Endpoint

3/23/2018
03:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

AMD Will Release Fixes for New Processor Flaws in a Few Weeks

Security firm that disclosed flaws accuses chipmaker of downplaying flaws; says timeline is overly optimistic.

Less than 10 days after getting blindsided by a report about purportedly severe vulnerabilities in some of its products, AMD on Wednesday confirmed the issues and said it would have fixes for them in the next several weeks.

In an alert Wednesday, AMD said it had completed an initial technical assessment of the flaws that Israeli security research firm CTS-Labs had reported to it on March 12 and then controversially released publically just one day later.

The assessment confirmed issues associated with the firmware for AMD Secure Processor and the Promontory Chipset used in AMDs Ryzen and EPYC platforms.

However, exploiting the flaws that CTS identified requires an attacker to already have full administrative access to a system, AMD's CTO Mark Papermaster said. An attacker would need to overcome multiple OS-level controls such as Microsoft's Windows Credential Guard to gain the administrative access needed to exploit the flaws, he said.

AMD is working on a firmware update for the Secure Processor issue and will release it in coming weeks, Papermaster said, without offering any specific dates. AMD is also working with the third-party manufacturer of the Promontory chipset on appropriate mitigations, he said. No timeline was given for when those mitigations might become available.

AMD's advisory is its first public update after CTS released details on the vulnerabilities March 13.

It evoked an immediate response from the Israeli firm. In a statement posted on a website describing the AMD flaws, CTS criticized the chipmaker for attempting to downplay the severity of the flaws. It called AMD's promise to deliver fixes in a few weeks as overly optimistic and said that some of the flaws would take months to fix. The central idea behind Secure Process in fact is to prevent administrators from gaining access to certain data on systems, the company noted.

CTS has come under considerable criticism for its decision to publicly disclose the vulnerabilities without giving AMD the opportunity to review them fully or issue any fixes for them. In a March 13 release, CTS said it had discovered 13 critical security vulnerabilities and manufacturer backdoors in AMD's Ryzen and EPYC product sets.

The research firm grouped the vulnerabilities under four broad categories and described them as affecting millions of devices, users and organizations worldwide. Among other things, the flaws give attackers a way to permanently install malicious code in AMD Secure Processor and to steal credentials for moving laterally through compromised networks - including those protected by Microsoft's Credential Guard.

CTS also warned that ASMedia, a Taiwanese company from which AMD sources some of its chipsets, was shipping products with exploitable manufacturer-installed backdoors in them that could allow attackers to inject malware into the chip.

Many faulted CTS for disclosing the flaws without giving AMD proper notice and also for overblowing the severity of the threat posed by them. An independent security research firm that CTS hired to validate its findings described the flaws as extremely hard to exploit even if complete exploit details were available. Others have maintained that the vulnerabilities are a threat only if a system has already been fully compromised, at which point an attacker would be able to do pretty much what they wanted on the system, anyway.

CTS' decision to go public with its discovery just weeks after the storm over the Spectre and Meltdown vulnerabilities in Intel chips also prompted wide-ranging questions about the motives and the timing behind the vulnerability disclosure.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop ITX and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20165
PUBLISHED: 2019-03-22
Cross-site scripting (XSS) vulnerability in OpenText Portal 7.4.4 allows remote attackers to inject arbitrary web script or HTML via the vgnextoid parameter to a menuitem URI.
CVE-2019-1716
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 7800 Series and Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. The vulnerability ...
CVE-2019-1763
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to bypass authorization, access critical services, and cause a denial of service (DoS) condition. The vulnerability exist...
CVE-2019-1764
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. The vulnerability is due to insufficient CSRF protections for the ...
CVE-2019-1765
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an authenticated, remote attacker to write arbitrary files to the filesystem. The vulnerability is due to insufficient input validation and file-level permis...