13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

[bug]

I dont think that being in InfoSec/auditing business and having this clusterf*ck in resume will give you any credits in the future.

(oh, we found this issue while looking at this non-related thing, hmm, looks like something that could be sold to stockmarket for quick buck, ta-daaa, profit. Also, we don't know how to inform parties of our findings, hehe, no worries, happens, whoops...)

Yeah, well, they're into the business of finding issues and they found them. When they'll be in the business of making friends, they'll hire a PR company.

 

[ikeke]

I don't think they have anything to do with the original findings. This looks more and more like an orchestrated stunt by someone else.

 

[Veradun]

Yeah, well, they're into the business of finding issues and they found them. When they'll be in the business of making friends, they'll hire a PR company.

The funny part is they hired one.

 

[bug]

I don't think they have anything to do with the original findings. This looks more and more like an orchestrated stunt by someone else.

Do you have anything to back that up, other than "you don't think"?

 

[ikeke]

Nope, just the looks of it and available information about involved parties, it stinks.

 

[lexluthermiester]

edit:In another news, Viceroy unmasked.
https://www.moneyweb.co.za/in-depth/investigations/viceroy-unmasked/
This all stinks to high heaven. They all look to be a front for someone else.

Credible citation that is not. Looks like a hit-piece and a rather flimsy one. FUD, plain and simple.

 

[EarthDog]

Zzzzzzzzz*snore*zzzzzzzzzzzzz

Will someone tag me when conclusive info comes out intel was behind this, please? Much appreciated (not expecting a notification either). We all know everything around the very real and blown out of proportion security flaws sucked. But until something conclusive comes out about intel, this is all a rehash of day 1...400+ posts ago. Boooooooring.

 

[ikeke]

Credible citation that is not. Looks like a hit-piece and a rather flimsy one. FUD, plain and simple.

y u troll?

This sheds some light onto Viceroy who were the first to react, and like CTSLabs they look to be amateurs who push information without credentials for analysis they claim to have done themselves.

 

[bug]

y u troll?

This sheds some light onto Viceroy who were the first to react, and like CTSLabs they look to be amateurs who push information without credentials for analysis they claim to have done themselves.

Well, you also push the claim CTS Labs did not uncover the vulnerabilities without evidence. What does that tell us?

Also, of your 150+ posts here, only 5 or so are not on this or the "CTS-Labs Posts Ryzen Windows Credential Guard Bypass Proof-of-concept Video" thread. If I were you, I'd stay away from trolling references.

 

[ikeke]

So?

Only those who wrote certain amount of posts over certain threads have the right to express their thoughts? :/

OK.

And btw, which part of my thoughts on this specific topic would fall into trolling category?

In Internet slang, a troll (/troʊl, trɒl/) is a person who sows discord on the Internet by starting quarrels or upsetting people, by posting inflammatory,[1] extraneous, or off-topic messages in an online community (such as a newsgroup, forum, chat room, or blog) with the intent of provoking readers into an emotional response[2] or of otherwise disrupting normal, on-topic discussion,[3]often for the troll's amusement

 

[lexluthermiester]

Also, of your 150+ posts here, only 5 or so are not on this or the "CTS-Labs Posts Ryzen Windows Credential Guard Bypass Proof-of-concept Video" thread.

@ikeke
I've made a similar observation. You seem to be deliberately posting FUD comments. And we've been over this next one, lack of objectivity. You seem hell bent on smearing CTS who's claims have been proven to have merit, by AMD themselves. Your actions here seem to clearly show that you are acting with an agenda in a troll like fashion. The only thing that is making your comments tolerable, for me at least, is that you seem to be conducting yourself in a mostly civilized manner.

 

[ikeke]

You seem hell bent on smearing CTS who's claims have been proven to have merit, by AMD themselves.

CTSLabs assessment of the issues impact/scope has been overturned by independent reviewer they themselves hired. Amd assessment for fixes availability was estimated as weeks-to-month.

And they (CTSLabs) stopped broadcasting, silence speaks volumes in this case.

 

[lexluthermiester]

CTSLabs assessment of the issues impact/scope has been overturned by independent reviewer they themselves hired. Amd assessment for fixes availability was estimated as weeks-to-month. And they (CTSLabs) stopped broadcasting, silence speaks volumes in this case.

This is a perfect example of your FUD and dancing around the facts. AMD has confirmed the findings of CTS. They downplayed it a bit, naturally, but they confirmed it all none-the-less.
You also danced completely around the other points made without confirmation or denial.

Seriously, you're not and haven't added anything of value to the conversation. Let it go.

 

[EarthDog]

And they (CTSLabs) stopped broadcasting, silence speaks volumes in this case.

What are they supposed to be saying during this time?

They gave their information out (in the most questionable manner possible), AMD confirmed all the issues are real and will be fixing it in 'weeks not months'. CTS replied to that and said they don't believe it will take weeks, but months (part of what they said initially). Only time will tell who is right on this. As I said before, this is just rehashing what we already know. Nothing new... Zzzzzzzzzzzzzzzzzzzzzzz*snore*zzzzzzzzzzzzzz wait wut? Nothing new? Zzzzzzzzzzzzzzzzzz*snore*zzzzzzzzzzzzzzzzzzz.

Anyway, AMD responded about 2 weeks ago right? We'll expect to see some roll outs soon if they are correct.


Unsubscribing to this spinning amusement park ride... someone tag me when..........................

1. Intel is PROVEN CONCLUSIVELY to be behind this...
2. When AMD fixes everything.


mmmmmmmmmmmmmkay?

