13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

[anubis44]

The longer you leave up this fake security news article, the less likely it becomes that I'll keep visiting this site.

 

[lexluthermiester]

The longer you leave up this fake security news article, the less likely it becomes that I'll keep visiting this site.

This is not fake news. Much of it has either been verified or is looking very plausible. But if you want to leave, your loss..

 

[ikeke]

Even if everything they say turns out to be truth then it still leaves the question why they gave AMD less than 24h notification on these before publishing "amdflaws" and why none of this was validated by independant review before going public.

These two, along with references to personal profit they may gain from publishing the alleged exploits, do not paint them as security researchers. More like guns for hire.

 

[anubis44]

This is not fake news. Much of it has either been verified or is looking very plausible. But if you want to leave, your loss..

It's utter garbage. You have to be sitting at the computer AND know the admin password to do any of these. If somebody gets admin rights and is sitting at your computer, you're ALREADY screwed. This was a stock market short-sell hit piece plain and simple. Please just accept this and move on. Nothing to see here.

HW News: CTS Labs Avoids Questions

Linus Torvalds slams CTS Labs over AMD vulnerability report
Linux's creator said he thinks CTS Labs' AMD chip security report "looks more like stock manipulation than a security advisory" and questions an industry.
http://www.zdnet.com/article/linus-torvalds-slams-cts-labs-over-amd-vulnerability-report/

Evidence Suggests Report on AMD Security Was Financially Motivated
https://wccftech.com/report-alleges-amd-ryzen-epyc-cpus-suffer-13-fatal-security-flaws/

 

[lexluthermiester]

It's utter garbage. You have to be sitting at the computer AND know the admin password to do any of these. If somebody gets admin rights and is sitting at your computer, you're ALREADY screwed.

As most of these problems are aimed at remote attack vectors it would seem you have not been reading up on the details of these vulnerabilities.

This was a stock market short-sell hit piece plain and simple.

Conspiracy theory. Even if true, such efforts didn't work on any level.

Please just accept this and move on.

Oh please.

Nothing to see here.

As several of these vulnerabilities have been verified, there is very clearly something "to see" and be concerned about. If you want to bury your head in the sand that's your choice. The rest of us will be responsible, stay objective and focus on facts & evidence.

 

[Totally]

As most of these problems are aimed at remote attack vectors

That are not executable without aforementioned password and physical access to computer. ATM to me it would be like a car thief stealing a car by smashing in a window after finding the door unlocked with the keys in the ignition.

The rest of us will be responsible, stay objective and focus on facts & evidence.

Your opinion has clearly gone a bit beyond that.

 

[lexluthermiester]

That are not executable without aforementioned password and physical access to computer.

Not a difficult task depending on the target and goal. You'd be surprised how vulnerable most systems are to directed remote attacks and how easy it is to gain admin access.

Your opinion has clearly gone a bit beyond that.

My opinion is that of focusing on the problems presented by the vulnerabilities, not on the politics or brand loyalties of the companies involved. The motivations of the actors behind the discoveries are irrelevant to the discoveries themselves.

The perspectives offered by "anubis44" focus on the politics of the people making the discoveries rather than the facts and details of the discoveries themselves, which is not helpful or constructive. "abubis44" is also calling out TPU for reporting on the information claiming some sort of bias or defaming effort on their part which is complete rubbish and narrow minded thinking. Again, not helpful or constructive. TPU is reporting information as it comes to light and doing a damn good job keeping updated and up to speed with developments as they occur. "anubis44" also made a veiled "threat" of abandoning the site if they didn't discontinue what "anubis44" considers unacceptable. My response to that sad little remark implied "don't let the door hit you on the way out".

The occurrence of "certain" people "getting outraged" over silly things that ultimately don't matter has been on the rise lately. The staff have had to deal with it even more than us users. Both groups are getting tired of it.

Even if everything they say turns out to be truth then it still leaves the question why they gave AMD less than 24h notification on these before publishing "amdflaws" and why none of this was validated by independent review before going public.

The technical details were not released with the announcement, only the conceptual details. This seems to be a continuing misunderstanding on the part of the general public. The technical details and proof of concept samples were only released to AMD and other responsible party's/entity's to be validated and fixed. The announcement was the only part of this release that was done with only 24hr notice, which CTS Labs admitted they could have handled better. Everything else was handled in a seemingly appropriate manner.

