AMD Grapples with Its Own Processor Security Flaw

Chip maker AMD is working to develop firmware updates in the wake of recently publicized security issues affecting its processors.

Described last week by CTS Labs, the security issues mostly concern the Platform Security Processor that's present on AMD processors, as well as a Promontory chipset. However, attackers would need to have administrative access to exploit the flaws -- a difficult feat to carry out.

Independent consultancy Trail of Bits, which tested and affirmed the exploits on behalf of CTS Labs, downplayed the security risks.

"There is no immediate risk of exploitation of these vulnerabilities for most users," Trail of Bits indicated in an announcement. "Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities."

CTS Labs, a security consultancy for chip manufacturers, had published a whitepaper (PDF) describing the exploits, but it indicated that "all technical details that could be used to reproduce the vulnerabilities have been redacted." It tested the flaws on "AMD's latest Zen processors for the past six months, including EPYC, Ryzen, Ryzen Pro and Ryzen Mobile," according to the whitepaper. The whitepaper claimed that organizations were at "significantly increased risk of cyber-attacks" from the flaws. It also was unsparing about AMD's security oversight.

"In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles," the whitepaper stated. "This raises concerning questions regarding security practices, auditing, and quality controls at AMD."

This week, AMD described the vulnerabilities and its mitigation plans in an announcement. The flaws aren't associated with the Meltdown and Spectre issues identified in early January by Google's Project Zero, according to Mark Papermaster, AMD's chief technology officer and senior vice president of technology and engineering. He indicated that AMD will release firmware updates in the coming weeks to address the flaws. Papermaster also downplayed the security threats.

"It's important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings," he wrote. "Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research."

Papermaster added that there are additional controls, "such as Microsoft Windows Credential Guard in the Windows environment," to ward off unauthorized administrative access.

AMD was informed about the flaws by CTS Labs on March 12, 2018, but it was given just one day before CTS Labs published its findings, according to Papermaster. Some organizations, such as Google, have suggested that coordinated disclosure of security flaws should be about 90 days.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • The 2020 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generations of .NET and PowerShell, here's what's on tap from Microsoft this year.

  • 2020 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss. (Now updated with COVID-19-related event changes.)

  • Nvidia Buys Chip Maker Arm for $40 Billion

    Nvidia has entered into a "definitive agreement" to acquire U.K.-based chip design company Arm Ltd. from the SoftBank Group in a stock-and-cash deal valued at $40 billion.

  • Oracle, Not Microsoft, Wins TikTok Buyout Bid

    Oracle's proposal to acquire TikTok's U.S. social media operations emerged victorious over the weekend, putting an end to Microsoft's competing buyout bid.