AMD has officially confirmed the validity of the RyzenFall, MasterKey, Fallout, and Chimera vulnerabilities that came to light on March 12, and said it would be releasing patches in “the coming weeks.”
The company’s assessment of the four flaws is consistent with the original whitepaper published by Israeli security firm CTS Labs, and with third-party audits by Trail of Bits, Check Point, and CrowdStrike’s Alex Ionescu.
Because of the non-standard vulnerability disclosure process, many security experts believed the original CTS Labs report was an attempt to manipulate AMD stock, and that it therefore contained false or misleading bugs.
AMD officially confirms products are affected
AMD CTO Mark Papermaster effectively confirmed today that the flaws are real and do affect the AMD Ryzen and EPYC processor series.
More specifically, three of the flaws (MasterKey, Fallout, and RyzenFall) affect the AMD Platform Security Processor (PSP), a secure chip-on-chip processor similar to the Intel Management Engine (ME). The PSP is separated from the rest of the AMD processor at the hardware level and usually deals with secure data such as passwords, encryption keys, etc.
The last, Chimera, affects the AMD chipset (a motherboard component) that manages communication between the processor, memory, and peripherals, allowing attackers to execute code and relay false information to other components.
AMD says it had only one day to look at original report
AMD took a whole week to assess these flaws because CTS Labs gave the company only a day to read its report before going public with its findings.
AMD also dismissed the original severity of these flaws by pointing out, as the third-party investigators did, that these flaws need administrative access to be exploited. By contrast, the Meltdown and Spectre flaws did not need elevated privileges during exploitation.
Below is a table with AMD’s assessment of the MasterKey, Fallout, RyzenFall, and Chimera vulnerabilities and its plan of action. AMD promised more in-depth details about the patching process in the coming weeks.