Firmware patches are incoming for Masterkey, Ryzenfall, and Fallout vulnerabilities

Santa Clara-based semiconductor group Advanced Micro Devices (AMD) is developing firmware and BIOS updates to address the previously disclosed flaws in its Ryzen and Epyc chipsets.

AMD hit the headlines earlier this month, when previously little-known Israeli firm CTS Labs went public with what it described as 13 “critical security vulnerabilities and manufacturer backdoors” in the company’s processors.

As previously reported in The Daily Swig, CTS-Labs’ decision to give AMD just 24 hours’ notice before going public with its findings has thrown up new questions surrounding the ethics of security disclosures.

Ethics aside, a newly published technical assessment from AMD provides confirmation that the flaws do indeed exist, although the company reiterated the fact that the issues raised all require administrative access in order for an attacker to achieve a successful exploit.

“Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research,” said AMD.

After completing its assessment of the vulnerabilities, the manufacturer said firmware updates for the so-called ‘Masterkey’, ‘Ryzenfall’, and ‘Fallout’ issues will be released “in the coming weeks”.

Mitigating patches for the ‘Chimera’ backdoor will be released through a future BIOS update, with AMD stating that no performance impact is expected.

Pending the release of the updates, this post from Trail of Bits provides a useful summary of the difficulties associated with successfully exploiting these issues.

“There is no immediate risk of exploitation of these vulnerabilities for most users,” the report reads.

“Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers.”