An Israeli security firm may have found 13 security flaws in AMD processors. The problem? It only gave the chipmaker 24 hours to fix the vulnerabilities before making them public.
On Tuesday, CTS-Labs decided to disclose the bugs with a splashy website and stylish graphics to boot. However, the short disclosure time means that AMD itself is still trying to confirm whether the vulnerabilities are real.
“We are investigating this report, which we just received, to understand the methodology and merit of the findings,” AMD said in an email.
The situation is certainly not ideal and raises questions over whether the Israeli security firm had the public’s best interest in mind with Tuesday’s disclosure. But to be clear, the vulnerabilities may indeed be legit.
One respected security researcher, Dan Guido, has verified the findings; however, CTS-Labs did pay him for the work. The vulnerabilities have been found in AMD’s Ryzen and EPYC branded chips, which are used in servers, desktops and laptops.
The most serious flaw deals with a security protection built into the processors. CTS-Labs claims a bad actor could exploit this vulnerability to permanently install malware onto the chips.
Other flaws can let a hacker move from one compromised computer to another, gain access over the entire system, and execute malicious code. In addition, CTS-Labs alleged that the Ryzen chipsets are shipped with manufacturer-created backdoors that can let a bad actor inject malware like a keylogger onto the affected computer.
Fortunately, there is some good news. Guido tweeted that all the vulnerabilities require a hacker to first gain administrative privileges (or root access) to the computer. This can be done if the attacker can trick you into installing some malware.
The other piece of good news is that the security firm CTS-Labs decided to redact the technical information around the vulnerabilities. This will help prevent hackers from exploiting the flaws. But on the flip side, outside experts have had no way to quickly reproduce and confirm the findings.
CTS-Labs so far hasn’t responded to questions from PCMag about Tuesday’s disclosure. The company is relatively unknown and was founded only in 2017.
But what’s clear is that CTS-Labs took some time to develop its slick website about the vulnerabilities, which says the security firm revealed the problems to warn the public. It goes on to claim that AMD may need several months to fix the flaws.
However, that same website also includes a disclaimer that suggests CTS-Labs may stand to benefit financially from Tuesday’s disclosure by betting against AMD’s stock.
“We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports,” the disclaimer says. (On the same day, one short seller also published a report, calling the uncovered flaws fatal to AMD’s business.)
The whole episode is raising eyebrows across the IT security community. Jon Bottarini, a technical program manager at bug bounty program provider HackerOne, said the incident has been a case study in “what not to do” when it comes to reporting security vulnerabilities.
“Responsible disclosure should be the prime directive for security researchers, and by only allowing AMD 24 hours to respond before CTS-Labs notified the press, CTS stood to do more harm than good,” he said in an email.
Others have pointed out that CTS-Labs tried to leverage press coverage to promote the vulnerabilities, even as the flaws have yet to be fully verified and understood.
“The only real public exploit here at the moment is a press exploit. This situation should not be happening,” wrote Kevin Beaumont, a UK-based security expert, in a blog post.