back to article OK, deep breath, relax... Let's have a sober look at these 'ere annoying AMD chip security flaws

CTS-Labs, a security startup founded last year in Israel, sent everyone scrambling and headlines flying today – by claiming it has identified "multiple critical security vulnerabilities and manufacturer backdoors in AMD’s latest Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile processors." Tuesday's glitzy advisory disclosed no …

Page:

  1. Solarflare

    Anybody look at their disclaimer?

    https://amdflaws.com/disclaimer.html

    "The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents. "

    Yeah, doesn't sound shady at all...

    1. Voidstorm
      Pirate

      Re: Anybody look at their disclaimer?

      "... not statements of fact" -- so, they're lies, then ? <.<

      I agree, this stinks like a barrel of sardines.

  2. GrumpenKraut Silver badge
    Mushroom

    Amateur hour

    still a certain German news outlet (*cough* heise.de *cough*) totally fell for it. They are receiving a nice roasting in their comment section, though. ---->

  3. Zippy's Sausage Factory

    Sounds like the lab are trying to make a name for themselves. Although rehashing old vulns and putting fancy names on them doesn't sound like a sensible way to do that...

    1. GrumpenKraut Silver badge
      Pint

      it's not just the fancy names. Example: "Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS ...". Hello? If an attacker is in a position to flash the BIOS on any machine whatsoever, that's well and truly game over.

      Security ALERT: An attacker can compromise AMD-based computer if in the position to take a pee on the mainboard. We need a name for that: PIDDLE-NADO-APOCALYPSE. Yeah, that's fitting.

      Sorry, not beer ------>

  4. JakeMS Silver badge

    If these issues exist..

    They should absolutely be taken seriously and, if possible, fixes released.

    However, giving AMD only 24 hours notice is just irresponsibile.

    Yes, try to find them, yes report them to AMD but for the love of computers give them a chance to at least investigate it. 24 hours is no time at all, at best you could check a few chipsets in a day, but no way would you have time to fix them all in 24 hours.

    Bear in mind, fixes would have to be tested also prior to release (to check for brickage, we're talking cpus and chipsets here, a bad update is a bricked machine).

    In my opinion the security team handled this poorly, even Google Security Team gives you a week!

    1. Peter2 Silver badge

      Re: If these issues exist..

      That's because it's either:-

      1) a deliberate attempt to manipulate the AMD share price to make a profit via shorting AMD's shares

      or;

      2) a hit peice from a certain well known company which has recently been discovered to have both a shockingly wide variety of severely dangerous remotely exploitable security flaws in it's products and a well known historical track record for having a predeliction towards illegal dirty tricks being ultimately responsible, and using a share price scheme as semi plausible cover for trying to prevent to competition from exploiting their shortcomings.

  5. Doctor Syntax Silver badge

    If they're on the level they have just given potential clients notice of why not to deal with them. Or maybe the initial investment was running out and they had to whip up some publicity PDQ.

  6. Anonymous Coward
    Facepalm

    Roll up folks! The security circus is back in town!

    1. Witty names? Check.

    2. Individual logos? Check.

    3. Special domain name? Check.

    4. Lashings of self-aggrandizing hyperbole? Check.

    5. Lack of useful detail? Check.

  7. iron Silver badge

    This whole thing stinks to the heavens and I'm not talking about AMD's security. A company I've never heard of, a report that was published without responsible disclosure, no POC code, no CVE numbers, the vendor given 24h notice yet a random security researcher (who I've also never heard of) was supposedly given a week with the report and POC code... Meanwhile some investment company is citing it and calling for people to sell AMD stock? My local fishmonger smells less fishy.

    1. GrumpenKraut Silver badge
      Boffin

      You forgot videos in fake(ed) labs.

      About the 24h notice: if they made that any more, then AMD would surely came back with a big fat "Are you guys kidding?". And that would go against the obvious intention of this PR stunt.

