Security researchers announced the Ryzen vulnerability and only notified AMD 24 hours in advance.
Since the emergence of Meltdown and Spectre, there has been heightened concern about potential security vulnerabilities in modern high-performance processors, especially those that handle the core and critical components of company business and international infrastructure. Today, CTS-Labs, an Israeli security company, published a white paper stating that there are potential vulnerabilities in four product lines: Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processors. CTS-Labs gave AMD only 24 hours' notice, instead of the typical 90 days of standard vulnerability disclosure. This left the company almost no time to respond, and no formal reason was given for shortening the time.
AMD has not yet confirmed any of the issues raised in the CTS-Labs white paper, so we cannot confirm whether these findings are accurate. We have noticed that some news media were notified of this issue in advance, perhaps before AMD was notified, and that the website set up by CTS-Labs for this issue was registered on July 6, February 22, a few weeks ago. Given the level of graphics on the website, it looks like a planned 'announcement' that has been in the works for a while, with seemingly little regard for AMD's response to the issue. This is in contrast to Meltdown and Spectre, which were shared with the affected companies several months before the planned public disclosure. CTS-Labs also hired a PR company to handle incoming requests for information, which is also an interesting approach, because it is not the path these security companies usually take. CTS-Labs is a security-focused research company that has not disclosed its customers or the research that led to this disclosure. CTS-Labs started in October 2017. This is their first public report.
The CTS-Labs claims revolve around AMD's security processor and Cape chipset and fall into four categories, which CTS-Labs has named for maximum effect. Each category has its own subdivisions.
All of these vulnerabilities require elevated administrator access. MasterKey can only be carried out by reflashing the BIOS. However, CTS-Labs goes on the offensive, stating that this raises questions about AMD's security practices, auditing and quality control, and saying "these vulnerabilities completely ignore the basic security principles". This is indeed strong wording, and some may expect them to wait for an official response. Another angle is that, given Spectre/Meltdown, the "one-day" disclosure was designed for the greatest impact. In any case, it was just enough time to develop a website.
AMD has issued a statement saying it is investigating the issue.