American Megatrends Response to the CTS-Labs Advisory of 13 Security Flaws in AMD Ryzen and EPYC Processors

Monday: March 19, 2018

NORCROSS, GEORGIA, USA - American Megatrends Inc. (AMI), a global leader in BIOS and UEFI firmware, server and remote management tools, data storage products and unique solutions based on the Linux® and Android™ operating systems, has released a statement in response to the recent news of security flaws discovered by CTS-Labs in the AMD Ryzen™ and EPYC™ processor lines.

Recently, a report came out that a security company, CTS-Labs, discovered potential security flaws in the AMD Ryzen and EPYC processor lines and gave AMD 24 hours’ notice that the information was going to be released publicly. Typically, the software industry allots a 3-6 month period before information is released to the public, allowing the affected company to mitigate the issues and preserve end-user confidentiality. According to a news article covering the topic of these potential security flaws, "CTS-Labs cite that American Megatrends, a common BIOS provider for Ryzen systems, makes a BIOS re-flash very easy, assuming the attacker has a compatible BIOS". In response to this statement, AMI would like to provide some clarification and address concerns that may arise when it comes to secure BIOS update processes.

AMI would like to reassure users of AMI's products that AMI makes security a top priority when it comes to its products and services. AMI has in fact made the BIOS update process easy for its end users with various security protocols in place to prevent malicious and/or unauthorized BIOS updates. It is important to note that the update process is "easy" only when using the original BIOS images from the motherboard manufacturers. If the BIOS image has been compromised/tampered with by an unknown source, the update process will reject the update, no changes will be made to the BIOS and BIOS re-flash will most certainly not be easy. The only way an attacker can have a "compatible BIOS" is if the attacker had access to the secret, private key of the motherboard manufacturer. This key is secret and private, only available to the motherboard manufacturer; therefore, it is not accessible to the public or potential attackers.

It is understandable that in light of recent news about security vulnerabilities, users are concerned when reports like these come out. However, users of AMI's BIOS should not be concerned about these reports because as mentioned previously, AMI's update process makes it so that only motherboard manufacturers can provide BIOS updates and unknown updates will be rejected. Most security firms withhold publicly releasing information regarding security holes, flaws and so on for months. In our industry, 24-hour notice is unheard of.

AMI stands with our technology partners, such as AMD, to help create a secure computing world.

To learn more about Aptio V UEFI Firmware from American Megatrends, please visit http://ami.com/products/bios-uefi-firmware/aptio-v/.

AMD, AMD Ryzen and AMD EPYC are trademarks of Advanced Micro Devices, Inc. in the United States and other countries. All other trademarks are property of their respective owners.

About AMI

Founded in 1985 and known worldwide for AMIBIOS®, American Megatrends (AMI) supplies state-of-the-art hardware, software and utilities to top-tier manufacturers of desktop, server, mobile and embedded systems for both X86 and ARM based platforms. AMI's industry leading Aptio® V UEFI BIOS firmware, MegaRAC® remote server management tools and solutions based on the popular Windows, Android™ and Linux® operating systems continue to garner industry acclaim and awards around the world. In line with the diversity of its technology and product line, AMI is a member of a number of industry associations and standards groups, such as the Unified EFI Forum (UEFI), the Intel® Internet of Things Solutions Alliance and the Trusted Computing Group (TCG). Headquartered in Norcross, Georgia, AMI has locations in the U.S., China, Germany, India, Japan, Korea, Taiwan and Hong Kong to better serve its customers.

For more information on AMI, its products or services, call 1-800-U-BUY-AMI or visit ami.com.

Statement of Liability: © 2019 American Megatrends Product specifications are subject to change without notice. Products mentioned may be trademarks or registered trademarks of their respective companies. All rights reserved. No warranties are made, either express or implied, with regard to the contents of this work, its merchantability or fitness for a particular use. This publication contains proprietary information, which is protected by copyright. American Megatrends reserves the right to update, change and/or modify this product at anytime.

TOP