A white paper published by an Israeli security firm on Tuesday describes 13 vulnerabilities allegedly affecting AMD chips currently being shipped to customers.
In a statement, AMD said it is investigating the report “by a company called CTS Labs” but raised concerns over the way in which the firm disseminated its white paper, which was admittedly light on technical details. “We are actively investigating and analyzing its findings,” AMD said. “This company was previously unknown to AMD and we find it unusual for a security firm to publish research to the press without providing a reasonable amount of time for the company to investigate and address its findings.”
Emails to AMD and CTS-Labs were not immediately returned. AMD’s media contact line went to voicemail.
The vulnerabilities—all of which require administrative (or root) access to exploit—reportedly give one the ability to compromise EPYC servers and Ryzen and Ryzen Pro workstations. (Both the AMD Ryzen chipset and AMD Secure Processor are said to be vulnerable, with the latter supposedly containing backdoors affecting “virtual all Ryzen and Ryzen Pro workstations on the market today,” CTS wrote in its report.)
According to the company’s website, CTS was founded in 2017 by Ido Li On, Yaron Luk-Zilberman, and Ilia Luk-Zilberman, respectively, CTS’s chief executive officer, chief financial officer, and chief technology officer. At least two of the CTS executives appear to have previously worked for Israeli intelligence, according to company bios and LinkedIn profiles.
Regarding the company’s lack of technical specificity, CTS wrote that it provided a summary of the reported flaws, but purposefully did not provide a complete description to avoid enabling a person with malicious intent to “actually exploit the vulnerabilities and try to cause harm to any user of the products described herein.”
Dan Guido, CEO of the security firm Trail of Bits, said on Twitter that CTS had contacted his company and provided a full technical report last week. “Regardless of the hype around the release,” he said, “the bugs are real, accurately described in their technical report, and their exploit code works.” (According to Guido’s tweets, Trial of Bits was paid to conduct the review.)
According to CTS, the flaws would allow malicious code to be run on the AMD Secure Processor, which would enable attackers to nab credentials and potentially spread malware throughout a Windows corporate network. According to CTS, when used in conjunction with another class of vulnerabilities, this may expose customers to “covert and long-term industrial espionage” via the installation of persistent malware.
Another flaw affecting EPYC servers would similarly allow attackers to read from and write to protected memory areas, which may be used to steal credentials protected by Windows Credential Guard, according to CTS. The company also described a flaw that takes advantage of firmware and hardware backdoors, enabling attackers to inject malicious code into the AMD Ryzen chipset.
“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise,” AMD said. “We are investigating this report, which we just received, to understand the methodology and merit of the findings.”
This is a developing story.
Update, 4:12pm: Gizmodo has learned that CTS-Labs provided AMD less than 24-hours notification before disclosing its report to the public, according to a source with knowledge of the exchange.