
Severe Security Advisory on AMD Processors - wila
https://amdflaws.com/
======
willvarfar
Very heavy on fear and branding, light on technical detail...

Its very interesting to contrast this to the way Spectre and Meltdown were
'marketed'. They had fancy websites too, but not quite as blandly corporate
sanitized as this one, and both actually focused quite a lot on the names of
the security researchers who had found it, and went into details.

Whereas this is just trying to get the public to put pressure on AMD and to
get corporate purses to commission CTS-Labs reports.

Will be interesting when the details become public.

------
b3lvedere
"The Promontory chipset is powered by an internal microcontroller that manages
the chip's various hardware peripherals. Its built-in USB controller is
primarily based on ASMedia ASM1142, which in turn is based on the company's
older ASM1042. In our assessment, these controllers, which are commonly found
on motherboards made by Taiwanese OEMs, have sub-standard security and no
mitigations against exploitation. They are plagued with security
vulnerabilities in both firmware and hardware, allowing attackers to run
arbitrary code inside the chip, or to re-flash the chip with persistent
malware. This, in turn, could allow for firmware-based malware that has full
control over the system, yet is notoriously difficult to detect or remove.
Such malware could manipulate the operating system through Direct Memory
Access (DMA), while remaining resilient against most endpoint security
products."

So because a design was based of a design based of a design it may be
vulnerable to all kinds of attacks.

Am i following these assumptions correctly?

Promontory -> ASMedia ASM1142 -> ASM1042 -> these are wrong

------
EtDybNuvCu
Not sure whether this is being hyped extra due to Intel's desire to tar and
feather AMD. Certainly, the FUD around where AMD's chips are made is other-
than-honest, and many parts of the paper are blatantly speculative.

One part of the paper claims that AMD's use of East Asian IP is inherently
inferior and established IP-based backdoors in Ryzens. With such a bold claim,
put up or shut up, please.

Nonetheless, the vulns appear real, but without PoC, all CTS has here is
vapor, and they don't even have PoCs internally for all of the exploits which
they claim to be documenting.

------
detuur
Anything that describes itself as a "severe security advisory", but doesn't
come with a CVE entry up front is really shady.

There's no disclosure timeline. Was AMD ever informed of the "vulnerabilities"
and if so, when, and what their responses were? Nothing suggests as such.

There's no concise explanation of the risk. What exactly is the danger here?
The website only shouts in my face that everything is wrong but not how.

The name "Ryzenfall" really sounds like they came up with the name first and
looked for a vulnerability second.

The phrasing of "Severe Security Advisory" is deceptive. Sounds like it's
coming from AMD, it's not.

Lots of smoke, a tonne of it actually. But I don't see anything else to
suggest there's actually a fire.

------
sonamor
This site seems really scammy. Another attempt to deflate stock?

[https://www.thestreet.com/video/14469681/jim-cramer-on-
amd-t...](https://www.thestreet.com/video/14469681/jim-cramer-on-amd-there-s-
a-concerted-effort-to-keep-the-stock-lower.html)

~~~
willvarfar
Well CTS-Labs seems to be an Israeli "cyber-security" consultancy, and I can't
find more back-history than that. They do seem to have got the story into
businessinsider and cnet etc already in the past hour - these are the only
CTS-Labs hits I find on google.

~~~
kakwa_
the whois on their domain is bit weird:

Registrant Organization: Domains By Proxy, LLC

~~~
dogma1138
It’s GoDaddy’s domain privacy.

------
rdl
So, the access required seems to be: 1) MASTERKEY: Reflash UEFI BIOS (local
access, or defeat the specific BIOS, such as from AMI) 2) RYZENFALL: defeats a
bunch of TPM and other secure boot/etc. stuff. Even in 2018 a lot of this is
unused, and should never be your only security 3) FALLOUT: allows defeating
some bootloader security, but isn't a big deal except on some locked down
endpoints. 4) CHIMERA: some kind of chipset backdoor requiring local root.
Unclear how big a deal this is due to access required.

Overall, even if these are real, they're not showstoppers. If your security
depends on TPM/etc., you're screwed anyway. They do allow local malware to do
worse things, and might require some mitigations in shared environments, but
it's mostly stuff you should already have protected in those settings anyway.

~~~
snuxoll
If your security depends on a TPM you should be using a proper hardware TPM
and not the fTPM running on the PSP, even my gaming-oriented Crosshair VI Hero
motherboard has headers for a hardware TPM.

------
rdl
This is the slickest/weirdest branding for a security vulnerability that I've
ever seen. There's basically zero information on the site itself except
something like: "if you use AMD devices, don't use them, and AMD is
incompetent", although the whitepaper has more content (which I'm now
reading).

On its face I'd generally accept that the security features on AMD are
bypassable, but I don't think any of the current x86 platforms are really
suitable for anything except dedicated system for a given customer or security
level ("system-high").

Multi-tenant/cloud are nice, convenient, and less expensive, but I'd want to
depend on as few of the security features as possible.

------
mtgx
I'm not trying to dismiss this outright, but what is this? Is this a hoax or
real? Because from the name of the site to the whitepaper, it all smells
rather fishy. I also read on Reddit that they only told AMD 24h before
disclosure, even though all of these vulnerabilities are supposed to be
"public knowledge" anyway?

> It summarizes security vulnerabilities, but purposefully does not provide a
> complete description of such vulnerabilities to protect users, such that a
> person with malicious intent could not actually exploit the vulnerabilities
> and try to cause harm to any user of the products described herein. Do not
> attempt to exploit or otherwise take advantage of the security
> vulnerabilities described in the White Paper.

