CTS Labs, an Israeli security research firm, purports to have discovered 13 separate security vulnerabilities related to AMD hardware across four categories of exploits. This surprise news arrives without any form of coordinated disclosure or pre-developed vendor mitigations.
The firm claims that flaws in AMD's Secure Processor, a separate ARM processor on AMD Zen CPUs that performs various encryption and root-of-trust functions, can be exploited to run arbitrary code. The "Masterkey" vulnerability requires the attacker to install a modified BIOS containing the exploit payload, either through physical access or—as CTS Labs claims—exploiting another one of the vulnerabilities the firm discovered to write to system flash in system management mode.
CTS Labs goes on to describe three other classes of vulnerabilities that it's branded "Ryzenfall," "Fallout," and "Chimera." Both the Ryzenfall and Fallout vulnerabilities require a local user account with administrator or root privileges to run the required malware, a level of access that generally would suggest that all bets are off on a system's security to begin with. Chimera purports to exploit undescribed "hardware backdoors" in ASMedia intellectual property that apparently makes up the Promontory chip powering AMD AM4 chipsets.
From what little we have to go on, Ryzenfall might allow an attacker to bypass virtualization sandboxes, install malware in privileged memory locations or on the Secure Processor itself, and gain access to privileged firmware or memory locations. Fallout describes a similar vulnerability related to the boot loader in AMD's Epyc server processors. The thrust is that Ryzenfall and Fallout could lead to rootkits installed in firmware or in privileged memory locations beyond the reach of endpoint security applications.
CTS claims that the Chimera vulnerability has allowed it to run arbitrary code on AMD client chipsets like the X370, including key loggers, man-in-the-middle attacks, and protected memory access. In assessing the scope of this vulnerability, CTS only says that one of the "backdoors" in the Promontory chip is implemented in firmware, while the other "is inside the chip's ASIC hardware."
For its part, AMD provided the following statement this morning:
At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.
Since AMD was not given much, if any, advance notice regarding these exploits, the company and its partners have not offered guidance regarding the mitigation of any of these exploits as of this writing.
CTS Labs suggests that Masterkey could be mitigated by preventing unauthorized BIOS updates, but that mitigation could be undone by the other exploits it's disclosed today. The firm didn't offer any proposed ways around Ryzenfall or Fallout, and it suggests that hardware-level vulnerabilities in AMD's Promontory chipset silicon may not be able to be worked around.
The chaotic nature of today's disclosure has led to many questions about the source and motivations of the firms behind this research. Astute social-media users have noted that Viceroy Research, a financial-analysis group that reportedly engages in short selling of various companies' securities, appears to have coordinated the release of a report provocatively titled "The Obituary" alongside the CTS Labs whitepaper. Viceroy posits that AMD will have no choice but to file for Chapter 11 bankruptcy as a result of the news and that its stock is ultimately worthless, claims that seem vastly out of proportion with the magnitude of the purported vulnerabilities that CTS Labs has discovered.
CTS Labs' disclaimer on its AMD vulnerability website also exposes a potential conflict of interest. The firm notes that it "may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports." If that's the case, it might explain why CTS Labs didn't engage in any form of coordinated disclosure of these vulnerabilities with AMD or give the company an opportunity to develop and deploy patches for those vulnerabilities.
Compare this approach to the (admittedly accelerated) release of information on the Spectre and Meltdown vulnerabilities, where several groups of security researchers informed Intel and other vendors of their findings well in advance of public disclosure, obtained CVE numbers that allow for easy tracking of the issues across various vendor websites, and published technical details of the vulnerabilities without providing proof-of-concept code.
We don't mean to downplay the potential seriousness of the vulnerabilities that CTS Labs claims to have uncovered, but the lack of technical details and the manner in which these vulnerabilities have been disclosed could suggest a less-than-altruistic motive. We'll update this article as we hear more from AMD and other sources regarding this news.