13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

What are you talking about? No, really?

Meltdown/Spectre - industry as a whole had months to prepare the fixes, no public disclosure.
"Amdflaws" - 24h notification to AMD since "these are unfixable issues", then amateurish public FUD campaign.
 
"Amdflaws" - 24h notification to AMD
We've been over this. There is a huge difference between making a public announcement and full disclosure to the public. CTS did not and has not disclosed the full technical details to the public. They only announced the existence of them. Have you actually read the links you've been posting?
 
Neither you nor I nor anyone but CTS-Labs knows who the details were shared with.

You take their word? Good for you. Thus far they have a less than stellar reputation on being factual.
 
Neither you nor I nor anyone but CTS-Labs knows who the details were shared with.
It only matters that they did not share it with the general public. You're picking nits again..
You take their word? Good for you. Thus far they have less than stellar reputation on being factual.
People make mistakes. It's not the end of the world. Get over it.
 
OK then, I was wrong. These issues can be fixed and unlike Spectre and Meltdown there's no performance degradation that will be seen when it's fixed.
 
So you admit you're biased and unable to be objective. If you'd said that to begin with..

No. I'm not 'admitting' anything. I'm not 'guilty' of something, so admission is the wrong word. I'm merely stating my position on this matter. The fact that I own shares of AMD isn't a source of bias for me in my determination on whether these 'flaws' are a serious problem. I would argue the same thing if somebody had levelled this accusation at Intel-based computers, too.
 
As with the Spectre / Meltdown scenario, it would be great if at some point we could have a thread focusing on the potential impact of these flaws on users ... I'd rather skip having to read thru 100s of brand bashing posts to get any useful information. While it's certainly too early at this point to ascertain the impact of the new Zen flaws, it's been hard to find any instances of actual "typical user" impact of Spectre and Meltdown because of all the "noise".
 

bug

As with the Spectre / Meltdown scenario, it would be great if at some point we could have a thread focusing on the potential impact of these flaws on users ... I'd rather skip having to read thru 100s of brand bashing posts to get any useful information. While it's certainly too early at this point to ascertain the impact of the new Zen flaws, it's been hard to find any instances of actual "typical user" impact of Spectre and Meltdown because of all the "noise".
All of these require admin rights to exploit.
As a home user, if someone gets into a position to exploit these, you're already royally screwed. But, as CTS Labs have noted, these are more of a danger to organizations where, by phishing or other means, someone exploits these to plant almost undetectable malware that can be used to further compromise the organization.
 
But, as CTS Labs have noted, these are more of a danger to organizations where, by phishing or other means, someone exploits these to plant almost undetectable malware that can be used to further compromise the organization.
Exactly correct. It's a risk that must be taken seriously no matter how difficult it is to accomplish.
No. I'm not 'admitting' anything.
:kookoo:
 

Veradun

Exactly correct. It's a risk that must be taken seriously no matter how difficult it is to accomplish.

Yep, correct. If companies are unable to isolate users and they give every employee admin rights on their PCs, well, being exploited is well deserved.
 

las

The danger of these flaws has been exaggerated A LOT.

Spectre and Meltdown are way more serious.
 

bug

The danger of these flaws has been exaggerated A LOT.

Spectre and Meltdown are way more serious.
How so? They may not require admin rights, but still in most cases the data you can sniff will be garbage.
Vulnerabilities are vulnerabilities. Just because you and I can't figure out how to exploit them doesn't make them less dangerous. Patch them and move on.

Also, I wonder who exaggerated these "A LOT" since very few parties actually had a chance to examine them properly. CTS Labs? We've already established they have little credibility, so I wouldn't put much weight on their assessment of how serious these are. And I'm not aware of anyone else saying these were serious flaws.
 
And I'm not aware of anyone else saying these were serious vulnerabilities.
Let's be fair, AMD themselves have said this with their actions.
https://www.techpowerup.com/242550/initial-amd-technical-assessment-of-cts-labs-research
When the company affected by these problems commits resources to releasing full BIOS revisions for said problems, they are automatically qualified as serious.
So AMD themselves have validated them and are taking these vulnerabilities seriously enough to release fixes for them.
 

bug


In case I wasn't clear before, any security vulnerability should be taken seriously. It's just that in this context I haven't understood where the "end of the world is drawing near" assessment came from in the first place. Therefore, I'm not getting the "these aren't as serious as previously thought" reasoning now.

I've been looking at these with the caution any person looks at an unknown quantity. Now that the quantity is known, I/we can relax.
 

hat

In case I wasn't clear before, any security vulnerability should be taken seriously. It's just that in this context I haven't understood where the "end of the world is drawing near" assessment came from in the first place. Therefore, I'm not getting the "these aren't as serious as previously thought" reasoning now.

I've been looking at these with the caution any person looks at an unknown quantity. Now that the quantity is known, I/we can relax.
You really think so? I agree these flaws would be very hard to actually use, but imagine if somebody managed to pull it off at your bank, or anywhere else where you have sensitive information...
 
I don't think organizations with sensitive information should have InfoSec holes that allow for such vulnerabilities to be used, unless bad actor/insider user can deploy them.
 

r9

At first take on CTS Labs I was thinking that probably somebody cough*intel* paid them to do it, why else.
But if you think about it this is what they do, and you can't buy exposure like this.
 

bug

At first take on CTS Labs I was thinking that probably somebody cough*intel* paid them to do it, why else.
But if you think about it this is what they do, and you can't buy exposure like this.
Yes, that's probably why they rushed disclosing all this. Even bad publicity is publicity and CTS Labs went from no-name to world famous. But I really, really hope they don't handle further discoveries like they did.
 
I don't think that being in InfoSec/auditing business and having this clusterf*ck in resume will give you any credits in the future.

(oh, we found this issue while looking at this non-related thing, hmm, looks like something that could be sold to stockmarket for quick buck, ta-daaa, profit. Also, we don't know how to inform parties of our findings, hehe, no worries, happens, whoops...)

Edit: In other news, Viceroy unmasked.

https://www.moneyweb.co.za/in-depth/investigations/viceroy-unmasked/

This all stinks to high heaven. They all look to be a front for someone else.
 