13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

[ikeke]

@bug

I'm just going to leave this. You're bashing and this aint a way for grownups to talk. I've been adding links and reasoning behind my inputs to this thread. Can't say that about yours, unfortunately.

Please, find the nearest bridge, sir, there's a meeting place under it for people like you, i think.

You're just being schizophrenic now.

I'd direct you to https://www.techpowerup.com/forums/threads/forum-guidelines.197329/ under "Posting in a thread " where you can find quite a few helpful pointers as to what you should do and not do in a thread.

 

[bug]

My point has consistently been that I don't see the threatening stipulations in the GPP. What links would you think I could post to reinforce that?
Also, we don't have a copy of the GPP, just the fragments Kyle published.

 

[ikeke]

https://www.tomshardware.com/news/amd-vulnerability-patches-ecosystem-partners,36993.html

The "impossible to fix" fixes are being validated by partners.

Quote:
Within approximately 30 days of being notified by CTS Labs, AMD released patches to our ecosystem partners mitigating all of the CTS identified vulnerabilities on our EPYC™ platform as well as patches mitigating Chimera across all AMD platforms. These patches are in final testing with our ecosystem partners in advance of being released publicly. We remain on track to begin releasing patches to our ecosystem partners for the other products identified in the report this month. We expect these patches to be released publicly as our ecosystem partners complete their validation work.

 

[lexluthermiester]

The "impossible to fix" fixes are being validated by partners.

No one said they're impossible to fix. Quit trolling.

 

[nemesis.ie]

https://blog.cts-labs.com/2018/05/new-amd-update-encrypts-psp-firmware.html

 

[Vya Domus]

"It appears the latest AGESA update encrypts portions of the PSP firmware, making it harder for security researchers to examine the code."

Or rather for everyone ? Funny, they infer that this is done to keep them away specifically.

CTS seems awfully interested in everything AMD does. If they discovered all these vulnerabilities as a result of someone contracting them , what is it that still piques their interest such that they still conduct research on their own for free , I wonder.

 

[ikeke]

No one said they're impossible to fix. Quit trolling.

How long before a fix is available?

We don't know. CTS has been in touch with industry experts to try and answer this question. According to experts, firmware vulnerabilities such as MASTERKEY, RYZENFALL and FALLOUT take several months to fix. Hardware vulnerabilities such as CHIMERA cannot be fixed and require a workaround. Producing a workaround may be difficult and cause undesired side-effects.

https://amdflaws.com/

 

[nemesis.ie]

@Vya Domus Who says they are still doing it for free? Perhaps they have an on-going contract or are still fulfilling the previous one, or even a new one?

AMD now have a chance to gauge this latest CTS response and possibly change how things work again/more with another patch/AGESA or issue a comment on it.

 

[1stn00b]

No word on Spectre Next Generation Techpowerup ?
https://www.heise.de/ct/artikel/Exc...U-flaws-revealed-several-serious-4040648.html
https://newsroom.intel.com/articles/addressing-questions-regarding-additional-security-issues/

I remember this news about AMD was instantly posted and also pinned up on site for days if not weeks ;>

 

[bug]

No word on Spectre Next Generation Techpowerup ?
https://www.heise.de/ct/artikel/Exc...U-flaws-revealed-several-serious-4040648.html
https://newsroom.intel.com/articles/addressing-questions-regarding-additional-security-issues/

I remember this news about AMD was instantly posted and also pinned up on site for days if not weeks ;>

Damn, TPU's secret plan to make AMD look bad has been uncovered bt astute minds

 

[Prince Valiant]

No one said they're impossible to fix. Quit trolling.

The first post of the thread mentions a second Chimera exploit as "requiring a hardware fix and hinting at needing a recall".

Damn, TPU's secret plan to make AMD look bad has been uncovered bt astute minds

I'm not going to don my tinfoil but I'd have thought we'd see a post about the new Intel vulnerabilities and the update from AMD. Coverage for the Ryzen exploits was over the top.

 

[bug]

I'm not going to don my tinfoil but I'd have thought we'd see a post about the new Intel vulnerabilities and the update from AMD. Coverage for the Ryzen exploits was over the top.

Depends on your definition for "over the top", it's not like there's a common standard of how much coverage a type of story should get. I just did a TPU search and found about a page of news articles about Spectre and Meltdown.

Incidentally, this very thread only got so long because AMD fans just couldn't underscore enough how the vulnerabilites reported here are without merit, because the ones disclosing them were jerks. Streisand effect at its best.

 

[R0H1T]

Depends on your definition for "over the top", it's not like there's a common standard of how much coverage a type of story should get. I just did a TPU search and found about a page of news articles about Spectre and Meltdown.

Incidentally, this very thread only got so long because AMD fans just couldn't underscore enough how the vulnerabilites reported here are without merit, because the ones disclosing them were jerks. Streisand effect at its best.

No most of the AMD fan base (& others) were angry because a no name security firm, with ties to a hedge fund, released highly professional (read dubious) videos on how the AMD chips were vulnerable with admin rights. While their site was all glitzy, they were very light on details & (almost) certainly had an agenda to drive the stock price down ~ given their minutiae exposé spread over a period of 2(?) weeks. Also they'd given no practical time to AMD in resolving this issue, unlike another major competitor which sat on that info (GPZ) for almost 3 quarters & yet botched updates for another full quarter!

 

[bug]

No most of the AMD fan base (& others) were angry because a no name security firm, with ties to a hedge fund, released highly professional (read dubious) videos on how the AMD chips were vulnerable with admin rights. While their site was all glitzy, they were very light on details & (almost) certainly had an agenda to drive the stock price down ~ given their minutiae exposé spread over a period of 2(?) weeks. Also they'd given no practical time to AMD in resolving this issue, unlike another major competitor which sat on that info (GPZ) for almost 3 quarters & yet botched updates for another full quarter!

