AMD Discloses New CPU Flaws that can Enable Data Leaks via Timing Attacks
Anonymous Coward writes:
Four newly revealed vulnerabilities in AMD processors, including EPYC and Ryzen chips, expose enterprise systems to side-channel attacks. CrowdStrike warns of critical risks despite AMD's lower severity ratings.
AMD has disclosed four new processor vulnerabilities that could allow attackers to steal sensitive data from enterprise systems through timing-based side-channel attacks. The vulnerabilities, designated AMD-SB-7029 and known as Transient Scheduler Attacks, affect a broad range of AMD processors, including data center EPYC chips and enterprise Ryzen processors.
The disclosure has immediately sparked a severity rating controversy, with leading cybersecurity firm CrowdStrike classifying key flaws as "critical" threats despite AMD's own medium and low severity ratings. This disagreement highlights growing challenges enterprises face when evaluating processor-level security risks.
The company has begun releasing Platform Initialization firmware updates to Original Equipment Manufacturers while coordinating with operating system vendors on comprehensive mitigations.
The vulnerabilities emerged from AMD's investigation of a Microsoft research report titled "Enter, Exit, Page Fault, Leak: Testing Isolation Boundaries for Microarchitectural Leaks." AMD discovered what it calls "transient scheduler attacks related to the execution timing of instructions under specific microarchitectural conditions."
These attacks exploit "false completions" in processor operations. When CPUs expect load instructions to complete quickly but conditions prevent successful completion, attackers can measure timing differences to extract sensitive information.
"In some cases, an attacker may be able to use this timing information to infer data from other contexts, resulting in information leakage," AMD stated in its security bulletin.
Read more of this story at SoylentNews.