7 Replies Latest reply on Apr 9, 2018 7:38 AM by paulmarc

    CTS-Labs Claims Bulldozer, Ryzen, EPYC Vulnerable to 13 critical security vulnerabilities

    black_zion

      Take it with a grain of salt. Same company found Meltdown and Spectre, but gave the industry 200 days to respond, but they gave AMD fewer than 24 hours. The problems lie in the outsourced ASMedia components and AMD Secure Processor, NOT the chips themselves. AMD has faced the same calls as Intel to open source their reply to Intel ME citing security concerns, they have not. "Vanilla" Ryzen does not feature PSP, so they are not affected.

       

      Report Claims AMD Ryzen, EPYC CPUs Contain 13 Security Flaws (Updated)

       

       


       

      CTS-Labs published the information at amdflaws.com, which is a new site created by the small company. The company claims that it discovered the vulnerabilities while studying the impact of what it characterizes as known backdoors in ASMedia chipsets. The company claims these backdoors have existed for six years.

       

       

      AMD uses ASMedia as its third-party chipset supplier, and CTS-Labs claims to have found the same backdoors on the Ryzen and EPYC chipsets. These backdoors purportedly allow hackers to inject malicious code directly into the Platform Secure Processor (PSP), which is a separate and secure processor that provides global management functionality.

       

      The PSP (also called AMD Secure Processor) functions much like Intel's Management Engine (ME), which has proven in the past to have vulnerabilities. Neither AMD nor Intel open-source the code that runs on the processors, instead opting to run closed-source Linux distros.