CTS, an Israeli research company, has publicly disclosed 13 vulnerabilities it detected in a range of Advanced Micro Devices processors, just a day after informing AMD about them.
This move, publicly disclosing the vulnerabilities so soon after informing the vendor, is somewhat unusual for cybersecurity firms.
The practice followed so far has been that the person or institution that first finds a bug or vulnerability shares the details with the vendor or developer first, who is then given a certain number of days to work on mitigations and issue updates and patches to fix the vulnerabilities or backdoors.
Only if no remedial action is forthcoming are the details placed in the public domain, once the time given for such mitigation activity has elapsed. This could be 35 days to 75 days depending on the severity of the bug.
That’s why this decision by CTS, in the case of AMD, has come in for some criticism from different quarters of the cybersecurity community.
A Total of 13 Vulnerabilities & Backdoors
According to a whitepaper and dedicated informative webpage published by CTS, the backdoors and vulnerabilities detected are 13 in total and have been found in Advanced Micro Devices’ Ryzen and EPYC processors.
These are: Ryzenfall (four vulnerabilities), Chimera (two vulnerabilities), Masterkey (three vulnerabilities), Fallout (three vulnerabilities) and PSP Privilege Escalation.
After publicly disclosing the vulnerabilities, CTS defended its action by saying it has not exposed specific details to the public and will wait for AMD to initiate action on addressing the vulnerabilities before making those details public.
And, according to a response letter written by CTS’ CTO, the company opposes the standard “responsible disclosure” model used by many in the cybersecurity community.
The post goes on to indicate that CTS does not encourage giving time limits to vendors to rectify the flaws reported.
Are They All Serious Bugs?
The jury is still out on that; some experts feel these vulnerabilities are not so serious in nature and that, in most cases, the permission of the admin would have to be obtained before any action could be executed.
It is also believed these vulnerabilities are less harmful than bugs like Spectre and Meltdown, which have already created a storm this year.
Others are even suggesting that some of these bugs, described as backdoors, have been purposefully placed on the chipsets. But most experts also agree that the flaws in the chipsets cannot be ignored.
Some Suggest There Is a Conspiracy Angle
There are experts in these fields who feel the action of the Israeli research team in not giving AMD sufficient time to take up mitigation work is a deliberate one and could be part of a larger conspiracy.
Does it have anything to do with the sudden drop of Advanced Micro Devices’ share prices this month? Largely, this has not been said explicitly, but the ultimate hit is taken by the vendor of the flawed component.
This is where some people are questioning the way CTS has gone about disclosing the bugs and backdoors in the AMD processors.
Some have even gone on to pose several questions to CTS, to make the point that the firm may have had some ulterior motive behind the way the entire issue was handled.
Some suggest that by the way the presentation was made, it was clear that more than anything else, the forces behind the disclosure appeared to be keen on damaging AMD’s reputation.
AMD’s Response to the Issue
In a news release, Advanced Micro Devices stated that it has already taken note of the bugs detected by CTS and is working on the mitigation process.
The company said that, having received the report from CTS, it is studying the details of the vulnerabilities in question and will investigate them thoroughly before making any further observations.
What Lies Ahead for Computer Users?
The concern for average computer users is how the flaws would affect them and what steps they need to take to avoid getting hacked.
It is to be noted that there can never be a guarantee that hacking will not take place. One can only put in place the best security systems and count on the firewalls to take care of any such attempts.
But a follow-up notice published by CTS clarifies that cloud providers and large enterprises using the affected AMD processors on their servers could be the most vulnerable.
Run-of-the-mill users of PCs and laptops should have very little to worry about.