
CTS Labs Posts Some Clarifications on AMD "Zen" Vulnerabilities

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
46,376 (7.67/day)
Location
Hyderabad, India
Joined
May 19, 2009
Messages
1,823 (0.33/day)
Location
Latvia
If the attacker has admin access, he has won most of the battle already.
Is this a security hole? Yes. Are the huge, screaming names and shitty webpages inciting panic justified? Absolutely not.
 
Joined
Mar 7, 2011
Messages
3,931 (0.82/day)
I am really sad seeing these Low quality posts and attitude from TPU personnel!!
Let me explain:
Low quality posts from TPU staff - you basically gave free press (all they ever could have wanted) to stock price manipulators (multiple times - when a lot of other tech portals stopped after the first news, waiting for some more credible source confirmations).
Low quality attitude from TPU staff - sadly in this case self-explanatory :(
Let's not discuss TPU staff's IQ of regurgitating wccftech level news posts and this new bot based censoring system here on this post. If you want, create a thread in the general discussion forum.

That AnandTech interview raises more questions than answers. Also, people claiming AMD fanboys who blasted Intel for Spectre/Meltdown seem to have amnesia of events that took place when those bugs were discovered. Intel, AMD and ARM all had 6 months before the bugs were made known to the general public. Intel was the one who went to notify the Chinese and Amazon regarding the security holes to make additional measurements to improve their infrastructure. This CTS is just targeting AMD for ASMedia bugs which are in use with millions of Intel motherboards as well.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.58/day)
Location
Republic of Texas (True Patriot)
This CTS is just targeting AMD for ASMedia bugs which are in use with millions of Intel motherboards as well.

The way they write sounds more like a smear libel case though, aka a panic mode from a certain company...
 
Joined
Mar 10, 2014
Messages
1,793 (0.48/day)
It was very surprising that only AMD was targeted for use of ASMedia chips when those chips are a common factor across the industry. Every day more red flags are going up with regards to this mess.

Well, they are targeting the AM4 Promontory chipset, which is made by ASMedia, not by AMD itself, and it's in every AM4 board. So if that Chimera vulnerability is legit, it will affect all ASMedia chipsets out there.
 
Low quality post by DeathtoGnomes
Joined
Jul 16, 2014
Messages
8,117 (2.27/day)
Location
SE Michigan
I'll say it again, this is all to manipulate stock prices, mostly AMD, the smearing of AMD is just a bonus.
 
Joined
Mar 7, 2011
Messages
3,931 (0.82/day)
Well, they are targeting the AM4 Promontory chipset, which is made by ASMedia, not by AMD itself, and it's in every AM4 board. So if that Chimera vulnerability is legit, it will affect all ASMedia chipsets out there.
Acknowledged, all ASMedia based USB chipsets are vulnerable, yet still targeting just one specific company. If there is any concern it should be Intel MoBo, which has way higher market share, and they got 0 mention. Fishy AF.

CTS can spin this whatever they want. At least this end user is not buying into their BS.

Security experts, including Linus, weigh in on the situation after the AnandTech phone call.

https://www.realworldtech.com/forum/?threadid=175139&curpostid=175169


Let's see what they say after the TPU phone call.
 

AsRock

TPU addict
Joined
Jun 23, 2007
Messages
18,874 (3.07/day)
Location
UK\USA
The problem is AMD hasn't handled it well. AMD has had no comment other than their strange blog post acknowledging the investigation into the claimed vulnerabilities. That post wasn't even written in clear professional terms ("certain of our processors" and doesn't even have a date). Until AMD writes/speaks and either declares the vulnerabilities fake or explains complexity it will continue being a story and TPU needs to cover it. You don't get bona fide debunks from random users named "BiGchiCKens14", you get it from the company.

You what? AMD should not have to say anything, well, except what they have done and that they are looking into it. AMD did not even have a chance to test this out fully yet, and I am sure if they had 6 months like Intel did with the last vulnerabilities they would have had much more to say about it. But that was not the case here. CTS acted like A holes (I was thinking of a much more fitting word but) by giving AMD time to actually test their claims, which oddly enough are not willing to prove.

So the best thing to do is sit and wait until we get solid proof on the situation. I am sure AMD will do when the time is right, and these things take time, which they have not been given.
 
