Report Claims AMD Ryzen, EPYC CPUs Contain 13 Security Flaws

CTS-Labs, an Israeli-based security company, claims to have discovered 13 critical security vulnerabilities in AMD's Ryzen and EPYC processors.

Report Claims AMD Ryzen, EPYC CPUs Contain 13 Security Flaws : Read more
65 answers Last reply
More about report claims amd ryzen epyc cpus security flaws
  1. Quote:
    CTS-Labs provided AMD with only a 24-hour notice.

    This is extremely shady. What could be the purpose of making such an announcement, except to spread FUD in the market and put the brakes on AMDs sales momentum?

    These guys are most likely funded by Intel or individuals with a strong financial stake in Intel.
  2. I thought the same thing... Hit piece. Intel is so full of sh*t I would not be surprised one bit if they funded this.
  3. Covered themselves with that disclaimer big time.

    Whilst thats sensible for a firm like cts (nier a necessity) I would say the whole thing has very very suspicious undertones.

    I hope they have good lawyers if theyre wrong , bringing asus into the mix by name/brand aswell is a very risky decision.
  4. The lack of comprehensive tech detail of these flaws compared to Spectre and Meltdown, even in the white paper, plus the lack of notice to AMD to look into the claim of flaws, sounds fishy to me. It was not released in good faith and the disclaimer of "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports." speaks for itself. Economic interest. They likely have friends trading the stock and pushing conveniently for a short situation, seems like manipulation. Walks like fake news, talks like fake news...What is it?
  5. Sounds like a rumor if there has been no evidence or sources listed. And given the short 24 hour notice it makes the whole thing a bit shady. Possibly to manipulate stock prices? Hopefully it's all false, or the vulnerabilities are easy/quick to fix.
  6. There's already a lot out there on debunking these overblown claims.

    Interestingly, they registered the domain 19 days ago, so they surely could have started informing AMD of some of the issues back then.

    One conjecture I've read is that it could be a simple stock market play - bet on AMD's share price to drop, then release a bunch of bad news.

    I hope AMD has some grounds to sue them on the basis of misleading statements.
  7. Shame on Tom's for not having a huge, bold type, disclaimer at the top of this stating there is no real data to back this up.
    Not even their tired 'grain of salt'
  8. "an Israel-based security company"
    Aaaand that's more than i need to tell this is bs.
  9. I was like LMAO at this crap....This is pure fud at it's best. All they or who ever is paying them to do this wants is AMD stocks to fall and sales drop off as well seems a bit timely that this happens just before AMD's new CPU launch/ refresh of Ryzen in April. I am thinking Intel or someone that has a stake in Intel is behind this. Problem is the damage is already done because all news sites and tubers will cover this like it is the Holy Gospel and plat the seed of fud into everyone's minds. By the way if this was true they would have been forced to give AMD the proper amount of time to get their crap together not this 24 hour crapola...I really hope who ever is behind this get sued big time and go to jail.
  10. Quote: Possibly to manipulate stock prices?

    That is exactly what it was and from todays headlines for AMD and initial sell off you can see that it worked for a while. But then common sense and analysis showed that this was purely a figment of CTS-Labs imagination.

    The 24 hour notice along with the amdflaws.com web site clearly shows the skeeviness of CTS-Labs.
  11. Someone debunk this already? After an initial stock price drop, AMD is now up 4% at the time I'm writing this. Short squeeze?
  12. Israel huhh? Does Intel have a division in israel that developed the Core processor?? Essentially the basis of Intel's modern processors. This is highly suspicious given the amount of time AMD had to respond.
  13. Need to flash the bios, need a signed driver, need administrator access.....

    if you have any of that you already have the keys to the kingdom and have access to everything.

    This all seems extremely fishy. 24 hours notice, the domain name, the production videos, media briefing at the same time or possibly before notifying amd, etc, etc. It seems like this was a planned hit piece.

    Note i do not excuse security flaws. If there are legit flaws they need to be fixed. However, I'm personaly not worried about any flaws that require root access, at that point the battle is already lost.
  14. This doesn't pass the smell test. For something like this the vendor, AMD, should have at least 30 days notice before anything is announced. I put no merit in this at all. It almost feels like something a competitor would do as a back room deal to spread FUD.

    EDIT1: The CFO of CTS-Labs is a hedge fund manager... Anyone short a lot of AMD stock today?

    EDIT2: Check this out the company photos are photoshopped stock photos(Credit Singuy8888 on Anandtech forums): https://i.imgur.com/OkWlIxA.jpg
  15. It seems possible until the statement that the flaws have existed for 6 years. Ryzen is an entirely new architecture and chipset and hasn't even been available for 6 years. While it's true that CPU development takes years, until release, AMD are the only ones that know anything about the arch and its vulnerabilities.

