January’s disclosure of serious flaws in mainly Intel microprocessors – Meltdown and Spectre – put the issue of vulnerabilities in hardware microcode and firmware front and centre.
Those were, of course, serious issues the industry has been working flat out to mitigate ever since.
But has an unknown Israeli company called CTS Labs tried to exploit worries over this type of flaw for financial gain?
On 13 March, researchers working for CTS Labs published what quickly turned into one of the most contentious security disclosures ever made.
The company said it had uncovered 13 individual flaws, including backdoors, in AMD’s Ryzen chip family which “put networks that contain AMD computers at a considerable risk.”
Echoing the publicity over January’s Meltdown and Spectre proof-of-concept mega-vulnerabilities in mainly Intel designs, the Ryzen flaws were even grouped into families with dramatic-sounding names – Masterkey, Ryzenfall, Fallout and Chimera.
CTS Labs had of course…
…privately shared this information with AMD, select security companies that can develop mitigations, and the US regulators.
While this is correct, it should be noted that AMD were given only 24 hours notice ahead of the disclosure. Responsible disclosure for security flaws should be months not one day, inviting accusations that CTS Labs was behaving unethically.
Scorn quickly followed from many experts, with Linus Torvalds of Linux fame musing about ulterior motives:
It looks more like stock manipulation than a security advisory to me.
A serious accusation, of course, prompted by CTS Labs’ report disclaimer that:
We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.
And there was another problem – all of the flaws CTS Labs found required admin access. As numerous experts pointed out, any attacker with this access would already have control of the system even without exploiting security flaws.
A third-party hired by CTS Labs to assess the flaws confirmed it had received proof-of-concept code to exploit them while still concluding:
There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities.
Two weeks on, and AMD this week published its own assessment of the vulnerabilities that should reassure alarmed users.
All four classes of flaw would be fixed through BIOS updates “within the coming weeks,” none of which were expected to hurt performance, while systems running on hypervisors would afford an additional layer of protection, the company said.
It would be easy to conclude that this isn’t as big a deal as Meltdown or Spectre because it can be fixed fairly easily.
That might be too complacent. However hyped, the fact that a small research outfit was able to find serious flaws in recent microprocessors, including the Secure Processor that is supposed to carry out integrity checks, is hardly reassuring.
And the issue of having to gain admin access to take advantage of them ignores the fact that should that happen, an attacker wielding one of these flaws might have another avenue to achieve persistence (i.e. the ability to hide on a system without being detected).
A lot now hinges on how quickly and simply AMD mitigates these flaws. As with any security vulnerability, the clock is always ticking.