AMD ships CTS Labs vulnerability patches to ecosystem partners

In mid-March a group called CTS Labs released a report detailing 13 vulnerabilities in AMD’s new Ryzen series of processors, affecting products from the Ryzen, Threadripper and EPYC lineups.

Going against standard procedure, CTS Labs publicly announced their findings without giving AMD the customary 90-day window between the vulnerabilities’ discovery and their public disclosure. This gave AMD no time to validate CTS Labs’ discoveries or implement any fixes, creating a PR nightmare for the company.

It took AMD a week to respond to CTS Labs’ findings, confirming that all of the attack types required administrative access to exploit. In short, each attack could only be taken advantage of after an “Attacker already has compromised the security of a system”, minimising the impact of the vulnerabilities.

After being contacted by CTS Labs, Tom’s Hardware contacted AMD for a progress update on its planned firmware mitigations. Over a month has passed since AMD’s response to CTS Labs, and it seems that AMD is well on the way to addressing “all of the CTS identified vulnerabilities” in its EPYC lineup and to patching Chimera across all platforms. Below is AMD’s official response.

Within approximately 30 days of being notified by CTS Labs, AMD released patches to our ecosystem partners mitigating all of the CTS identified vulnerabilities on our EPYC platform as well as patches mitigating Chimera across all AMD platforms. These patches are in final testing with our ecosystem partners in advance of being released publicly. We remain on track to begin releasing patches to our ecosystem partners for the other products identified in the report this month. We expect these patches to be released publicly as our ecosystem partners complete their validation work.

While AMD’s response here is vague, the company has confirmed that it is working on the problem and is set to release platform mitigations once they are ready for public use. AMD does not want to repeat Intel’s mistakes with Spectre, where early BIOS mitigations caused stability issues on both desktop and server platforms, forcing a recall of the firmware fixes and several significant delays.

Less than 90 days have passed since CTS Labs went public with their findings, the window that AMD should rightfully have been given to address the issues before CTS Labs’ public disclosure. Regardless, the CTS Labs vulnerabilities are much less concerning than they were initially advertised: because they require an attacker who already holds administrative access, they serve as a secondary, post-compromise stage rather than a primary vulnerability like Spectre/Meltdown.

You can join the discussion on AMD’s release of CTS Labs vulnerability fixes to ecosystem partners on the OC3D Forums.