AMD CPU vulnerabilities published by unknown security firm after 24 hours notice

Published by Israeli security firm CTS Labs, the AMD chip flaws require significant work to exploit.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Though AMD was given only 24 hours' notice of the vulnerabilities, the domain publicizing the disclosure was registered on February 22nd.
  • The vulnerabilities require affected systems to already be compromised through some other means.

The allure of wall-to-wall coverage from technology media, particularly after high-profile, highly produced vulnerability disclosures such as Meltdown and Spectre, Heartbleed, and POODLE, may be attracting groups with ulterior motives, as shown by the highly irregular release of a series of exploits that affect AMD's EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile processors.

The disclosure is the first release by Israeli security startup CTS Labs, which was founded last year. The vulnerabilities, which are examined at length at TechRepublic's sister site CNET, center around the implementation of the AMD Platform Security Processor (PSP). All of the vulnerabilities require an attacker to already have gained administrator access to a machine, and the "MasterKey" vulnerability requires BIOS flashing in order to exploit. Real-world use of the exploits requires attackers to find some other means to compromise a system. While the vulnerabilities on their own merit are not good, they fall far short of the urgency which surrounded Meltdown and Spectre.

Typically, security researchers give companies 90 days to address a vulnerability before it is disclosed to the public. Given the complexity of Meltdown and Spectre, public disclosure was withheld for half a year to give the companies more time to diagnose the problem and develop a solution. CTS Labs appears to have given AMD only 24 hours' notice before publicly announcing the vulnerabilities on a domain that WHOIS records indicate was registered on February 22nd. The release itself provides no proof of concept or specific technical details that would enable others to write proof of concept code.

CTS Labs approached security researcher Dan Guido last week with full details of the vulnerabilities. While Guido asserts in a series of tweets that the vulnerabilities are real, he noted that he only accepted the initial request out of curiosity, and wound up billing CTS Labs the "week rate" after their questions about the vulnerabilities had increased.

AMD released a brief statement on the disclosure:

We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.

The peculiarities of the circumstances surrounding the release do not end there, however. An organization called "Viceroy Research Group" published a document titled "AMD - The Obituary," which bandies about terms like "negligent," "fatal," "glaring oversight," and "outright dangerous" and concludes with the staggeringly heavy-handed proclamation that "the meteoric rise of AMD's stock price now appears to be totally unjustified and entirely unsustainable. We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries."

Viceroy is undoubtedly part of the story, in the disclosure of these vulnerabilities. The Viceroy website lists no contacts or organization members, and appears to be hosted by The 33-page document itself raises questions, as it was published within hours of the disclosure by CTS. This would not be possible without significant advance access, though AMD only received one day of notice.

This is not the first document produced by Viceroy, however. Viceroy previously published a document detailing accounting irregularities with the South African retail conglomerate Steinhoff. This situation has led to the resignation of the CEO, and the loss of almost 90% of market valuation, according to Bloomberg.

An investigation by the South African financial news website Moneyweb indicated that Viceroy is operated by Gabriel Bernarde, a former analyst at restructuring firm Ferrier Hodgson, his classmate Aidan Lau, and Fraser John Perring, a social worker who was struck off the HCPC register in 2014 following misconduct and falsifying of records.

Security researcher Arrigo Triulzi summarized the disclosure report on Twitter.

TechRepublic contacted both AMD, but did not receive a response by press time.

Update: CTS Labs cofounder Yaron Luk provided this statement:

I am very proud of the work our team has done. We have been able to identify critical flaws in processors that could put millions of consumers at risk. We have verified our results carefully both internally and with a third-party validator, Trail of Bits. We delivered a full technical description and proof of concept of the vulnerabilities to AMD, Microsoft, Dell, HP, Symantec and other security companies. Disclosing full technical details would put users at risk. We are looking forward to AMD's response to our findings.

Meanwhile, Linus Torvalds wrote an excoriating post about the disclosure on Google+.