    IIRC, Ryzen isn't based off bulldozer and is entirely new. Unlike Intels offerings which are based on Core2 and have been tweaked and shrunken. Even Coffeelake is a heavily tweaked Core 2 uarch but with additional cores and smaller process. So major flaws affect multi generations of CPU's
  16. simple hit piece to affect short term stock price. all of those "vulnerabilities" are around the PSP, which is not even active in most cases.

    but hey it worked prices dropped for a few hours more than enough time to make millions with the right setup ...
  17. It's possible that the flaws could be real, but who's to say that it wasn't someone like Intel who actually discovered them, perhaps while researching spectre and meltdown's affects on other processors, then sat on the data for months before paying a small company to make a sudden announcement about it shortly before AMD's next generation of processors launch. It does seem suspicious that a company would only provide a day's notice before making an announcement about their findings, not even enough time for AMD to properly look into the matter and determine whether there's a real concern, let alone be able to announce any course of action about it.
  18. No address, no land line, 4 cheap, Israelis (drinking Intel milk?), being set up in 2017 (likely after Intel's "Meltdown inside" in June), ..., but just a website ($4.95/month) and a mobile number +1-585-233-0321 :-D ... :-D

    Intel, the CPU God = 4 cheap, Israelis drinking the God's milk :-D ... :-D

    tomshardware --> tomsfairytale?
  19. We all know this is ill-intended, but we also are tech people. This goes into the regular news, common folks will be scared and will back away from AMD. Fake news works wonders in social media these days.

    I hope it's false, and if it is, I hope AMD sues them into oblivion.
  20. Need to flash the bios, need a signed driver, need administrator access.....

    Security flaws that require root access? I'm not sure Intel (Read: CTS-Labs) understand what security means...

    Giving 24 hours notice, when you are required to provide at least 90 days notice. Where was the good faith in that? For Spectre/Meltdown researchers gave a 200 days notice.. THAT is good faith...!

    Shame on Tomsfairytale for propagating this without any reasonable warning. FFS these guys don't even have evidence of what they're saying... :))
  21. Martell1977 said:
    It seems possible until the statement that the flaws have existed for 6 years. Ryzen is an entirely new architecture and chipset and hasn't even been available for 6 years.

    Ryzen may be new but AMD's partnership with ASMedia for chipsets isn't. Since some of the flaws are about the ASMedia chipsets, those can certainly be several years older than Ryzen.
  22. Hey guys, Just discovered yet another AMD vulnerability.

    They are vulnerable to hammers. Normal operation of any modern AMD processor can be disrupted if a hammer is used to impart a measured impulse directly to the integrated memory controller. The effect is permanent and the flaw has been known for over 15 years. Physical access is necessary unless used in conjunction with PAYSOMEBODYTODOIT. No known security software can fix or prevent this style of attack. My security researchers have confusingly named this new architectural flaw BUYINTELNOW.
  23. Not surprised
  24. InvalidError said:
    Martell1977 said:
    It seems possible until the statement that the flaws have existed for 6 years. Ryzen is an entirely new architecture and chipset and hasn't even been available for 6 years.

    Ryzen may be new but AMD's partnership with ASMedia for chipsets isn't. Since some of the flaws are about the ASMedia chipsets, those can certainly be several years older than Ryzen.


    Sure but this finding is not legitimate on any level. No real security researcher would give a chip maker 24 hours notice. The standard is 90 days notice or more for hardware flaws ie 6 months for Spectre/Meltdown. This is a plain an simple targeted hit. I doubt it was a competitor as it won't stand up long so its likely a stock market related scam. See my post above they are using stock green screen photos, the links on the site are utter garbage, the site is almost entirely other people's content ie a lot of copy paste and links to document/standards, and the fact they gave no notice this just smells profoundly terrible. Until these are validated by a 3rd party I think everyone should treat these as non credible findings.
  25. JamesSneed said:
    No real security researcher would give a chip maker 24 hours notice. The standard is 90 days notice or more for hardware flaws ie 6 months for Spectre/Meltdown.

    Notices are nothing more than courtesy, there is no binding "standard" for any particular time window. We'll see soon enough whether AMD confirms or denies the claims.
  26. bit_user said:
    Quote:
    CTS-Labs provided AMD with only a 24-hour notice.

    This is extremely shady. What could be the purpose of making such an announcement, except to spread FUD in the market and put the brakes on AMDs sales momentum?

    These guys are most likely funded by Intel or individuals with a strong financial stake in Intel.

    Its not a cover up or helping Intel. (even if they did there no way AMD can beat Intel for more than 30 years....AMD $2 Stocks if you remember)
    I think that security company is illegally trying get money.

    The Security Frim did not release any CVE (most important) and did not show clear proof instead they show us a baseless Non-Technical Video...more likey they want some sort of attention or an attack to AMD the company.
  27. redgarl said:
    The worst is the naming convention. Ryzenfall, Chimera, Fallout... take this into notice with everything else and you know this seems to be a scam. Anyway, why targeting AMD when they control less than 10% of the CPU business? And if you look at past Intel actions, this would fit perfectly.

    https://youtu.be/osSMJRyxG0k?t=20m47s

    Mother of All Program was a disgusting tactic that screwed the customers over pure capitalism interest.
    \

    I think the CEO of that Company need be investigated for illegal activity to gain money.