  8. johnnyblaze

    Sensationalist headlines. Nothing to see here. Move along. I wonder if the CTS Labs 'research' was funded by Intel? It was very AMD focussed. Keep buying those Ryzens and EPYC's - they're great CPU's.

  9. potatohead

    What can be patched

    That there are flaws in the processor is not that surprising - it's a new design, and this stuff is hard if not impossible to reason about.

    The interesting question is whether AMD are able to patch these systems to resolve the flaws.

    Another explanation for the lack of disclosure delay would be that CTS-Labs are well aware that these problems are easy to fix, and hence they would have a non-story if they delayed publication.

  10. jms222

    Found this explanation

    https://www.reddit.com/r/Amd/comments/846gpm/how_cts_labs_created_their_offices_out_of_thin_air/

    speaks for itself.

    1. mutin

      Re: FoFake company, fake claims?und this explanation

      By the link that is ALL fake. Will see what AMD will find. While Israel does not permit extradition of its citizens, AMD still can sue guys. Let's get some popcorn and patiently wait for the dust settles.

  11. GrumpenKraut Silver badge
    Devil

    CTS-Labs is "Catenoid Security" which was formally Flexagrid Systems Inc

    ...A company that produced the Computer Hijacking "CrowdCores"

    See here (link to anandtech.com forum).

    Hope they get their balls pinched.

  12. Bronek Kozicki Silver badge

    grumble grumble ...

    When people find that your products suffer from meltdown, do you:

    1) focus on fixing the problem, or

    2) put large spectacles, wig and fake moustaches, point at a rodent passing nearby competitor's factory, and shout "oh look, squirrel!"

    Credit to Torvalds for naming these guys for what they are.

  13. jfm

    Viceroy Research? The one who shorted Capitec Bank in South Africa and then claimed Capitec's financial statements were false and they were a loan shark heading for insolvency? And then when the Reserve Bank and the national Treasury said they had no concerns about Capitec, doubled down and said they'd both accepted the supposedly false accounts at face value, and would discover Viceroy was right and put Capitec into receivership if only they did a proper audit? That Viceroy Research?

  14. regregular

    Also worth of note:

    The company Viceroy Research has just recently been implicated in attempted stock market manipulation by german stock market / banking authority BAFIN (similar to US SEC).

    https://translate.google.com/translate?hl=en&sl=de&tl=en&u=https%3A%2F%2Fwww.handelsblatt.com%2Funternehmen%2Fit-medien%2Ffinanzmarkzaufsicht-bafin-nimmt-pro-sieben-kritiker-viceroy-ins-visier%2F21061952.html

    This is very dodgy.

  15. Anonymous Coward
    Terminator

    Free hole just by electronics

    Server, PC, Laptop and Mobile Phone are all a metaphor for 'a hole'

    want A Hole, then just utilise electronics/

  16. Anonymous Coward
    Anonymous Coward

    Secure Proccessor, it locks you down not out

    AMD: "Secure Processor, it locks you down not out (like all the others) - Well not true you are all locked out."

    Pththththththththt !

    If you want a Secure Processor, Bios or Hard Drive allow the user to check-sum the device (even old md5 & sha1 together) and save in an non-battery-backed manner on a chip (aka in 80's music electronics).

    Otherwise just means to lock out users.

  17. Destroy All Monsters Silver badge

    I see

    There is a market niche for the taking out of bottom feeders that is sadly not being actively exploited.

  18. Milton Silver badge

    Clumsily obvious

    I tend to agree with those who point out that "flaws" which can only exploited if the machine is already compromised at root level are much less significant than those which can burrow in under the radar and obtain that kind of access.

    It's a bit like worrying about mission protocols when the captain of the aircraft carrier is already a foreign agent: you lost the game long before having to worry about how many planes to keep on CAP. Your job is to employ good, loyal captains. Your job is also to worry about important threats, like (say) a new sea-skimming missile that your radar can't detect, which makes the question of mission protocols important if the captain hasn't been compromised.

