AMD REBUFFS RYZEN FLAWS
Zen cores are sound; CTS-Labs takes heat
ON MARCH 12, a little-known research company called CTS-Labs issued a security warning about AMD Ryzen and EPYC chips. It claimed to have found 13 flaws, which could let attackers install malware into protected parts of the processor, exposing passwords and encryption keys. This was hard on the heels of Meltdown and Spectre, and people were understandably twitchy. It received a good deal of coverage, and sounded scary.
Things were odd from the start, though. It is best practice for a security company to give at least 90 days’ notice before going public. This gives enough time for patches and fixes to be put in place before alarming the public. Typically, the vulnerability and the patch become public on the same day. CTS-Labs only gave AMD 24 hours before going public.
It took AMD nine days to sift through the report and issue a response. It says all the problems lie with firmware and chipsets, not with the Zen core. It also points out that you need administrative access to employ any of the vulnerabilities; not easy for an attacker to get in the first place, and if they do, you’ve probably got bigger things to worry about. AMD distilled the flaws into three “issues,” and promised BIOS updates and firmware patches to fix any potential problems. Basically, there’s little to worry about.
This is an odd one, and the actions of CTSLabs look reckless. It’s a small company, barely a year old. The bugs are real, they’ve been independently verified, although hardly easy to exploit. CTS-Labs did exaggerate them, including coming up with menacing names such as Master Key and Fallout.
This has ruffled feathers in the industry, and CTS-Labs has been taking heat. There have been accusations of financial gain being a motivation. Linus Torvalds suggested that it looked “more like stock manipulation than a security advisory.” Whatever the motivation, the company certainly made a mess of revealing what it had found.