Trying to vilify and berate a group for what is clearly a minor mistake by conjuring up fanciful conspiracies is an effort of foolishness, not objectivity.

 

[ikeke]

I'm still calling BS on the excuses.

Giving someone 90d headsup on allegedly critical flaw vs taking the time to craft a web site and videos with greenscreen just to paddle some FUD, not to mention some stock shortseller pushing 20+ page FUD article minutes after you go public? Yeah, all good...

https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs

IC: Would there be any circumstance in which you would be willing to share the details of these vulnerabilities and exploits under NDA with us?
YLZ: We would love to, but there is one quirk. According to Israel export laws, we cannot share the vulnerabilities with people outside of Israel, unless they are a company that provides mitigations to such vulnerabilities. [ikeke:this is BS] That is why we chose the list. But look, we are interested in the validation of this – we want people to come out and give their opinion, but we are only limited to that circle of the vendors and the security companies, so that is the limitation there.

And, to repeat myself, if they want to see how AMD is "unable" to fix issues then perhaps someone can point them towards latest example that i know of, which is a fix for, well-well AMD-PSP
http://seclists.org/fulldisclosure/2018/Jan/12

 

[lexluthermiester]

@ikeke
That comment showcases what I was saying. Your complaint focus's on the politics of the company that made the discoveries instead of the technical details of the discoveries themselves. Not saying you're wrong either. The way CTS conduced themselves was very much less than ideal. However one could also say that they knew what they had on their hands, knew it would be a big deal and made efforts beforehand to be prepared with presentations. The only real problem I see is the way they handled the announcement. Not buying into this conspiracy nonsense one bit.

This kind of thing has happened before. Someone makes a discovery, knows it's big, prepares for the announcement and disclosure of such and then messed up the timing of it of all. This has happened in all area's of society, not just the tech sector. Intel, AMD, Nvidia, IBM, HP, Dell, etc, etc have all made these kinds of mistakes. Call it what it is and lets move on..

 

[ikeke]

But them saying that they "messed up" and the available facts do not add up.
Too many inconsistencies.
Im not one to veer into conspiracies but they have shown way too many markers for bad intentions and against accidental mishap. Claiming to have "16 years of experience" and then this? Yeah, right.

https://www.gamersnexus.net/industry/3264-hw-news-cts-labs-update-r5-2600x-specs-dead-wafers-more

One of our questions was about NineWells Capital, with which CTS Labs CFO Yaron Luk-Zilberman has held a position. We asked what the relationship was between NineWells Capital, a hedge-fund firm, and CTS Labs. The company provided this statement: “NineWells Capital is a long-oriented financial partnership that was managed by our CFO, Yaron Luk-Zilberman. He no longer actively manages that partnership. NineWells has no financial position in AMD, Intel, or any other semiconductor company.”

We are still waiting for clarity on this. Some digging revealed an SEC document that lists Yaron Luk-Zilberman as President of NineWells Capital as recently as March 8, 2018, just days before CTS Labs released its exploit list. We can’t make links at this time, but we have asked for clarity on this point. Luk-Zilberman was also listed on the CTS-Labs website as a Managing Director of NineWells Capital.

Regarding Viceroy, we asked this question: “What is CTS Labs' affiliation with Viceroy Research? Did Viceroy commission CTS Labs for this report? Have the two companies had any previous connections or affiliation?”

The response was as follows: “"Viceroy is not a client of CTS. We did not send Viceroy our report. For any additional questions, please ask Viceroy."

Unfortunately, this response side-steps half the other questions -- like our question about the affiliation between Viceroy Research and CTS Labs. There is some affiliation, even if unofficial or distant. Viceroy Research is on-record with Reuters stating that they received the CTS Labs research document prior to launch, via leak, and took a “sizeable short” on AMD as a result. Given the small size of CTS Labs, it’s interesting that a leak would happen to such a specific firm.

 

[R0H1T]

@ikeke
That comment showcases what I was saying. Your complaint focus's on the politics of the company that made the discoveries instead of the technical details of the discoveries themselves. Not saying you're wrong either. The way CTS conduced themselves was very much less than ideal. However one could also say that they knew what they had on their hands, knew it would be a big deal and made efforts beforehand to be prepared with presentations. The only real problem I see is the way they handled the announcement. Not buying into this conspiracy nonsense one bit.

