Since the advent of Meltdown and Spectre, there has been heightened nervousness around potential security flaws in modern high-performance processors, especially those that handle the core and critical components of company business and international infrastructure. Today, CTS-Labs, a security company based in Israel, has published a whitepaper identifying four classes of potential vulnerabilities in the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines. AMD is in the process of responding to the claims, but was only given 24 hours of notice rather than the typical 90 days for standard vulnerability disclosure. No official reason was given for the shortened time.
As of 3/13 at 5:40pm ET, AMD has since opened a section on its website to respond to these issues. At present, the statement says:
“We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops.”
At this point AMD has not confirmed any of the issues brought forth in the CTS-Labs whitepaper, so we cannot confirm if the findings are accurate. It has been brought to our attention that some press were pre-briefed on the issue, perhaps before AMD was notified, and that the website that CTS-Labs has set up for the issue was registered on February 22nd, several weeks ago. Given the level of graphics on the site, it does look like a planned ‘announcement’ has been in the works for a little while, seemingly with little regard for AMD’s response on the issue. This contrasts with Meltdown and Spectre, which were shared among the affected companies several months before a planned public disclosure. CTS-Labs has also hired a PR firm to deal with incoming requests for information, which is also an interesting avenue to the story, as this is normally not the route these security companies take. CTS-Labs is a security-focused research firm, but does not disclose its customers or the research leading to this disclosure. CTS-Labs was started in 2017, and this is their first public report.
CTS-Labs’ claims revolve around AMD’s Secure Processor and Promontory Chipset, and fall into four main categories, which CTS-Labs has named for maximum effect. Each category has sub-sections within.
MasterKey 1, 2, and 3
MasterKey is an exploit that allows for arbitrary code execution within the secure processor of the CPU, but requires the attacker to re-flash the BIOS with an update that attacks the Arm Cortex A5 at the heart of the secure processor. In one version of MasterKey, the BIOS update uses metadata to exploit the vulnerability, but the goal is to bypass AMD’s Hardware Validated Boot (HVB). The impact of MasterKey would allow security features to be disabled, such as the Firmware Trusted Platform Module or Secure Encrypted Virtualization. This could lead to hardware-based random attacks. CTS-Labs cites that American Megatrends, a common BIOS provider for Ryzen systems, makes a BIOS re-flash very easy, assuming the attacker has a compatible BIOS.