AMD CPU vulnerabilities published by unknown security firm after 24 hours notice

AMD Vulnerabilities Map

AMD has found itself dragged into a security controversy of its own this week, after a questionable research firm known as CTS Labs published a paper claiming to detail four vulnerabilities in Zen-based processors, which was immediately followed up by a report from Viceroy Research.

The second, dubbed Ryzenfall, consists of four "design and implementation flaws" inside the AMD Secure OS, which powers the AMD Secure Processor found in Ryzen, Ryzen Pro and Ryzen Mobile products.

AMD says that the chips for Secure Processor are impenetrable.

Moreover, they claim the vulnerabilities lie in the "secure" part of the processor - a place where your chip stores things like encryption keys, or checks on boot, to see if you have any malicious code running.

By exploiting the FALLOUT flaws, attackers could steal network credentials protected by the Windows Credential Guard and could disable BIOS flashing protections, allowing for the exploitation of the MASTERKEY flaws on systems where BIOS flashing is blocked, CTS Labs said.

Ryzenfall is a threat that allows for malware to completely hijack a Secure Processor allowing access to secure data that would normally be out of the reach of attackers. If the hacker gains access to the low-level target network, then they can collect the data they required.

Some of these attacks are created to exploit loopholes in safeguard mechanisms to "steal network credentials, and then potentially spread through even highly secure Windows corporate networks".

The backdoors, one located in firmware and one in hardware, allows the execution of malicious code inside the chipset and would give attackers a man-in-the-middle position to spy on all USB, SATA, LAN, WiFi and other traffic passing through the chipset.

More news: California: Teacher's Gun Accidently Goes Off in Class Injuring Three Students

"The chipset links the CPU to USB, SATA, and PCI-E devices".

As is the case with many security exploits, these could theoretically allow hackers access to personal credentials and provide an opportunity to spread malware, but the white paper also warns of the potential for "long-term industrial espionage".

So in a nutshell, this suite of vulnerabilities looks to be pretty bad news for AMD. The AMD version of the co-processor has series of critical flaws which make the task of attackers easy.

"The Ryzen chipset, a core system component that AMD outsourced to a Taiwanese chip manufacturer, ASMedia, is now being shipped with exploitable manufacturer backdoors inside", reads the whitepaper put out by CTS Labs, the company that discovered the vulnerabilities.

AMD has been notified and is looking into the issue: "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise", an AMD spokesman said. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings.

CTS Labs said that the Ryzen chipset, a new line from AMD, was being shipped with exploitable backdoors, which had come about as a result of obtaining technology from ASMedia, an outsourcing partner.

Nevertheless, CTS-Labs researchers don't want the flaws to be brushed off lightly. All we can say is the situation feels fishy. According to CTS Labs, it has still not heard anything from AMD, and researchers claim it could take months to fix the vulnerabilities, notes CNET. "An attacker could sit there for years without ever being detected".

This had raised suspicions that CTS Labs may have a commercial motive for disclosing the AMD vulnerabilities so soon after notifying the chip maker. The supplied whitepaper from CTS-Labs has so far not offered much detail into the specifics of the vulnerabilities - a stark contrast to the level of detail offered by Google's Project Zero report with the Spectre and Meltdown vulnerabilities, which were also made public many months after being disclosed to those potentially affected.

Related News:

Most liked

Margot Robbie Confirmed for Once Upon a Time in Hollywood
Once Upon A Time In Hollywood will be released on 9 August next year, marking exactly 50 years since Tate's death. Robbie is coming off of her own Oscar-nominated turn, for I, Tonya , her first nomination.

Met Office issues snow and ice warning for Derbyshire
Cold air from the Arctic is heading to the United Kingdom - and we're set to see more snow and ice in the region this weekend. The Met Office has issued a warning for the region on Friday and Saturday - as the Beast from the East is set to return.

FBI officials recommend former #2 at FBI Andrew McCabe be fired
The McCabe-linked source shot down an allegation that McCabe tried to stymie an investigation into the Clinton family charity. McCabe first joined the Federal Bureau of Investigation in 1996, investigating organized crime cases in NY .

Forecast: Warm and windy today in the Omaha area
Blustery, with a west wind 16 to 20 miles per hour , with gusts as high as 39 miles per hour . West, southwest wind 10 to 18 miles per hour with gusts as high as 25 miles per hour .

Venus Williams advances to the last eight in Indian Wells
It was the match of the tournament as with Venus taking the first set 7-5 before Serena bounced back to take the second 6-4. It was also their first duel at Indian Wells , 17 years after Venus pulled out of their semifinal with a knee injury.

Oil up, but Opec sees rapid growth in rival supply
Output has been helped by the 25% rise in oil prices over the past year, along with improvements in efficiency and technology. Gasoline stocks fell by 6.3 million barrels, compared with analysts' expectations in a poll for a 1.2 million-barrel drop.

Apple buys 'Texture' Magazine Subscription App
Previously, Apple had a Newsstand app of its own, but the service never took off, and Apple chose to just terminate the service. The Apple logo is pictured inside the newly opened Omotesando Apple store at a shopping district in Tokyo June 26, 2014.

Miley Cyrus sued for $300 million over 'We Can't Stop' copyright infringement
May is seeking a trial by jury, plus a halt to sales and performances of Cyrus' song as well as damages and legal fees. Listen to both songs below and judge the alleged similarities for yourself.

Microsoft to set up two data centres in the UAE
Etisalat is also consulting on migration and managed services to see to the smooth transition of business customers to the cloud. The new announcement expands Azure regions to 50 regions across the globe, which includes plans for 12 new regions.

YouTube To Use 'Information Cues' To Combat Fake News
Expect to see Wikipedia links in videos promoting conspiracy theories and issues that are very likely to spark heated debates. Essentially, these "information cues" will be small cards that appear directl below videos in the YouTube app.

Jeff Goldblum is back in Frontier's Jurassic World Evolution
Jurassic World Evolution will feature an all-new story that will mention key characters and events from the Jurassic World series. Goldblum is also reprising his role of Malcolm for Jurassic World: Fallen Kingdom , which releases in movie theaters on June 22.

Slovakia may face early parliamentary elections
The junior nationalist coalition party SNS said on Monday that it could accept either early elections or a cabinet reshuffle. A coalition partner had made Robert Kalinak's resignation a condition for continued support in government.

Erdogan hopes Afrin to be captured by Wednesday evening
It's a major issue of conflict for Turkey and the US that is expected to be discussed between the two countries later this month. Damascus has dubbed the Turkish campaign as "aggression", however, refrained from sending armed forces to the area.

Microsoft's more inclusive Xbox avatars finally arrive in April
Nothing has been confirmed about what will be revealed at E3 but previous year Microsoft revealed the Xbox One X and games for it. Now, they seem to be ready to make this year's E3 the biggest ever stating "it will be our biggest showing ever".

Blaze pizzas for $3.14 for National Pi Day on Wednesday
Coco's Bakery Restaurant: Members of Coco's email club can get a coupon for a $3.14 slice of pie, according to representatives. Locations not participating in Pi Day are Disney Springs, Houston Airport, UCLA, Staples Center, and George Mason University.