 

[ikeke]

Sigh.
@EarthDog
Where. In. Any. Of. My. Posts. Have. I. Said. Intel?
@lexluthermiester
And AMD confirmed the vulnerabilities, where have I argued that. You, though, conveniently dance around the issues of impact assessment. Which, in case of vulnerabilities is quite important, well actually the most important. CTSLabs failed spectacularly in theirs.

Tinfoil hats and trolling, guys.

 

[EarthDog]

I. Didn't. Say. You. Said. Intel.

If you read more closely, you will note I asked to be notified when Intel is proven to be behind this (along with when AMD fixes things)... that is just one of the many points brought up in this thread by various people.



Good bye, thread and the constant rehash of known information... and glossing over of talking points by both sides. Man o man do threads like these really make me hate forums.

 

[lexluthermiester]

Tinfoil hats and trolling, guys.

Irony, far out. Look in a mirror. I'm not leaving the conversation though. Instead, welcome to my ignored users list.

 

[bug]

So?

Only those who wrote certain amount of posts over certain threads have the right to express their thoughts? :/

OK.

And btw, which part of my thoughts on this specific topic would fall into trolling category?

In Internet slang, a troll (/troʊl, trɒl/) is a person who sows discord on the Internet by starting quarrels or upsetting people, by posting inflammatory,[1] extraneous, or off-topic messages in an online community (such as a newsgroup, forum, chat room, or blog) with the intent of provoking readers into an emotional response[2] or of otherwise disrupting normal, on-topic discussion,[3]often for the troll's amusement

Repeating the same opinion over and over and over ad nauseam fits the description pretty well.
Of the 440-ish comments so far, 40 are yours saying nothing but "Intel made CTS Labs publish these and they're so meaningless we shouldn't even mention them". Ok, your opinion. We don't need 40 posts of that.

Like @lexluthermiester said, your saving grace is you're conducting yourself in a civilized manner so far. But don't be surprised if you find yourself reported one day if you keep polluting threads.

 

[Veradun]

Repeating the same opinion over and over and over ad nauseam fits the description pretty well.

This includes you opinion

 

[bug]

This includes you opinion

It does. Am I up to 40 posts yet?

 

[ikeke]

40 are yours saying nothing but "Intel made CTS Labs publish these and they're so meaningless we shouldn't even mention them".

Really? When facts fail - just make them up?

Some of you are all in on protecting the original OP of this thread, which makes me wonder..

“When my information changes, I change my mind. What do you do?”
- John Maynard Keynes

/t

 

[bug]

Really? When facts fail - just make them up?

Some of you are all in on protecting the original OP of this thread, which makes me wonder..

“When my information changes, I change my mind. What do you do?”
- John Maynard Keynes

View attachment 98884

/t

Ok, be the constructive one and summarize for me what is it that you had to share with us over 40 posts?

 

[lexluthermiester]

Really? When facts fail - just make them up?

Some of you are all in on protecting the original OP of this thread, which makes me wonder..

“When my information changes, I change my mind. What do you do?”
- John Maynard Keynes

View attachment 98884

/t

Based on that graph, you have been doing much of the orange, yellow and green. You've seemingly avoided the red and haven't touched the blue, violet and gray. Just based on observations.

 

[ikeke]

@bug
CTSLabs has still been unable to demonstrate the quote "13 Critical Security Vulnerabilities and Manufacturer Backdoors discovered throughout AMD Ryzen & EPYC product lines" and quote "Any consumer or organization purchasing AMD Servers, Workstations, or Laptops are affected by these vulnerabilities" and quote "How long before a fix is available? - We don't know. CTS has been in touch with industry experts to try and answer this question. According to experts, firmware vulnerabilities such as MASTERKEY, RYZENFALL and FALLOUT take several months to fix. Hardware vulnerabilities such as CHIMERA cannot be fixed and require a workaround. Producing a workaround may be difficult and cause undesired side-effects." (https://amdflaws.com/)

They paid trailofbits for analysis which they've ignored aswell as ignoring suggestion to disclose them via CERT, industry experts disagree with their impact assessment. https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/

The information leaked to stock shortseller Viceroy who were the first to capitalize on this, unsuccessfully since they are a bunch of amateurs, as found in #426.

Based on all this CTSLabs is a bunch of amateurs paddling some vulnerabilities which they were hoping to make some dirty money out of, instead of reporting issues as per industry agreed procedures to resolve the problems.

Based on that graph, you have been doing much of the orange, yellow and green. You've seemingly avoided the red and haven't touched the blue, violet and gray. Just based on observations.

Come again? For every detail i've shared along with my opinion about this I've added links and reasoning. Can't do much more in a forum thread, unfortunately. Something that cant be said about you, though.

 

[bug]

You're just being schizophrenic now. On one hand you're questioning CTS Labs' credibility (somewhat justified), on the other hand you seem to be waiting for them to demonstrate the vulnerabilities.
Disregard the fact that they have already stated they will not demonstrate these publicly because at this point that would only teach hackers how to compromise systems and have instead sent their proof of concept attacks to other security researches and AMD. Disregard the fact that I have told you these things before.
Why on Earth are you seeking confirmation from a source you've already deemed unreliable?
If CTS Labs' findings are without merit, what is AMD getting ready to patch?

On another note, a simple look at the price of AMD's stock would have saved you the embarrassment of talking about shorting (hint: the stock price didn't move past CTS Labs' revelations).

Edit: On the upside, do you now see it doesn't take 40+ posts to make a fool of yourself? When properly motivated, you could finally do it in one!