    As said Intel will not be beaten by AMD even in 30 years... Those spammers that keep saying Intel cover up need be removed,
  28. "For the attacks to work, an attacker must
    first obtain administrator access to a targeted network, Guido said."

    For the car thief to steal the car, the car thief must first obtain the car key
    and access to the car, Guido said.
  29. "asses" .. noone??
  30. The worst is the naming convention. Ryzenfall, Chimera, Fallout... take this into notice with everything else and you know this seems to be a scam. Anyway, why targeting AMD when they control less than 10% of the CPU business? And if you look at past Intel actions, this would fit perfectly.

    https://youtu.be/osSMJRyxG0k?t=20m47s

    Mother of All Program was a disgusting tactic that screwed the customers over pure capitalism interest.
  31. "For the attacks to work, an attacker must
    first obtain administrator access to a targeted network, Guido said."

    For the car thief to steal the car, the car thief must first obtain the car key
    and access to the car, Common Sense said.
  32. Anyone can gain fame and fortune (maybe) from making the exact same dubious statements about Intel SGX, PTT, and ME tomorrow. What exactly is new or novel about these AMD vulnerabilities?

    CTS-Labs' report is raising more red flags than it is raising legitimate concerns. I want to see technical details. Until then, CTS-Labs appears to have ulterior motives and a lack of trustworthy credentials. I think they're just trying to cash in on all the SPECTRE and MELTDOWN news by proclaiming another set of headline-grabbing vulnerabilities. RYZENFALL, FALLOUT, and MASTERKEY look like features to me -- powerful features that could be used for nefarious purposes in the wrong hands, or wielded for legitimate purposes.

    CHIMERA is the only one that concerns me. The lack of technical details means it's hard to tell if that is a new concern or a mechanism to recover a locked or bricked device.
  33. Flaws galore on both platforms , it's just beginning.
  34. SR-71 Blackbird said:
    Flaws galore on both platforms , it's just beginning.


    The 13 Flaws are bogus.

    I try to access their site again, they took it down now.
    https://www.cts-labs.com/

    Its unclear if cts-labs and amdflaws websites was use for malicious reasons.

    As a Security Percolation, i recommended users who visited those 2 suspicious sites to check for malicious connections on your network

    -Certificate concern on their site and other
  35. Headline should have been "AMD targeted by shady claims of obvious stock manipulators"

    The Linked-In of the CTS "CEO" is pretty weak for any Tech Executive and the accounts of the others in the claimed company look like fakes.

    The disclaimer basically says "We are low rent stock manipulators."

    - Israel has a problem in the area of financial crime enforcement -
    the following from an Israeli Source (because they also have a problem of being targeted by anti-Semitic slurs)

    https://www.timesofisrael.com/former-top-fbi-officer-warns-israeli-law-enforcement-lax-reforms-needed/
  36. Wow, just when AMD is announcing their 2000 series the 2700, 2700x and more, here comes news with AMD getting one day's warning.

    Does that Israeli company work for Intel? The timing and buffer for disclosure is 24 hours.

    There is a double standard somewhere.
  37. Headline should have "unverified" in it from the start.. Anyway the article itself is going to have to be updated again soon as this story unravels.
  38. I say we sue the small Israeli company for putting us AMD CPU users in danger by not giving AMD the normal 90 day period to correct the issue(s).
  39. alextheblue said:
    Headline should have "unverified" in it from the start.. Anyway the article itself is going to have to be updated again soon as this story unravels.

    Dan Guido from Trail of Bits and Gadi Everon from Cymmetria have apparently confirmed the exploits. All variants require root/admin access to exploit first to install the drivers required to gain direct access to hardware.
  40. JQB45 said:
    I say we sue the small Israeli company for putting us AMD CPU users in danger by not giving AMD the normal 90 day period to correct the issue(s).


    Its probably a verbal retaliation against United States / Donald Trump
  41. Looks like B.S. Smells like B.S. Must be B.S....
  42. Viceroy has already been "interested" in South African companies:
    https://twitter.com/cataclysmza/status/973621504427651072
  43. The report is very questionable.
  44. "Ryzenfall".... Security company? More like... hilarious pun company, amirite guys?

    In any case, it will be interesting to watch the rise and fall of Ryzenfall. I'M SORRY, I COULDN'T RESIST!
  45. Intel hack job???
  46. Intel hack job?????? 24 hrs notice.
  47. LOL!!! I really never thought Intel could stoop so low, but now I'm glad I never spent too much dough on them. Using Ryzens now and I have no complaints what so ever. Seems like the Shylock hasn't taken too well to loosing a little loose change from his wallet. Bad losers Intel.
  48. Hi Guys,

    I think it is nVIDIA's doing.... Intel is the obvious one to blame, though AMD has a better relationship with Intel now, with their GPU's going into Intel chips and all... and nVIDIA is the one to gain the most from a damaged Intel-AMD relationship.

    Also please read the below article, it seems like nVIDIA is the one that might be butthurt here... :)))

    https://www.hardocp.com/article/2018/03/07/geforce_partner_program_impacts_consumer_choice
Ask a new question

Read More

AMD Processors Security