AMD has confirmed today the security flaws discovered by the researchers from CTS Labs last week in some of its processors, promising that they will all be fixed in the coming days.
Last week, on March 12, security researchers from CTS Labs have publicly disclosed not one but 13 critical vulnerabilities in some of AMD’s products, including AMD Secure Processor or “PSP” firmware, which manages the embedded security control processor, as well as the “Promontory” chipset used in several socket AM4 and TR4 desktop platforms.
The CPU flaws are categorized in four groups, MasterKey, RyzenFall, Fallout, and Chimera, and could allow attackers to bypass the platform security controls and install hard-to-detect malware in SMM (x86) or access the computer’s physical memory through the chipset. However, AMD says that all these vulnerabilities required administrative privileges, which means they have limited impact.
“It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings,” said Mark Papermaster, Senior Vice President and CTO at AMD.
Among the affected processors families, we can mention that the AMD Ryzen, AMD Ryzen Pro, and AMD Ryzen Mobile series are affected by RyzenFall, the AMD Ryzen and AMD Epyc series are affected by MasterKey, the AMD Ryzen and Ryzen Pro series using the “Promonotory” chipset are affected by Chimera, and only the AMD Epyc chips are affected by Fallout.”
AMD promises fixes for all issues in a few days
It took more than a week for AMD to respond to CTS Labs’ report because the third-party security researchers gave the well-known semiconductor company only a day to read it. But despite this, AMD promises mitigations for all these CPU flaws in just a few days from the moment of publishing through BIOS updates, so all affected users are encouraged to update the BIOS of their systems as soon as possible.
The company also noted the fact that these newly disclosed flaws aren’t related to the Meltdown and Spectre security vulnerabilities unearthed earlier this year by security researchers from Google Project Zero and various universities, nor the AMD “Zen” CPU architecture. AMD has assured users that the patches for these flaws won’t affect the performance of their systems.