    And yes, this whole thing stinks like a week-old haddock, and per my title, I suggest it is clumsily obvious, to the point of witlessness. I won't trouble to detail the points made so well by others, regarding timing, attempted anonymity, suspicious abruptness with which this latest crew apparated: it all simply stinks of an unsubtle, heavy-cack-handed and slimy attempt to smear AMD.

    As to who is really behind it, well, the same folks who are always responsible when corporations do dishonest, dishonourable things which strangely benefit it to the tune of billions: "A small group of junior employees gone rogue who acted beyond their authority and completely without the knowledge of senior management."

    They do get around, those guys.

    1. Anonymous Coward
      Anonymous Coward

      Re: Clumsily obvious

      @ Milton

      Great response and I expect you've hit the nail on the head :)

    2. Robert Carnegie Silver badge

      Re: Clumsily obvious

      One flaw in your argument: the claimed AMD flaws are such that if you metaphorically detect that the aircraft carrier captain is a foreign agent and you replace him with a good one, the bad captain may have still ineradicably compromised the aircraft carrier itself. That's to say: the bad operating system has infected the Secure Processor and/or the motherboard firmware. It looks like a real risk.

  19. mutin

    Good Pirates???

    That is a shame!!! Not AMD, because bugs are bugs and there is a process to fix. For the company expense. What CTS-Labs did was "good piracy" and my suggestion is to do what normal people do with ANY pirate - hang them! They are not about security, they are about money and getting it in the most dirty way. In InfoSec world of terms. I would suggest NOT to deal with the company, otherwise one day your own hands will get dirty as well. Or they trade you for yet another money.

    But, they are not only greedy but also stupid! They expected AMD stocks react on their "news". Well, the case of Meltdown etc. shows that the reaction is minimal if at all. Investors use different criteria. and judge by different information.

    Frankly, I've been in InfoSec since 2003 and do not remember such misconduct of vulnerability announcement. May be they need PR themselves? But that is not about Information Security. That works in Hollywood.

  20. tygrus.au

    Is the priority stock price manipulation

    The secretive behaviour of those behind the disclosure and websites is very suspicious. It could be an exercise to find a few bugs and exploit them for stock price manipulation or pay-back.

  21. rav

    CTS ADMITS EVERYTHING IS BULLSHYTE ALL OPINION AND ZERO FACTS.

    From CTS

    "The report and all statements contained herein are opinions of CTS and are not statements of fact."

    And this......

    "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

    Excerpted from below...

    "Legal Disclaimer

    CTS is a research organization. This website is intended for general information and educational purposes. This website does not offer the reader any recommendations or professional advice. The opinions expressed in this report are not investment advice nor should they be construed as investment advice or any recommendation of any kind.

    It summarizes security vulnerabilities, but purposefully does not provide a complete description of such vulnerabilities to protect users, such that a person with malicious intent could not actually exploit the vulnerabilities and try to cause harm to any user of the products described herein. Do not attempt to exploit or otherwise take advantage of the security vulnerabilities described in the website.

    The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.

    You may republish this website in whole or in part as long as CTS is clearly and visibly credited and appropriately cited, and as long as you do not edit content.

    Although we strive for accuracy and completeness to support our opinions, and we have a good-faith belief in everything we write, all such information is presented "as is," without warranty of any kind– whether express or implied – and CTS does not accept responsibility for errors or omissions. CTS reserves the right to change the contents of this website and the restrictions on its use, with or without notice, and CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate."

    https://amdflaws.com/discla...

    CTS is telling the world it is ALL bullshyte and they have a financial stake in AMD.

    Yet the on-line media is writing about nothing else.

  22. Lord_Beavis
    Trollface

    Old Tech

    Glad I'm hanging on to these 6502 and Z80 CPU's...

  23. William Higinbotham

    Look for those undocumented opcodes:-)

    http://www.rcollins.org/secrets/IntelSecrets.html

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019