AMI Response to the CTS-Labs Advisory of 13 Security Flaws in AMD Ryzen and EPYC processors
Recently, a report came out that a security company, CTS-Labs, had discovered potential security flaws in the AMD Ryzen and EPYC processor lines and had given AMD 24 hours' notice before releasing the information publicly. The software industry typically allows a 3-6 month period before such information is made public, so that the affected company can mitigate the issues and protect its end users. A news article covering these potential flaws stated that "CTS-Labs cite that AMI, a common BIOS provider for Ryzen systems, makes a BIOS re-flash very easy, assuming the attacker has a compatible BIOS". In response to this statement, AMI would like to clarify how its BIOS update process is secured and address concerns that may arise about it.
AMI would like to reassure users of its products that security is a top priority in everything AMI ships. AMI has made the BIOS update process easy for end users while keeping security controls in place to prevent malicious or unauthorized BIOS updates. It is important to note that the update is "easy" only for original BIOS images released by the motherboard manufacturer: before any change is made to the flash, the update process verifies that the image was signed by the manufacturer. If the image has been modified or tampered with by an unknown party, that verification fails, the update is rejected, no changes are made to the BIOS, and a BIOS re-flash is most certainly not easy. The only way an attacker could produce a "compatible BIOS" is by obtaining the motherboard manufacturer's private signing key. That key is held only by the motherboard manufacturer and is not accessible to the public or to potential attackers.
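To make the point above concrete, the following is an added illustration of a signature-verified firmware update flow; it is example code written for this page and is not AMI's or any motherboard manufacturer's code. It assumes an ECDSA P-256 signature over the SHA-256 digest of the image (the page does not state which algorithm AMI uses, so that choice, the key names and the constructed "BIOS image" bytes are assumptions). The only trust anchor the update side holds is the manufacturer's public key; an image that has been tampered with, or re-signed with an attacker's own key, is rejected before anything is written.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// TrustAnchor is what the update tool or firmware ships with: the
// manufacturer's public key only. The private half never leaves the OEM.
type TrustAnchor struct {
	OEMPublic *ecdsa.PublicKey
}

// SignImage models the manufacturer's release step: hash the image and sign
// the digest with the OEM private key.
func SignImage(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyImage is the check the update process performs before touching the
// flash. It returns true only if sig is a valid OEM signature over image.
func VerifyImage(anchor TrustAnchor, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(anchor.OEMPublic, digest[:], sig)
}

// Demo walks through the three cases discussed on the page and returns the
// verification outcome for each: a genuine OEM image, the same image with one
// byte altered, and an image signed with a key the attacker generated himself.
// Keys and the image are constructed here for the example (assumption: a real
// image is a full firmware volume, not this placeholder).
func Demo() (genuine, tampered, attackerSigned bool, err error) {
	oemKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	anchor := TrustAnchor{OEMPublic: &oemKey.PublicKey}

	// Constructed stand-in for a BIOS image released by the manufacturer.
	image := bytes.Repeat([]byte("EXAMPLE-BIOS-IMAGE-v1.00 "), 64)
	sig, err := SignImage(oemKey, image)
	if err != nil {
		return false, false, false, err
	}
	genuine = VerifyImage(anchor, image, sig)

	// Case 2: attacker patches a single byte of the genuine image but keeps
	// the OEM signature. The digest no longer matches, so the update is refused.
	patched := append([]byte(nil), image...)
	patched[100] ^= 0xFF
	tampered = VerifyImage(anchor, patched, sig)

	// Case 3: attacker builds his own image and signs it with his own key.
	// The signature is valid for his key, but the update side only trusts
	// the OEM key, so it is refused as well.
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	attackerSig, err := SignImage(attackerKey, patched)
	if err != nil {
		return false, false, false, err
	}
	attackerSigned = VerifyImage(anchor, patched, attackerSig)
	return genuine, tampered, attackerSigned, nil
}

func main() {
	g, t, a, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine OEM image accepted: %v\n", g)
	fmt.Printf("tampered image accepted:    %v\n", t)
	fmt.Printf("attacker-signed accepted:   %v\n", a)
}
```

The design point is that the verifier holds no secret at all; it cannot forge a signature, and neither can anyone who reads it out of the flash. Everything therefore rests on two things the page also relies on: the OEM private key staying private, and the check in VerifyImage running on every update path, including any vendor tool that writes the flash directly.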
It is understandable that, in light of recent news about security vulnerabilities, users are concerned when reports like these appear. However, users of AMI's BIOS should not be concerned by this particular claim because, as described above, AMI's update process accepts only images signed by the motherboard manufacturer and rejects any unknown or modified image. Most security firms withhold public release of information about security holes and flaws for months to allow a fix to be prepared. In our industry, 24-hour notice is unheard of.
AMI stands with our technology partners, such as AMD, to help create a secure computing world.