Dubious Research Discovers Ryzen vulnerabilities

Soldato
Joined
13 Jun 2009
Posts
6,847
This is only the beginning. Now this kind of thing has more focus, expect more issues to crop up for all major manufacturers going forward.

Note that 3 of the 4 categories of vulnerabilities relate to the PSP (equivalent of Intel's ME), which is a complete non-surprise. The other one relates to the chipset but is just as dangerous. To categorise them as similar to Spectre and Meltdown is disingenuous though to be honest, since those are pure CPU architecture issues; these are platform issues. There will also be no potential performance issues relating to fixes because of this.
 
Caporegime
Joined
18 Oct 2002
Posts
33,188
I posted some information on this in the other thread.

First off they have a disclaimer on the site saying they may have been paid and may have an interest in securities affected by the report. The report afaik has no references or citations which makes it insanely unprofessional.

The standard reporting time after informing companies for security reasons is 90 days, Spectre/Meltdown got 6+ months, they told AMD 24 hours before releasing this.

It's on a site called AMDFlaws.com for which the domain was registered in June 2017..... in Israel (a very much Intel country), the site is two weeks old and has a weird marketing-style video about this. They also describe this as Spectre/Meltdown-like, the very reason Spectre and Meltdown were dangerous is they are specific hardware flaws that can be affected by software at normal user levels. A user goes to a site with JavaScript being used and you can be affected. All these AMD flaws require BIOS flashing and higher admin level access..... which is where you're already vulnerable. So these vulnerabilities even in this ridiculous paper are barely vulnerabilities and they are nowhere near the same level of Spectre/Meltdown.

As I said in the other post in the Ryzen thread, this seems like something they could have done 3 months ago when it mattered. This seems more like a pre-emptive attack on AMD to help with an upcoming disclosure of another major security flaw that Intel will have soon to me. There was a rumour about a month after Meltdown that there were a couple more vulnerabilities to be disclosed in the not too distant future so I do wonder if that is what this is.

This couldn't be a more obvious hatchet job really. This also somewhat sounds like the existing disclosed AMD vulnerabilities which again required on site access and BIOS flashing but dressed up with fancy names to sound worse than they are, maybe they are genuine but not really dangerous vulnerabilities but the presentation that this is akin to Meltdown/Spectre is truly nonsense. The very thing that made those two so dangerous are specifically not even being suggested here. Something that requires admin level access and/or a BIOS flash is nowhere near something that can hit literally any user.
 
Associate
OP
Joined
22 Oct 2012
Posts
1,413
Location
The Moon
Yep, there's something very fishy about their methodology and the manner in which they have made their case. As you say, it comes across as very unprofessional and almost sounds like a paid smear campaign.
 
Man of Honour
Joined
29 Jun 2004
Posts
21,526
Location
Oxfordshire
So they are only issues when having admin level privileges, or when flashing the BIOS

Lol...complete non-issue. You're already at risk if something malicious has those kind of privileges or capabilities, CPU architecture issues or not
 
Man of Honour
Joined
13 Oct 2006
Posts
91,158
It could be nonsense and I'm sceptical but time will tell.

Most of them are only really exploitable via some kind of social engineering but a couple of them probably explain why AMD has been very cagey with the wording of some of its press releases over the previous exploits (as in the whole disclosure thing).
 
Soldato
Joined
13 Jun 2009
Posts
6,847
White paper said:
MASTERKEY: Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update.

RYZENFALL: Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges.

FALLOUT: Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges.

CHIMERA: A program running with local-machine elevated administrator privileges. Access to the device is provided by a driver that is digitally signed by the vendor.
Not exactly "the world is gonna end" Meltdown/Spectre style stuff. I imagine these'll be fixed in an AGESA update at some point, just like Intel updates their Management Engine every time there's a vulnerability found in it.
 
