13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

[_JP_]

Subjectively speaking, compared to Meltdown attack page, this one has waaaay too many AMD logos. Without reading the text, one might actually mistake it for an ad! Count me up holding a pitchfork if Intel turned out to have a hand in this.

Objectively speaking, smear campaign or no, a vulnerability is a vulnerability. I'm personally quite illiterate on this matter so I'll defer judgement until "for dummies-"style security expert blog posts and articles start popping up.

If proved true, the usual applies.
Common sense running programs and visiting the internet, make sure you have backups (cold ones preferably), patch as soon as possible.

When it can survive a reinstall it's still a big issue. If these flaws are confirmed they are fairly signifigant.

As I said earlier, 2018 is going to be a rough year for processor security...

Only if it's embedded in firmware, but to reach that far, so much needs to be compromised to begin with...

 

[biffzinker]

We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops.

http://ir.amd.com/news-releases/news-release-details/view-our-corner-street-0

 

[W1zzard]

http://ir.amd.com/news-releases/news-release-details/view-our-corner-street-0

Thanks! Updated the original post with this statement

 

[Boatvan]

I kinda agree with AMD's point of view in that news release. If it is truly the case, releasing the CVE's without telling the vendor first seems counterproductive. I wouldn't go as far as to say this is fishy, but like I said earlier, once it ends up on a more official channel, I'll be more inclined to believe it.

 

[ShurikN]

I like how @FordGT90Concept put more effort in investigating than the TPU editorial that published the article.

On a different note, stock actually rose. Not by much, and it looks stable at the moment, but nonetheless.

 

[xkm1948]

I like how @FordGT90Concept put more effort in investigating than the TPU editorial that published the article.

On a different note, stock actually rose. Not by much, and it looks stable at the moment, but nonetheless.


View attachment 98284

Agree. This entire thing feels like a huge PR scam from the Isreal based “security” firm.

 

[oxidized]

There always be flaws, there are 2 types, deliberate ones and unnoticed ones....

And we always know that when we're talking about AMD, it's ALWAYS the second. Unlike other companies...

 

[the54thvoid]

Agree. This entire thing feels like a huge PR scam from the Isreal based “security” firm.

No, it's all salty tears from us.

And yes, too many people trying to be 'no, this is a big thing' when really, it's not such a biggie given the practicality of the process involved in the security issue. And really, it's too glossy to be anything other than a negative PR campaign, NOT a bona fide security issue notice (like how Google played it's role last year with along NDA). This is threat PR. Only the naive folk here can't see that.

 

[Konceptz]

Wonder how much Intel paid for this?

 

[dicktracy]

The double standard is real. Let's jump the gun and defame the researchers because this is AMD and not Intel. Hell, the AMD defense force has yet to provide actual evidence to discredit each of those findings but somehow someway found a way to link this to Intel. This AMD circlejerk culture, even though it's a vocal minority, has to stop.

 

[oxidized]

Wonder how much Intel paid for this?

You can't even begin to imagine!

 

[Konceptz]

The double standard is real. Let's jump the gun and defame the researchers because this is AMD and not Intel. Hell, the AMD defense force has yet to provide actual evidence to discredit each of those findings but somehow someway found a way to link this to Intel. This AMD circlejerk culture, even though it's a vocal minority, has to stop.

Any evidence to credit said researchers? Ford pointed out many points that back up the smear campaign theory...that surprisingly is shared by a LOT of people across the web. Don't let my avatar fool you, my alliance is purely to price/performance ratio.

 

[TheoneandonlyMrK]

Wow did'nt see this coming

the brassy-ballsy-ness and general bling of this new security firm is amazeballs, their in the wrong game regardless ,they should have definately been a PR company, they have skills.
Even the numbers, 13 vulnerabillities found,wow unlucky for some but a few listed , should'nt it read like the ten commandments plus , not like a supervillan squad.

And I'm loving the balanced views personally(genuinely and not sarcastic), yes there is a bit of salt ,why not , opinions can get that way but i thought this thread would be much worse, might taint my purchasing options but well see yet, It's not like there are options after all ,power-pc maybe?? or a new chinese developed chip er no

 

[oxidized]

Don't let my avatar fool you, my alliance is purely to price/performance ratio.

No doubt about it!

 

[FordGT90Concept]

Let's jump the gun and defame the researchers because this is AMD and not Intel.