This kind of thing has happened before. Someone makes a discovery, knows it's big, prepares for the announcement and disclosure of such and then messed up the timing of it of all. This has happened in all area's of society, not just the tech sector. Intel, AMD, Nvidia, IBM, HP, Dell, etc, etc have all made these kinds of mistakes. Call it what it is and lets move on..

I think the problem, for many on this forum & elsewhere, is that CTS hasn't disclosed the more technical details & PoC to the public or even the press. So there's no way to know how serious they are, like flash 0day level or closer to spectre/meltdown wrt PSP & ASMedia chipsets.

If they are really serious about helping us, then why not tell us what's wrong & how bad is it? I have a Z97 with 2 Asmedia USB ports, am I safe(r) after these disclosures?

 

[R-T-B]

physical access to computer.

Can we please stop repeating this? It's not what the report claims.

At this point the best we can do is wait and see. But the fact that AMD did not debunk this immediately firmly takes it out of the "fake news" category in my eyes, FWIW.

 

[lexluthermiester]

But them saying that they "messed up" and the available facts do not add up. Too many inconsistencies. I'm not one to veer into conspiracies but they have shown way too many markers for bad intentions and against accidental mishap. Claiming to have "16 years of experience" and then this? Yeah, right.

That assumes that all of the information has been disclosed. It hasn't so a lot of assumptions are being made. And 16 years might be collective for all of the people involved. Again, this information focuses on the politics of the people involved instead of the merit of the vulnerabilities disclosed, which we already know some of them to be valid.

I think the problem, for many on this forum & elsewhere, is that CTS hasn't disclosed the more technical details & PoC to the public or even the press. So there's no way to know how serious they are, like flash 0day level or closer to spectre/meltdown wrt PSP & ASMedia chipsets.

Correct, they didn't! And that is what is responsible about it. They released only the conceptual descriptions of the vulnerabilities to the public, not the full technical details.

 

[R-T-B]

Correct, they didn't! And that is what is responsible about it. They released only the conceptual descriptions of the vulnerabilities to the public, not the full technical details.

That is the big point people seem to miss about why the "60 day disclosure warning" did not occur here, isn't it?

The big difference here is: They aren't disclosing it to the public at all. Period.

 

[R0H1T]

That assumes that all of the information has been disclosed. It hasn't so a lot of assumptions are being made. And 16 years might be collective for all of the people involved. Again, this information focuses on the politics of the people involved instead of the merit of the vulnerabilities disclosed, which we already know some of them to be valid.

Correct, they didn't! And that is what is responsible about it. They released only the conceptual descriptions of the vulnerabilities to the public, not the full technical details.

And I'll refer you back to the post where 4 different researchers found spectre/meltdown within a space of 3 to 6 months after GPZ first reported it.
If there's a flaw, chances are ~ it was already known or will be uncovered quickly by those who want to exploit it.

 

[ikeke]

Anything accidental goes out the window with the original diclaimer where they say, that they have financial interest in companies affected by these exploits.
edit: NineWells Capital + Viceroy

https://amdflaws.com/disclaimer.html
Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

 

[lexluthermiester]

If there's a flaw, chances are ~ it was already known or will be uncovered quickly for those who want to exploit it.

There is one glaring flaw with that logic, Meltdown existed for nearly a decade before being discovered and there are still no known exploits for it, only the potential for such. Spectre was even longer starting in mid-90's with the first Pentium, K6 and ARM CPU's and again no known exploits to date.

Anything accidental goes out the window with the original disclaimer where they say, that they have financial interest in companies affected by these exploits.

Again, those are the politics of the problems, not the applied technicalities of such.

The reality is that the circumstances of the discovery of these vulnerabilities are irrelevant. The impact of them is the only relevant information we in the tech sector need worry about. Are they real and if so, how bad are they? Will they affect consumers, prosumers, enterprise sectors or perhaps all? Can they be fixed in software or will hardware revisions need to be made? These are the type os questions we need to be asking and concern ourselves with. Any else is just drama and fluff.

 

[R0H1T]

There is one glaring flaw with that logic, Meltdown existed for nearly a decade before being discovered and there are still no known exploits for it, only the potential for such. Spectre was even longer starting in 1993 with the first Pentium, K6 and ARM CPU's and again no known exploits to date.

