AMD Grapples with Its Own Processor Security Flaw

Chip maker AMD is working to develop firmware updates in the wake of recently publicized security issues affecting its processors.

Described last week by CTS Labs, the security issues mostly concern the Platform Security Processor that's present on AMD processors, as well as a Promontory chipset. However, attackers would need to have administrative access to exploit the flaws -- a difficult feat to carry out.

Independent consultancy Trail of Bits, which tested and affirmed the exploits on behalf of CTS Labs, downplayed the security risks.

"There is no immediate risk of exploitation of these vulnerabilities for most users," Trail of Bits indicated in an announcement. "Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities."

CTS Labs, a security consultancy for chip manufacturers, had published a whitepaper (PDF) describing the exploits, but it indicated that "all technical details that could be used to reproduce the vulnerabilities have been redacted." It tested the flaws on "AMD's latest Zen processors for the past six months, including EPYC, Ryzen, Ryzen Pro and Ryzen Mobile," according to the whitepaper. The whitepaper claimed that organizations were at "significantly increased risk of cyber-attacks" from the flaws. It also was unsparing about AMD's security oversight.

"In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles," the whitepaper stated. "This raises concerning questions regarding security practices, auditing, and quality controls at AMD."

This week, AMD described the vulnerabilities and its mitigation plans in an announcement. The flaws aren't associated with the Meltdown and Spectre issues identified in early January by Google's Project Zero, according to Mark Papermaster, AMD's chief technology officer and senior vice president of technology and engineering. He indicated that AMD will release firmware updates in the coming weeks to address the flaws. Papermaster also downplayed the security threats.

"It's important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings," he wrote. "Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research."

Papermaster added that there are additional controls, "such as Microsoft Windows Credential Guard in the Windows environment," to ward off unauthorized administrative access.

AMD was informed about the flaws by CTS Labs on March 12, 2018, but it was given just one day before CTS Labs published its findings, according to Papermaster. Some organizations, such as Google, have suggested that coordinated disclosure of security flaws should be about 90 days.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • 2019 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss this year.

  • Microsoft Partners with NIST To Improve Enterprise Security 'Hygiene'

    Microsoft will "soon" kick off an effort to help organizations better patch their software, with help from the National Institute of Standards and Technology.

  • Microsoft, Pivotal Collaborate on Azure Spring Cloud

    Azure Spring Cloud, a developer service jointly built and operated by Pivotal Software and Microsoft, debuted as a private preview this week.

  • The 2019 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generation of HoloLens, here's what's on tap from Microsoft this year.

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.