AMD Responds To CPU Security Flaw Report


    AMD has finally issued a full response to CTS Labs’ report that Ryzen and EPYC processors contain a total of 13 security flaws. Here’s the short version of the chipmaker’s response:
    • Exploitation of the vulnerabilities requires admin access
    • The vulnerabilities have to do with firmware and chipsets, not the x86 architecture
    • Patches are coming in the form of BIOS updates and firmware patches only--no microcode updates are required--via OEMs and ODMs
    • All issues will be addressed within “weeks,” but we strongly infer that AMD is aiming for 90 days or less
    • There is no expected performance impact

    The whole story was strange from the beginning. CTS Labs issued a red-alert type of report stating that AMD’s Ryzen and EPYC processors had numerous vulnerabilities, but it gave AMD just 24 hours to respond instead of the industry-norm 90 days. The firm also refused to release the full details of its findings, so only one entity--a security firm--was able to evaluate the assertions independently.




    In the post, AMD’s Mark Papermaster wrote in part:
    The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

    Papermaster also addressed the access issue--that is, in order for the vulnerabilities to be exploitable, one would need metal access. He stated:
    Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues.

    CTS Labs has made it seem as though an enterprise-level threat is a real possibility, but when AnandTech pressed the issue, CTS Labs clarified:
    To be honest with you, in that particular situation [running a virtual machine on a server], the vulnerabilities do not help you very much. However if a server gets compromised and the cloud provider is relying on secure virtualization to segregate customer data by encrypting memory, and someone runs an exploit on your server and breaks into the SP, they could tamper with this mechanism and this mechanism.

    Note that in AMD’s response, it condensed CTS Labs’ four threat categories into three. In all three, AMD stated that admin access is required, and all the attacks would require that the system’s security has already been compromised.

    Expect all patches to arrive via AMD’s ODM and OEM partners within the next 90 days.

    Source: tomshardware