This year started with the arrival of the Meltdown and Spectre processor flaws. That’s now old news. Brace yourself for a bunch of new processor flaws. There are four new buzzwords this time, all affecting AMD processors: RyzenFall, MasterKey, Fallout and Chimera.
These new flaws were announced by CTS Labs, a Tel Aviv-based cyber-security research firm and consultancy company. As with other much-publicised security vulnerabilities, CTS Labs has made a website for these AMD processor flaws: AMDFlaws.
You are affected if you use an AMD Ryzen CPU or EPYC CPU.
There are actually thirteen vulnerabilities, grouped into the four categories named above, i.e., RyzenFall, MasterKey, Fallout and Chimera. The flaws are in the AMD Secure Processor, affecting EPYC and Ryzen processors. There are also flaws in the AMD Ryzen Chipset, a central component on Ryzen and Ryzen Pro workstations.
The manner of CTS Labs’ disclosure of these vulnerabilities is at least a bit questionable. They only contacted AMD one day before going public with their vulnerability disclosure. In the case of Meltdown and Spectre, Intel and their partners had a 200-day lead. The Register spilled the beans ahead of the originally planned announcement, after they made a discovery from Linux kernel commits.
Regardless of CTS Labs’ motive, and the lack of complete, detailed, public full disclosure, the vulnerabilities are likely to be real.
While Meltdown and Spectre are major enough issues, the vulnerabilities in AMD’s Secure Processor are even more disturbing. The nature of a Secure Processor, like the iPhone’s Secure Enclave, requires it to be secure and impenetrable, so that it can process highly sensitive information that the main processor is unsuited to handle. AMD’s Secure Processor, however, has a series of critical flaws that attackers could exploit to steal sensitive secrets. That defeats the whole point of such a security component.
There’s perhaps some good news for some people. The flaws affect AMD processors. They’re not as ubiquitous as Intel processors. Perhaps you don’t even own or use any device with an AMD processor. Ouch.