13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

[Shihab]

Like Reddit is also weed whacking this thing to oblivion, it looks like a pure smear campaign.
Red flags:
- 24h deadline before publishing
- All flaws require administrative rights in order to accomplish anything (one requires flashing firmware)
- All domains, linkedin records and so forth for a "16 year" in operations company date back at best...a year.

Subjectively speaking, compared to Meltdown attack page, this one has waaaay too many AMD logos. Without reading the text, one might actually mistake it for an ad! Count me up holding a pitchfork if Intel turned out to have a hand in this.

Objectively speaking, smear campaign or no, a vulnerability is a vulnerability. I'm personally quite illiterate on this matter so I'll defer judgement until "for dummies-"style security expert blog posts and articles start popping up.

 

[lexluthermiester]

Everything of these so called “white papers” seems fishy. Only one source, no independent duplication of their “research “ findings is a pretty serious red flag. I am calling this b*llshit. Seems like some smearing operation. Ryzenfall, so amature and obvious.

While I'm not willing to call BS, I agree that additional and independent testing & verification is required.

 

[FordGT90Concept]

#FakeNews

Intent is in the disclaimer:

The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

They likely bought put options on AMD and published this website make a fortune on the sell off of AMD stocks it triggers.

But wait, there's more:

...CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate.

Defamation and libel grounds there for AMD to sue on top of potential securities fraud.


Others above have already pointed out all the flaws in their methodology not only to exploit the vulnerabilities but also in how they don't conform to the standard six month window between informing the company and informing the public.

 

[xkm1948]

Eitherway, TPU probably benefits from the clickbait ~ish title. Who cares if the news is true or not. Dumb average Joe lives on sensationalism. Plus increased traffic and attention benefits both those researchers as well as any tech site that publish these without a serious look into the actual issue. More publicity and sweet sweet ad revenue, yay.

See this:

http://science.sciencemag.org/content/359/6380/1094.full

The difference is the paper on fake news is peer reviewed, not some magical claim certain “researchers “ pull out of their ass

 

[lexluthermiester]

but also in how they don't conform to the standard six month window between informing the company and informing the public.

There are no legally binding limitations or regulations that require any amount of time between discovery and public disclosure, especially in Israel.

 

[HTC]

While I'm not willing to call BS, I agree that additional and independent testing & verification is required.

Agreed!

Question: i read (skimmed) the whitepaper but i didn't see a mention of Linux or other OSs other then Windows ... doesn't that mean it's Windows vulnerabilites when using Zen based hardware?

 

[FordGT90Concept]

There are no legally binding limitations or regulations that require any amount of time between discovery and public disclosure, especially in Israel.

It shows intent. Six month window often doesn't allow the stock market to even respond because it's fixed before the public knows about it. A 24-hour window is intended to spook the market as their disclaimer clearly indicates. As I said, it opens the door to securities fraud investigation. 24-hour is in private, not public, interest.

If this does end up in court, the 24-hour window will work heavily in AMD's favor. Any change in AMD's stock can be pinned on this website damaging AMD.

Six month is an unwritten rule for a reason.

 

[IceScreamer]

So they notified AMD of the findings and posted the paper 24 hours after, when the usual time frame is, I dunno, more. Also, posting this right before the 2000 series launch. Highly suspicious.

 

[windwhirl]

Well, if this turns out to be true, it's gonna be a shitstorm for AMD....

Edit: No, it probably won't.

 

[lexluthermiester]

Question: i read (skimmed) the whitepaper but i didn't see a mention of Linux or other OSs other then Windows ... doesn't that mean it's Windows vulnerabilites when using Zen based hardware?

My take is that most, if not all, of those problems are OS-agnostic. If all of this pans out and is verified, AMD is going to have as bad a time as Intel did with Meltdown.

Six month is an unwritten rule for a reason.

Rule, not law.

 

[dj-electric]

 

[W1zzard]

Reworked most of the article and added AMD's statement

 

[Sam32]

All four vulnerabilities require administrative access. This this NOTHING like Spectre/Meltdown...

 

[Imsochobo]

skeptical as remote attacks seems hardly possible.
Method of doing this release.

if true;
what they're mentioning seems to be what intel ME has going for it, we don't like it and we still have 50 000 unpatched computers at work from Intel, that security issue isn't really talked about cause it required physical access.

Give a hacker physical access to something and some time and nothing stands in their way.
Spectre and Meltdown is fundamentally different as it allows remote attacks.

I am in no way protecting the PSP, I don't like stuff like it but I'm pretty much saying it's like intel ME.

 

[EarthDog]

https://www.anandtech.com/show/1252...lish-ryzen-flaws-gave-amd-24-hours-to-respond

 

[xorbe]

This "security company" is based in Israel where Intel has it's most important design centre and one of the largest manufacturing facilities.

This. Also, why does everyone need dedicated logos and websites for bug reports these days. It's a PR smear campaign (if the website name didn't tip you off). First and fourth are flashing the board bios, and the second and third require OS root access. These are absolutely not on the level of Meltdown or Spectre.

 

[W1zzard]

Added info that Vega is probably affected, too

 

[R-T-B]

All flaws require administrative rights in order to accomplish anything (one requires flashing firmware)

When it can survive a reinstall it's still a big issue. If these flaws are confirmed they are fairly signifigant.

As I said earlier, 2018 is going to be a rough year for processor security...

 

[839millionman]

The timing on this is interesting. There's a ton of movement right now around AMD's stock.

The 24 hour notice is really fishy. I would take this with salt, especially since its from a website called amdflaws.com and has titles like "Ryzenfall".

 

[W1zzard]

Question: i read (skimmed) the whitepaper but i didn't see a mention of Linux or other OSs other then Windows ... doesn't that mean it's Windows vulnerabilites when using Zen based hardware?

I see no technical reason why any other OS won't be affected. As long as that OS provides a mechanism to access hardware

 

[xorbe]

https://amdflaws.com/disclaimer.html

"you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports"

edit: oops sorry, this was already posted above by FordGT90Concept

 

[Sempron Guy]

they published it on a site called amdflaws.com who they most likely authored as well. Anyone still falls for this kind of stuff in 2018?

 

[gr33nbits]

Fake news!

 

[xkm1948]

they published it on a site called amdflaws.com who they most likely authored as well. Anyone still falls for this kind of stuff in 2018?

Like 99% of the population?

 

[the54thvoid]

I'm with @FordGT90Concept on this. This isn't about security, this is about hurting AMD.

That seems pretty obvious from the disclosure he quoted.