AMD finalized its investigation on the vulnerabilities recently discovered by CTS Labs and announced that security patches will be released soon.
AMD acknowledged 13 critical vulnerabilities and exploitable backdoors in its Ryzen and EPYC processors that were first disclosed earlier March by the information security training researchers at the firm CTS Labs.
The CTS Labs researchers did not disclose any technical details about the vulnerabilities to avoid abuses. AMD plans to roll out firmware updates in the incoming weeks to address the flaws affecting millions of devices worldwide.
The vulnerabilities could be potentially exploited to steal sensitive data, install malicious code on AMD-based systems, and gain full access to the compromised systems, as per statement of an information security training analyst said. The vulnerabilities expose servers, workstations, and laptops running vulnerable AMD Ryzen, Ryzen Pro, Ryzen Mobile or EPYC processors to attacks.
It has to be noted that CTS-Labs promptly reported the flaws to AMD, Microsoft and “a small number of companies that could produce patches and mitigations.”
The analysis conducted by the information security training experts revealed four classes (RYZENFALL, FALLOUT, CHIMERA, and MASTERKEY) of vulnerabilities affecting the AMD Zen architecture processors and chipsets that usually contain sensitive information such as passwords and encryption keys.
The vulnerability could allow bypassing AMD’s Secure Encrypted Virtualization (SEV) technology and also Microsoft Windows Credential Guard.
This week AMD published a press release. “It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.” reads the press release published by AMD. “Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”
Differently from Meltdown and Spectre attacks, AMD patches are not expected to impact system performance, information security training researchers said.
CTS Labs are skeptical about a rapid fix of the issues, they claimed that AMD could take several months to release patches for most of the vulnerabilities, even some of them could not be fixed.