The "researchers" jumped the gun. AMD hasn't even had time yet to reproduce them for verification purposes.

When Specter and Meltdown went public, it was huge news because despite having six months to work on it, they weren't even close to fixing it. Even if one of these 13 ends up being legit, it most likely could have been quietly fixed without any fanfare. In this case, everything the "researchers" did was about maximizing fanfare. That should concern everyone. I hope this doesn't become the new norm but it could.

 

[ssdpro]

AMD provided us with the following statement: "We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings.

So AMD wasn't able to discredit the claims after 36 hours of research. Probably some verified vulnerabilities then as they only take a short time to verify. Ugly mess how it was released; a serious security company would WANT the mfg to fix the problems not benefit by exposure. AMD will fix.

 

[xkm1948]

Power of Reddit. Entire video footage of their “security firm” is all just green screened. Someone over reddit found all the available stock background this firm used for their video.

I am not just calling this BS now, this is market manipulation and scam. Shame on tech sites that took it and run with it WITHOUT doing their own homework. GT90 did way more research than the editors here

 

[oxidized]

Power of Reddit. Entire video footage of their “security firm” is all just green screened. Someone over reddit found all the available stock background this firm used for their video.

I am not just calling this BS now, this is market manipulation and scam. Shame on tech sites that took it and run with it WITHOUT doing their own homework. GT90 did way more research than the editors here

Wow, you're soo keen man

 

[FordGT90Concept]

So AMD wasn't able to discredit the claims after 36 hours of research. Probably some verified vulnerabilities then as they only take a short time to verify. Ugly mess how it was released; a serious security company would WANT the mfg to fix the problems not benefit by exposure. AMD will fix.

Not really. If all they provided is a white paper, AMD has to author its own tools then they have to run said tools against a variety of hardware. If the tools indicate some truth to the claims, they have to dig deeper and find out why. The why indicates whether or not it is something that needs to be fixed or not, and how. This process will likely take a month.

 

[EarthDog]

They provided instructions on how to recreate the issues 'found'.

 

[Alphadark]

Power of Reddit. Entire video footage of their “security firm” is all just green screened. Someone over reddit found all the available stock background this firm used for their video.

I am not just calling this BS now, this is market manipulation and scam. Shame on tech sites that took it and run with it WITHOUT doing their own homework. GT90 did way more research than the editors here

View attachment 98286

I'm upgrading to Zen+ after seeing this. Good bye i7, wonder if Intel is behind this or some former crypto miners looking for a quick buck manipulating AMD stocks.

 

[oxidized]

I'm upgrading to Zen+ after seeing this. Good bye i7, wonder if Intel is behind this or some former crypto miners looking for a quick buck manipulating AMD stocks.

Intel, and also nvidia, are most definitely behind this man, get rid of your i7, just do it...

 

[EarthDog]

I think you are forgetting about the government too... they are watching, and listening, you know...................

 

[ssdpro]

They provided instructions on how to recreate the issues 'found'.

Yes. And google images and stutterstock added those green screen backgrounds 6 hours ago. Even the discredits are discredited... what a world!

This just got a mention on CNBC so watch that stock now that someone knows.

 

[dyonoctis]

(I know that motherboard isn't exactly a reference, but I'm curious to see how thing are going to evolve from there, dan guido and trail of bits are apparently not on the shady side.)
https://motherboard.vice.com/en_us/...ssor-ryzen-epyc-vulnerabilities-and-backdoors

" All 13 vulnerabilities are exploitable, according to Dan Guido, the founder of security firm Trail of Bits, whose researchers reviewed the flaws and exploit code before publication last week.
“Each of them works as described,” Guido told me in a phone call.

It’s important to note that all these vulnerabilities require hackers to get on the computers and gain administrative privileges some other way first, such as with a phishing attack that tricks the victim into running a malicious application, according to the CTS researchers and Guido.

This means that they are “second stage” vulnerabilities, which would allow attackers to move from computer to computer inside the same network, or install malware directly inside the processor that can’t get detected by security software. This would allow an attacker to spy on the target without detection."

So apparently those guys send a detailed document to trails of bits, a week before but choosed to alert AMD just 24h before. (How nice of them).
According to this guy the flaws are real:

https://twitter.com/i/web/status/973628511515750400