashing is blocked, CTS Labs said.

Ryzenfall is a threat that allows for malware to completely hijack a Secure Processor allowing access to secure data that would normally be out of the reach of attackers. If the hacker gains access to the low-level target network, then they can collect the data they required.

Some of these attacks are created to exploit loopholes in safeguard mechanisms to "steal network credentials, and then potentially spread through even highly secure Windows corporate networks".

The backdoors, one located in firmware and one in hardware, allows the execution of malicious code inside the chipset and would give attackers a man-in-the-middle position to spy on all USB, SATA, LAN, WiFi and other traffic passing through the chipset.

More news: Pre-registration Started for Westworld the Mobile Game

"The chipset links the CPU to USB, SATA, and PCI-E devices".

As is the case with many security exploits, these could theoretically allow hackers access to personal credentials and provide an opportunity to spread malware, but the white paper also warns of the potential for "long-term industrial espionage".

So in a nutshell, this suite of vulnerabilities looks to be pretty bad news for AMD. The AMD version of the co-processor has series of critical flaws which make the task of attackers easy.

"The Ryzen chipset, a core system component that AMD outsourced to a Taiwanese chip manufacturer, ASMedia, is now being shipped with exploitable manufacturer backdoors inside", reads the whitepaper put out by CTS Labs, the company that discovered the vulnerabilities.

AMD has been notified and is looking into the issue: "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise", an AMD spokesman said. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings.

CTS Labs said that the Ryzen chipset, a new line from AMD, was being shipped with exploitable backdoors, which had come about as a result of obtaining technology from ASMedia, an outsourcing partner.

Nevertheless, CTS-Labs researchers don't want the flaws to be brushed off lightly. All we can say is the situation feels fishy. According to CTS Labs, it has still not heard anything from AMD, and researchers claim it could take months to fix the vulnerabilities, notes CNET. "An attacker could sit there for years without ever being detected".

This had raised suspicions that CTS Labs may have a commercial motive for disclosing the AMD vulnerabilities so soon after notifying the chip maker. The supplied whitepaper from CTS-Labs has so far not offered much detail into the specifics of the vulnerabilities - a stark contrast to the level of detail offered by Google's Project Zero report with the Spectre and Meltdown vulnerabilities, which were also made public many months after being disclosed to those potentially affected.

Related News:



Most liked

Margot Robbie Confirmed for Once Upon a Time in Hollywood
Once Upon A Time In Hollywood will be released on 9 August next year, marking exactly 50 years since Tate's death. Robbie is coming off of her own Oscar-nominated turn, for I, Tonya , her first nomination.

Shadow Of The Tomb Raider Details Leaked
A film based on the rebooted gaming series will release in the United States on March 16, starring Alicia Vikander as Lara Croft . However, there are some people who apparently think there is one, or two, things holding her back from her full Croft-potential.

Ben Carson Lied About His Dining Room Set For No Reason
The spokesman, who asked that his name not be used, even denied that Candy Carson had any interest in redecorating the suite. Carson picked out", Rodriguez wrote, referring to Allison Mills, Carson's executive assistant.

France to Sue Google, Apple Over 'Abusive Trade Practices' - Economy Minister
Earlier this year, French regulators launched an investigation into the firm's "deliberate" slowing down of older iPhones .

FBI officials recommend former #2 at FBI Andrew McCabe be fired
The McCabe-linked source shot down an allegation that McCabe tried to stymie an investigation into the Clinton family charity. McCabe first joined the Federal Bureau of Investigation in 1996, investigating organized crime cases in NY .

Winter Storm Warning In Effect Tuesday Evening
Orange and Ulster will see high temperatures in the upper 30s on Tuesday , while Sullivan can expect highs in the mid to low 30s. Scattered snow showers will continue on and off through the day Wednesday , with most areas seeing well under an inch of snow.

Forecast: Warm and windy today in the Omaha area
Blustery, with a west wind 16 to 20 miles per hour , with gusts as high as 39 miles per hour . West, southwest wind 10 to 18 miles per hour with gusts as high as 25 miles per hour .

Enyeama condemns Lille pitch invaders
Lille is in danger of being relegated from the French Ligue 1 and sit second from bottom with 28 points from 29 games. But, instead, Lille is in 19th place and fighting to avoid relegation with only nine games left.

Oil up, but Opec sees rapid growth in rival supply
Output has been helped by the 25% rise in oil prices over the past year, along with improvements in efficiency and technology. Gasoline stocks fell by 6.3 million barrels, compared with analysts' expectations in a poll for a 1.2 million-barrel drop.

Meghan McCain calls Clinton family 'virus' in Democratic politics
Another former aide told the publication that it seems "the party has moved on from Hillary Clinton ". In other words, Reines knows that Trump's messages resonated deeply in the heartland of America.

Miley Cyrus sued for $300 million over 'We Can't Stop' copyright infringement
May is seeking a trial by jury, plus a halt to sales and performances of Cyrus' song as well as damages and legal fees. Listen to both songs below and judge the alleged similarities for yourself.

YouTube To Use 'Information Cues' To Combat Fake News
Expect to see Wikipedia links in videos promoting conspiracy theories and issues that are very likely to spark heated debates. Essentially, these "information cues" will be small cards that appear directl below videos in the YouTube app.

McTominay called up to Scotland squad
Speaking at Hampden Park after announcing his squad, he said: "They are definitely prepared". He added: "It was enormously flattering, there's a huge interest in the national team".

Microsoft's more inclusive Xbox avatars finally arrive in April
Nothing has been confirmed about what will be revealed at E3 but previous year Microsoft revealed the Xbox One X and games for it. Now, they seem to be ready to make this year's E3 the biggest ever stating "it will be our biggest showing ever".

California: Teacher's Gun Accidently Goes Off in Class Injuring Three Students
Fragments from the bullet ricocheted off the ceiling lodged in the neck of a 17-year-old student, KSBW Channel 8 reports . A single shot was sacked from a semi-automatic handgun into the ceiling, according to the Seaside Police Department.