AMD Details Ryzen, EPYC And Chipset Mitigation Plan For Masterkey, Fallout And Ryzenfall Vulnerabilities
At the time, AMD provided the following statement:
We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.
AMD has had over a week to scour over the whitepaper and determine the veracity of these supposed exploits, and has reported back with its findings. The company acknowledges that these are indeed exploits, and will rollout mitigation strategies for each of the four primary attack vectors. However, AMD rightfully points out that a person would need administrative access to a system in order to carry out any attacks, and with such permissions, they have a wide range of tools at their disposal beyond the vulnerabilities discovered by CTS Labs.
"[This is] a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings," write's AMD's Mark Papermaster. "All modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues."
With that said, the company has outlined that firmware patches will be released to address Masterkey, Ryzenfall and Fallout via BIOS updates in the coming weeks. AMD is quick to note that there will be no performance hit associated with these fixes. In addition, there will also be a BIOS update with mitigations in place for the Chimera exploit that affects the supporting “Promontory” Ryzen chipset.
"AMD is working with the third-party provider that designed and manufactured the 'Promontory' chipset on appropriate mitigations," said AMD. In this case, that third-party provider is allegedly ASUSTeK subsidiary ASMedia.
In the end, we must applaud AMD for reacting so quickly and announcing that fixes will shortly be in place for customers -- even if it doesn't share the same security concerns as CTS Labs.