Joined
Sep 25, 2012
Messages
2,074 (0.49/day)
Location
Jacksonhole Florida
So the best thing to do is sit and wait until we get solid proof on the situation. I am sure AMD will do when the time is right, and these things take time, which they have not been given.
That's all we can do - but my concern is that in the meantime, all AMD systems may be vulnerable, especially the EPYC servers that are in use now, which could be spreading some of these exploits to other machines as we speak. That's why it was wrong for CTS to not wait a proper amount of time. Now that the exploits have been published, black hat hackers know what to target, and know there's no defense against it (for now).
 

AsRock

TPU addict
Joined
Jun 23, 2007
Messages
18,874 (3.07/day)
Location
UK\USA
That's all we can do - but my concern is that in the meantime, all AMD systems may be vulnerable, especially the EPYC servers that are in use now, which could be spreading some of these exploits to other machines as we speak. That's why it was wrong for CTS to not wait a proper amount of time. Now that the exploits have been published, black hat hackers know what to target, and know there's no defense against it (for now).

Well, that should be on CTS acting irresponsible, and they should be taken to the cleaners for acting the way they did. Sure, AMD need to do something and chances are they are doing all they can.

In the end it's not a good place to be in, but it's hardly AMD's fault, or at least proven. It's a shame AMD cannot get the courts or whoever to get CTS to hand over their findings to get this resolved ASAP. In fact, I think the government should step in and force them to do so.
 
Joined
Sep 25, 2012
Messages
2,074 (0.49/day)
Location
Jacksonhole Florida
It is AMD's fault, if you look at it objectively. They designed these chips on a shoestring budget (and did a good job, on the surface). But in these days of frequent major hacks, it was irresponsible of AMD to do so without considering possible vulnerabilities. Their budget didn't have room for millions of dollars worth of testing and validation, and shortcuts were obviously taken. But they're still responsible for these flaws (their quick success with Ryzen came at the expense of users' unwitting vulnerability to exploits). Just as Intel was ultimately responsible for the Spectre/Meltdown fiasco. Lack of due diligence on the part of both companies. Like with any product that causes damage or loss to someone - lawsuits are inevitable. And you certainly can't blame the consumers, all they did was trust a major company to do the right thing.
Also, CTS has already given AMD detailed examples of how to reproduce all the exploits (as stated in the original white paper). Isn't that what you mean by "handing over their findings"?
 

AsRock

TPU addict
Joined
Jun 23, 2007
Messages
18,874 (3.07/day)
Location
UK\USA
That's like saying it's Microsoft's fault that any of their OSes were not immune from viruses and whatever. There is always something else, always.

I guess they did somewhat of a decent thing then, giving that data to AMD, but still, they should be taken to the cleaners for being douchebags.
 
Joined
Sep 25, 2012
Messages
2,074 (0.49/day)
Location
Jacksonhole Florida
That's like saying it's Microsoft's fault that any of their OSes were not immune from viruses and whatever. There is always something else, always.

I guess they did somewhat of a decent thing then, giving that data to AMD, but still, they should be taken to the cleaners for being douchebags.
So AMD should sue CTS for causing them financial loss (drop in stock price because of negative publicity, if that actually occurs). Depends on whether they can convince a jury that it was intentional, or possibly presented in a negligent way. AMD stock went up the next day, now it's very slowly dropping. It will be very important that AMD puts the right spin on this, and they can't wait too long, or it makes it worse. I hope they do it right and weather this latest storm with no lasting damage. We need them to be healthy and competitive, to keep Intel and NVIDIA in check (and provide decent budget solutions).
 
Joined
Jul 16, 2014
Messages
8,117 (2.27/day)
Location
SE Michigan
So AMD should sue CTS for causing them financial loss (drop in stock price because of negative publicity, if that actually occurs). Depends on whether they can convince a jury that it was intentional, or possibly presented in a negligent way. AMD stock went up the next day, now it's very slowly dropping. It will be very important that AMD puts the right spin on this, and they can't wait too long, or it makes it worse. I hope they do it right and weather this latest storm with no lasting damage. We need them to be healthy and competitive, to keep Intel and NVIDIA in check (and provide decent budget solutions).

The lawsuit, if any, will prolly come after AMD confirms any/all CTS claims. CTS should be reported to the SEC as well for attempted stock manipulation. As for AMD stock, it's been on a steady decline for a while, and if you look at the charts, price spikes are very common. IMO, AMD doesn't have to put any spin on this, just face it head on.
 