Yes because it's nigh impossible to detect spectre or meltdown, surely you remember the dicussion we had? The OS throws no exception, there's no AV red flags or anything else, even when say a rogue JS code is eavesdropping on your passwords.

This exploit basically requires admin privileges, as well as overwriting BIOS (in case of Masterkey) & a whole host of things you'd avoid anyway so far as competent enterprises are concerned. Also wasn't the whole Asmedia backdoor thing known for many years, by CTS?

 

[ikeke]

Hm, Meltdown and Spectre are not seriuous enough due to there being no known exploits (and after they were discovered all procedures were followed, fixes were in pipeline before the flaws leaked) but "Amdflaws" are really serious since there are no known exploits (but they were revealed without following procedures and informing affected parties beforehand to look for possible fixes).

I struggle to follow the logic.

Asmedia flaw (edit: could possibly) affect (s) tens of millions of Intel motherboards, just FYI.

 

[lexluthermiester]

This exploit basically requires admin privileges

Again, not as difficult to achieve as one might think.

(but they were revealed without following procedures and informing affected parties beforehand to look for possible fixes)

Not true. The only things announced to the public were the existence of the vulnerabilities and the conceptual ideas behind them. The technical details were given only to responsible companies/entities to be researched, verified and fixed.

Asmedia flaw affects tens of millions of Intel motherboards, just FYI.

That is very possible and very worrisome. It's enough of a problem that I'm now actively looking to see if motherboards have AsMedia parts and avoiding them.

 

[ikeke]

Without CTSlabs giving the headsup and admitting they are to gain from these exploits - i struggle to see beyond FUD as a reason instead of "whoops".

edit: and they did not mess up the timing, they timed it to hit before Ryzen refresh with no headsup to AMD but with enough headsup to Viceroy to write a 20+ page FUD article. I'd say it's timed perfectly, for someone to short AMD.

 

[R-T-B]

Also wasn't the whole Asmedia backdoor thing known for many years, by CTS?

It's been known by everyone for a while. ASMedia was literally fined over it. They aparently did not learn, and copy-pasted the same code into the Ryzen chipset.

 

[Xzibit]

It's been known by everyone for a while. ASMedia was literally fined over it. They aparently did not learn, and copy-pasted the same code into the Ryzen chipset.

They still have 2 of the ones CTS-Labs listed on their site.

A lot of the Intel boards carried them as recent as the Z270 series.

 

[ikeke]

Since CTS-Labs also claim not to have any relation to Viceroy and yet Viceroy had enough headsup to time article perfectly to amdflaws website going public, then i would be very cautios about the claim that the exploits details were not shared with some still currently unknown party who could further profit from it or weaponize it.

Would fit this "security researcher for hire" more to sell 0-day to highest bidder.

(again, since AMD et al were not informed about the possible exploit then i see no other reasoning behind this but to give someone time for using it in the wild)

edit:
https://en.wikipedia.org/wiki/White_hat_(computer_security)
The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems.
https://en.wikipedia.org/wiki/Black_hat
A black hat hacker (or black-hat hacker) is a hacker who "violates computer security for little reason beyond maliciousness or for personal gain"

Tell me, which one describes actions by CTS-labs, currently? Again, as per their own disclaimer..

 

[R-T-B]

Since CTS-Labs also claim not to have any relation to Viceroy and yet Viceroy had enough headsup to time article perfectly to amdflaws website going public, then i would be very cautios about the claim that the exploits details were not shared with some still currently unknown party who could further profit from it or weaponize it.

Would fit this "security researcher for hire" more to sell 0-day to highest bidder.

(again, since AMD et al were not informed about the possible exploit then i see no other reasoning behind this but to give someone time for using it in the wild)

edit:
https://en.wikipedia.org/wiki/White_hat_(computer_security)
The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems.
https://en.wikipedia.org/wiki/Black_hat
A black hat hacker (or black-hat hacker) is a hacker who "violates computer security for little reason beyond maliciousness or for personal gain"

Tell me, which one describes actions by CTS-labs, currently? Again, as per their own disclaimer..

Considering they haven't released the bugs to the general public yet, I'd say "grey-hat" if anything, honestly.

They still have 2 of the ones CTS-Labs listed on their site.

A lot of the Intel boards carried them as recent as the Z270 series.

True. ASMedia needs a bigger fine, methinks.