Yeah, thanks for posting all that again, I thought the thread was dying.
The one that reported could have been murderers and necrophiles, it wouldn't change that vulenrabilities (as hard to exploit as they were) were there.
But you just can't get enough of attacking the messenger, can you? That won't solve anything, it never did.

 

[HTC]

No word on Spectre Next Generation Techpowerup ?
https://www.heise.de/ct/artikel/Exc...U-flaws-revealed-several-serious-4040648.html
https://newsroom.intel.com/articles/addressing-questions-regarding-additional-security-issues/

I remember this news about AMD was instantly posted and also pinned up on site for days if not weeks ;>

I sent a heads-up note to Bta about this yesterday (1st link, Google translated to English).

 

[TrustNo1]

Take THAT AMD. I dont wanna hear the fanbois anymore.

there is a lot of anti AMD propaganda on the internet its beyond suspicious. best you dig a little deeper and find out the truth yourself, a lot of the stuff you see online is regurgitated garbage that reviewers have somehow come to agree on.

basically viceroy research is full of you know what and cts labs doesn't exist:

"https://www.gamersnexus.net/industry/3260-assassination-attempt-on-amd-by-viceroy-research-cts-labs"

 

[Salty_sandwich]

there is a lot of anti AMD propaganda on the internet its beyond suspicious. best you dig a little deeper and find out the truth yourself, a lot of the stuff you see online is regurgitated garbage that reviewers have somehow come to agree on.

basically viceroy research is full of you know what and cts labs doesn't exist:

"https://www.gamersnexus.net/industry/3260-assassination-attempt-on-amd-by-viceroy-research-cts-labs"

very interesting read that link, ... here's a quote from it

Unreachable PR Company

When we first saw the press release, we reached-out to the listed Bevel PR phone number and publicly listed contact, Jessica Schaefer, to learn more about the CTS Labs research company. We won’t show it on screen, but looking through personal social media pages, we were able to find that Bevel PR appears to have been founded in 2017, and that it is staffed primarily or entirely by one individual. The Bevel PR phone number went straight to a full inbox and we were unable to get into contact. We have also reached-out to Schaefer through other contact media. We’ve never heard of Bevel PR before, but their webpage indicates that they have some experience working with ICOs and hedge funds. This pointed us in the next direction.

How vast amounts of money can change a human from being a human is …. well, frankly disturbing

 

[Space Lynx]

very interesting read that link, ... here's a quote from it

Unreachable PR Company

When we first saw the press release, we reached-out to the listed Bevel PR phone number and publicly listed contact, Jessica Schaefer, to learn more about the CTS Labs research company. We won’t show it on screen, but looking through personal social media pages, we were able to find that Bevel PR appears to have been founded in 2017, and that it is staffed primarily or entirely by one individual. The Bevel PR phone number went straight to a full inbox and we were unable to get into contact. We have also reached-out to Schaefer through other contact media. We’ve never heard of Bevel PR before, but their webpage indicates that they have some experience working with ICOs and hedge funds. This pointed us in the next direction.

How vast amounts of money can change a human from being a human is …. well, frankly disturbing

we already knew this this was all a dead end and basically just anti AMD propaganda, why resurrect a dead topic? I'll be rocking AMD 7nm cpu and GPU in winter 2019, vote with your money.

 

[bug]

we already knew this this was all a dead end and basically just anti AMD propaganda, why resurrect a dead topic? I'll be rocking AMD 7nm cpu and GPU in winter 2019, vote with your money.

And you're posting this despite AMD acknowledging the issues were real: https://community.amd.com/community...amd-technical-assessment-of-cts-labs-research

 

[TheoneandonlyMrK]

https://www.tomshardware.com/news/amd-vulnerability-patches-ecosystem-partners,36993.html

The "impossible to fix" fixes are being validated by partners.

Quote:
Within approximately 30 days of being notified by CTS Labs, AMD released patches to our ecosystem partners mitigating all of the CTS identified vulnerabilities on our EPYC™ platform as well as patches mitigating Chimera across all AMD platforms. These patches are in final testing with our ecosystem partners in advance of being released publicly. We remain on track to begin releasing patches to our ecosystem partners for the other products identified in the report this month. We expect these patches to be released publicly as our ecosystem partners complete their validation work.

Loop complete , return to start.

 

[John Naylor]

After all the Intel and AMD *vulnerabilities" announced and finger pointing, has anyone seen a post saying "I didn't install the patch and [insert horror story] happened to me.

 

[qubit]

After all the Intel and AMD *vulnerabilities" announced and finger pointing, has anyone seen a post saying "I didn't install the patch and [insert horror story] happened to me.

<tumbleweeds>

 

[AsRock]

After all the Intel and AMD *vulnerabilities" announced and finger pointing, has anyone seen a post saying "I didn't install the patch and [insert horror story] happened to me.

Well if some one is being hacked, the hacker might not want to be seen\noticed. There fore you might of been and just don't know about it ( YET!).

It's like depending on a single anti virus program and saying i have never had a virus.

Ignorence is bliss.

 

[John Naylor]

I always used one active AV and had a second do nightly scans ... up until a few years ago. Now we just have one on each box and the server scans all networked drives in wee hours.

As to getting it out there... what idiot uses their real name online ? Well back when i started, that was the only way you could get online ... AOL going to the unlimited data for $19.99 a month and allowing "handles" will be later defined in historical exts as the "End of Western (amd eastern) Civilization"

 

[GoldenX]

This was the best joke of the year until Intel released the same Skylake 14nm CPU at $600.