Following recent heated attention over possible flaws in AMD processor chips, Check Point Research was privately approached by the source of these controversial findings, CTS Labs, and was asked to verify their existence.
It is important for us to note that Check Point has absolutely no relationship, neither current nor previous, with CTS Labs, neither were we paid to review their findings.
We do not agree in any way with how CTS Labs’ research was published, and find it very irresponsible. However, we do believe that if the claims made in the publication are found to be correct then it may raise several issues worth discussing, regardless of the way it was handled or reported
Having received the original AMD hardware upon which the research is based, along with the technical details of the vulnerabilities, RYZENFALL-1 and RYZENFALL-3, we were able to successfully review the vulnerabilities and have concluded the following:
- RYZENFALL-1: An attacker running on the PC with the capabilities to read and write physical memory (i.e. kernel privileges), can write a small amount of constant uncontrolled data to a chosen protected physical memory address with the permissions of the PSP’s DMA mechanism, limited by its built-in restrictions.
For example, an attacker could overwrite the SMM memory on a machine with vulnerable firmware.
- RYZENFALL-3: An attacker running on the PC with the capabilities to read and write physical memory (i.e. kernel privileges), can read a controlled amount of protected physical memory from a chosen address with the permissions of the PSP’s DMA mechanism, limited by its built-in restrictions.
For example, an attacker could read SMM memory on a machine with vulnerable firmware.
Note: Since the hardware we received was PC based, we could not verify the rest of the vulnerabilities which are based on the server CPU versions.
To conclude, in our opinion the original CTS Labs report might have been problematically phrased in a way that misrepresented the threat model and impact that the RYZENFALL-1 and RYZENFALL-3 vulnerabilities present.
However, problematic phrasing aside, after inspecting the technical details of the above, we can indeed verify that these are valid vulnerabilities and the risks they pose should be taken under consideration.