Man of Honour
Joined
13 Oct 2006
Posts
91,158
Not exactly "the world is gonna end" Meltdown/Spectre style stuff. I imagine these'll be fixed in an AGESA update at some point, just like Intel updates their Management Engine every time there's a vulnerability found in it.

While for the typical home user most are only exploitable once you've already given them admin/super user privileges for whatever reason a couple of them are potentially concerning in a corporate environment or other networked environment where relatively low level privileges could allow for compromise of higher level ones.
 
Soldato
Joined
26 May 2014
Posts
2,954
The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.
Fascinating.

Still, the facts are irrelevant of course. Intel fanboys will be celebrating and claiming that AMD is doomed and this is worse than Meltdown/Spectre, whilst AMD fanboys will handwave it as nothing and tech "journalists" will sex it up as much as possible for clicks. Of course, objectively speaking, the way this has been reported, with AMD given 24 hours notice of the report and the company setting up an entire website with a sensationalist name like "amdflaws.com" to report their findings is certainly highly suspicious, given usual practices in the industry.
 
Associate
Joined
27 Dec 2008
Posts
404
It's a completely fake set of vulnerabilities if you ask me. Nothing but a smear campaign being run to attack AMD.

The "Masterkey" "vulnerability" requires physical access to flash the BIOS. The attacker might as well just take the HDD out and off they go with all of the data without risking any funny business with BIOS flashing.

"RyzenFall", "Fallout" and "Chimera" all require administrator level access. If you give any ordinary malware administrator access, it is game over anyway. They are no different to any other types of malware in that case.

If these are in fact actual exploits, they are nowhere near the level of Spectre/Meltdown which can be exploited remotely without administrator rights. Calling these "vulnerabilities" is rather ridiculous, you might as well call administrator/root access a vulnerability.

The timing of this release, being out of the blue is extremely suspicious, given that it is not standard practice in the computer security industry to release details of a vulnerability without giving at least a month's notice. They also mentioned no attempts to reproduce any of these vulnerabilities with other operating systems or with an Intel CPU, to truly confirm that it is an AMD vulnerability. No details of which version of Windows they used were mentioned, or which CPUs in particular they tested.
 
Soldato
Joined
17 Aug 2009
Posts
10,719
This seems a less sketchy article

https://www.anandtech.com/show/1252...lish-ryzen-flaws-gave-amd-24-hours-to-respond

Also found this disclaimer hilarious when a comment pointed to it:

https://amdflaws.com/disclaimer.html <- site specially created to publicise (smear?)
CTS is a research organization. This website is intended for general information and educational purposes. This website does not offer the reader any recommendations or professional advice. The opinions expressed in this report are not investment advice nor should they be construed as investment advice or any recommendation of any kind.

It summarizes security vulnerabilities, but purposefully does not provide a complete description of such vulnerabilities to protect users, such that a person with malicious intent could not actually exploit the vulnerabilities and try to cause harm to any user of the products described herein. Do not attempt to exploit or otherwise take advantage of the security vulnerabilities described in the website.

The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.

You may republish this website in whole or in part as long as CTS is clearly and visibly credited and appropriately cited, and as long as you do not edit content.

Although we strive for accuracy and completeness to support our opinions, and we have a good-faith belief in everything we write, all such information is presented "as is," without warranty of any kind – whether express or implied – and CTS does not accept responsibility for errors or omissions. CTS reserves the right to change the contents of this website and the restrictions on its use, with or without notice, and CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate.

What a complete BS campaign.

"May" have economic interest behind the claims. Claims not double checked by anyone.

Oh and give AMD a trivial 24h notice beforehand, seems clean right?
 
Soldato
Joined
14 Apr 2014
Posts
2,586
Location
East Sussex
Someone somewhere saw what spectre and meltdown did to stock prices, and then decided there's some good money to be made with a well executed short and the right news story.

I have no doubt there are plenty of vulnerabilities out there in the wild for all vendors - but something is making me doubt the validity of this one on the way it's being handled and presented
 