Report Claims AMD Ryzen, EPYC CPUs Contain 13 Security Flaws

Status
Not open for further replies.

bit_user

Polypheme
Ambassador
CTS-Labs provided AMD with only a 24-hour notice.
This is extremely shady. What could be the purpose of making such an announcement, except to spread FUD in the market and put the brakes on AMD's sales momentum?

These guys are most likely funded by Intel or individuals with a strong financial stake in Intel.
 
Covered themselves with that disclaimer big time.

Whilst that's sensible for a firm like CTS (near a necessity), I would say the whole thing has very, very suspicious undertones.

I hope they have good lawyers if they're wrong; bringing Asus into the mix by name/brand as well is a very risky decision.
 
Mar 13, 2018
1
0
10
The lack of comprehensive tech detail of these flaws compared to Spectre and Meltdown, even in the white paper, plus the lack of notice to AMD to look into the claim of flaws, sounds fishy to me. It was not released in good faith and the disclaimer of "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports." speaks for itself. Economic interest. They likely have friends trading the stock and pushing conveniently for a short situation, seems like manipulation. Walks like fake news, talks like fake news...What is it?
 

JoeNM84

Honorable
Sep 1, 2012
4
0
10,510
Sounds like a rumor if there has been no evidence or sources listed. And given the short 24 hour notice it makes the whole thing a bit shady. Possibly to manipulate stock prices? Hopefully it's all false, or the vulnerabilities are easy/quick to fix.
 

bit_user

Polypheme
Ambassador
There's already a lot out there on debunking these overblown claims.

Interestingly, they registered the domain 19 days ago, so they surely could have started informing AMD of some of the issues back then.

One conjecture I've read is that it could be a simple stock market play - bet on AMD's share price to drop, then release a bunch of bad news.

I hope AMD has some grounds to sue them on the basis of misleading statements.
 

rwinches

Distinguished
Jun 29, 2006
888
0
19,060
Shame on Tom's for not having a huge, bold type, disclaimer at the top of this stating there is no real data to back this up.
Not even their tired 'grain of salt'
 

techy1966

Reputable
Jul 31, 2015
149
3
4,685
I was like LMAO at this crap....This is pure FUD at its best. All they, or whoever is paying them to do this, want is for AMD stocks to fall and sales to drop off as well. Seems a bit timely that this happens just before AMD's new CPU launch/refresh of Ryzen in April. I am thinking Intel or someone that has a stake in Intel is behind this. Problem is the damage is already done because all news sites and tubers will cover this like it is the Holy Gospel and plant the seed of FUD into everyone's minds. By the way, if this was true they would have been forced to give AMD the proper amount of time to get their crap together, not this 24 hour crapola...I really hope whoever is behind this gets sued big time and goes to jail.
 

tslot05qsljgo9ed

Distinguished
May 22, 2009
51
0
18,530
Quote: Possibly to manipulate stock prices?

That is exactly what it was, and from today's headlines for AMD and the initial sell-off you can see that it worked for a while. But then common sense and analysis showed that this was purely a figment of CTS-Labs' imagination.

The 24 hour notice along with the amdflaws.com web site clearly shows the skeeviness of CTS-Labs.
 
Israel, huh? Does Intel have a division in Israel that developed the Core processor?? Essentially the basis of Intel's modern processors. This is highly suspicious given the amount of time AMD had to respond.
 

none12345

Distinguished
Apr 27, 2013
431
2
18,785
Need to flash the bios, need a signed driver, need administrator access.....

If you have any of that you already have the keys to the kingdom and have access to everything.

This all seems extremely fishy. 24 hours notice, the domain name, the production videos, media briefing at the same time or possibly before notifying AMD, etc, etc. It seems like this was a planned hit piece.

Note I do not excuse security flaws. If there are legit flaws they need to be fixed. However, I'm personally not worried about any flaws that require root access; at that point the battle is already lost.
 
This doesn't pass the smell test. For something like this the vendor, AMD, should have at least 30 days notice before anything is announced. I put no merit in this at all. It almost feels like something a competitor would do as a back room deal to spread FUD.

