Last week CTS-Labs dropped a bomb on AMD by disclosing 13 vulnerabilities in the Ryzen and EPYC processors. There's still a lot of uncertainty about the details and severity of these vulnerabilities, especially because the bugs require administrative access to a system in order to allow exploitation. In a new blog post, AMD acknowledges the bugs and promises firmware patches.
On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
These updates are expected in the coming weeks and should not lower performance.