Advanced Micro Devices (AMD) will release firmware patches and a BIOS update in the coming weeks to fix the chipset vulnerabilities exposed by researchers earlier this month but the firm says the flaws aren't as severe as they've been portrayed.
Earlier this month CTS Labs accused the chip manufacturer of disregarding "fundamental security principles" and overlooking "poor security practices and insufficient quality controls," after reportedly finding serious vulnerabilities in the company's Zen line of processors.
Independent researchers and security professionals were critical of the Israel-based cyber-security firm for reportedly only giving AMD 24 hours advance notice of the vulnerabilities before going public.
Some have also noted that CTS issued a disclaimer that it "may have, either directly or indirectly, an economic interest in the performance” of AMD, which suggests at least the possibility that the company could stand to financially benefit from revealing news about AMD.
AMD addressed vulnerabilities CTS Labs found in a 21 March blog post announcing that the firm will release patches while adding the flaws could only be exploited by a hacker with administrative access, noting:
“Any attacker gaining administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”
In addition, AMD said that all modern operating systems and enterprise-quality hypervisors today have many effective security controls in place to prevent unauthorised administrative access before they could affect the named security issues.
The firm went on to say that the issues identified by CTS Labs aren't related to the firms' AMD “Zen” CPU architecture or the Google Project Zero exploits made public 3 January, 2018 but instead are associated with the firmware managing the embedded security control processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
AMD said there are four primary types of vulnerability variants that can be leveraged to attack the AMD processors which are Chimera, Ryzenfall, Fallout, and Masterkey.
The Chimera vulnerability would allow an attacker to leverage the chipset's middleman position to launch sophisticated attacks to install malware. Ryzenfall enables malicious code to take complete control over the AMD Secure Processor and leverage the technology's privileges to read and write protected memory areas.
Fallout impacts AMD's EPYC server chips and allows attackers to read from and write to protected memory areas while the Masterkey flaw breaks down into three separate vulnerabilities that allow attackers to infiltrate the Secure Processor in EPYC server, Ryzen workstation, Ryzen Pro and Ryzen mobile chips.
AMD said that there are no expected performance issues with the new updates.