EDIT1: The CFO of CTS-Labs is a hedge fund manager... Anyone short a lot of AMD stock today?

EDIT2: Check this out: the company photos are photoshopped stock photos (credit Singuy8888 on Anandtech forums): https://i.imgur.com/OkWlIxA.jpg
 
It seems possible until the statement that the flaws have existed for 6 years. Ryzen is an entirely new architecture and chipset and hasn't even been available for 6 years. While it's true that CPU development takes years, until release, AMD are the only ones that know anything about the arch and its vulnerabilities.

IIRC, Ryzen isn't based off Bulldozer and is entirely new. Unlike Intel's offerings, which are based on Core2 and have been tweaked and shrunken. Even Coffeelake is a heavily tweaked Core 2 uarch but with additional cores and smaller process. So major flaws affect multiple generations of CPUs.
 

Fluffy_Hedgehog

Commendable
Mar 11, 2016
12
0
1,510
Simple hit piece to affect short term stock price. All of those "vulnerabilities" are around the PSP, which is not even active in most cases.

But hey, it worked: prices dropped for a few hours, more than enough time to make millions with the right setup ...
 
It's possible that the flaws could be real, but who's to say that it wasn't someone like Intel who actually discovered them, perhaps while researching Spectre and Meltdown's effects on other processors, then sat on the data for months before paying a small company to make a sudden announcement about it shortly before AMD's next generation of processors launch. It does seem suspicious that a company would only provide a day's notice before making an announcement about their findings, not even enough time for AMD to properly look into the matter and determine whether there's a real concern, let alone be able to announce any course of action about it.
 

wownwow

Commendable
Aug 30, 2017
37
1
1,535
No address, no land line, 4 cheap, Israelis (drinking Intel milk?), being set up in 2017 (likely after Intel's "Meltdown inside" in June), ..., but just a website ($4.95/month) and a mobile number +1-585-233-0321 :-D ... :-D

Intel, the CPU God = 4 cheap, Israelis drinking the God's milk :-D ... :-D

tomshardware --> tomsfairytale?
 

salgado18

Distinguished
Feb 12, 2007
928
373
19,370
We all know this is ill-intended, but we also are tech people. This goes into the regular news, common folks will be scared and will back away from AMD. Fake news works wonders in social media these days.

I hope it's false, and if it is, I hope AMD sues them into oblivion.
 
Mar 13, 2018
12
0
10
Need to flash the bios, need a signed driver, need administrator access.....

Security flaws that require root access? I'm not sure Intel (Read: CTS-Labs) understand what security means...

Giving 24 hours notice, when you are required to provide at least 90 days notice. Where was the good faith in that? For Spectre/Meltdown, researchers gave 200 days notice. THAT is good faith...!

Shame on Tomsfairytale for propagating this without any reasonable warning. FFS these guys don't even have evidence of what they're saying... :))
 

InvalidError

Titan
Moderator

Ryzen may be new but AMD's partnership with ASMedia for chipsets isn't. Since some of the flaws are about the ASMedia chipsets, those can certainly be several years older than Ryzen.
 

Giroro

Splendid
Hey guys, just discovered yet another AMD vulnerability.

They are vulnerable to hammers. Normal operation of any modern AMD processor can be disrupted if a hammer is used to impart a measured impulse directly to the integrated memory controller. The effect is permanent and the flaw has been known for over 15 years. Physical access is necessary unless used in conjunction with PAYSOMEBODYTODOIT. No known security software can fix or prevent this style of attack. My security researchers have confusingly named this new architectural flaw BUYINTELNOW.
 


Sure, but this finding is not legitimate on any level. No real security researcher would give a chip maker 24 hours notice. The standard is 90 days notice or more for hardware flaws, i.e. 6 months for Spectre/Meltdown. This is a plain and simple targeted hit. I doubt it was a competitor as it won't stand up long, so it's likely a stock market related scam. See my post above: they are using stock green screen photos, the links on the site are utter garbage, the site is almost entirely other people's content, i.e. a lot of copy paste and links to documents/standards, and the fact they gave no notice, this just smells profoundly terrible. Until these are validated by a 3rd party I think everyone should treat these as non-credible findings.
 