> The report and all statements contained herein are opinions of CTS and are
> not statements of fact. To the best of our ability and belief, all
> information contained herein is accurate and reliable, and has been obtained
> from public sources we believe to be accurate and reliable. Our opinions are
> held in good faith, and we have based them upon publicly available facts and
> evidence collected and analyzed, which we set out in our research report to
> support our opinions. We conducted research and analysis based on public
> information in a manner that any person could have done if they had been
> interested in doing so

~~~
pault
Someone shorting AMD?

~~~
MulliMulli
Looks like it!

"Advanced Micro Devices (NASDAQ: AMD) shares are active as Viceroy Research
has come out negative on the stock, saying it could become worthless.

Viceroy made the comments after analyzing CTS Labs' report exposing fatal
security vulnerabilities across AMD products.

"Viceroy, in consultation with experts, have evaluated CTS’s report. We
believe the issues identified by CTS are fatal to AMD on a commercial level,
and outright dangerous at an international level," the report said.

It was added, "We believe AMD is worth $0.00 and will have no choice but to
file for Chapter 11 (Bankruptcy) in order to effectively deal with the
repercussions of recent discoveries."

Viceroy will discuss the short call on CNBC's Halftime Report at noon."

[https://www.streetinsider.com/Analyst+Comments/Viceroy+Resea...](https://www.streetinsider.com/Analyst+Comments/Viceroy+Research+Negative+on+Advanced+Micro+Devices+%28AMD%29/13937313.html)

~~~
kevin_b_er
Is CTS connected to Viceroy?

------
enzo1982
Looks like some teenagers [1] and a PR company [2] are doing some marketing or
market manipulation stunt...

Note that the site of that "Cyber Security Consultancy Firm" does not even
support HTTPS. :))

[1] [http://cts-labs.com/management-team](http://cts-labs.com/management-team)
[2] [http://www.bevelpr.com](http://www.bevelpr.com)

------
nottorp
Screams "scareware" and "financed by Intel"...

------
ken47
These are interesting "security flaws," given the level of access an attacker
needs to exploit these.

I wonder what (other) security professionals have to say about this white
paper.

~~~
tjwds
Also curious that "safefirmware.com" — where the whitepaper is hosted —
doesn't seem to have any history whatsoever.

~~~
dogma1138
CTS will be launching a firmware security analysis service/tool for the
enterprise market in the coming months this is likely a PR domain for that,
and also likely the reason behind this whole "campaign".

It's similar to what Peach (Fuzzer) did after they've (co)"discovered"
Heartbleed however that was handled much better.

------
rlabrecque
This is such a weird site.

> amdflaws.com

> This site is maintained by CTS-Labs. By accessing the contents of this
> website, you confirm that you have read our full disclaimer.

The white paper seems non standard too, where's the disclosure timeline, etc?

------
jakewins
"Exploitation requires that an attacker be able to run a program with local-
machine elevated administrator privileges."
[https://safefirmware.com/amdflaws_whitepaper.pdf](https://safefirmware.com/amdflaws_whitepaper.pdf)

I wish Intel would invest in fixing their CPUs instead of doing this.

~~~
dogma1138
The PSP MIMO registers and the driver are exposed in VMs at least on the
Pro/Epyc platform because the PSP is needed for SEV-KM which is used to manage
the keys for memory encryption if these are sufficient this will be a big
problem for cloud/vm deployments.

------
b3lvedere
AMD's response ([http://ir.amd.com/news-releases/news-release-details/view-
ou...](http://ir.amd.com/news-releases/news-release-details/view-our-corner-
street-0) / [http://ir.amd.com/ir-blog](http://ir.amd.com/ir-blog)) :

"We have just received a report from a company called CTS Labs claiming there
are potential security vulnerabilities related to certain of our processors.
We are actively investigating and analyzing its findings. This company was
previously unknown to AMD and we find it unusual for a security firm to
publish its research to the press without providing a reasonable amount of
time for the company to investigate and address its findings. At AMD, security
is a top priority and we are continually working to ensure the safety of our
users as potential new risks arise. We will update this blog as news
develops."

Dan Guido
([https://twitter.com/dguido/status/973628933034991616](https://twitter.com/dguido/status/973628933034991616))
claims:

"Regardless of the hype around the release, the bugs are real, accurately
described in their technical report (which is not public afaik), and their
exploit code works."

------
baybal2
>Media Inquiries - Jessica Schaefer, BevelPR: Jessica@bevelpr.com

I think this is self explanatory

------
HugoDaniel
Were they given a heads-up of 7 months ?

------
kuschku
The vulnerabilities all sound like

> we have another instance of MS07-052: Code execution results in code
> execution.

------
jaunkst
"fakenews.com"

~~~
jaunkst
It looks like they are trying to drum up business

------
deepnotderp
-_-

At one point they straight up assert that Taiwanese IP is inferior.

Edit: I own amd stock, make of that what you will

------
bhouston
This seems to be targeted at AMD's reputation primarily. Security seems to be
a secondary concern.

------
nfbush
Tweet [0] Says only 24Hrs notice given? can anyone confirm this?

[0]
[https://twitter.com/MalwareJake/status/973567705142853632](https://twitter.com/MalwareJake/status/973567705142853632)

~~~
guax
He appears to be trying to justify it, badly, by insinuating AMD did the same
by breaking the meldown/spectre embargo.
[https://twitter.com/MalwareJake/status/973569779419160576](https://twitter.com/MalwareJake/status/973569779419160576)

~~~
zaarn
These tweets to give the impression the team behind "AMDFlaws.com" are either

A) incompetent,

B) jerks or

C) all of the above

Post Scriptum: I've archived both tweets here;
[https://archive.is/bqQRT](https://archive.is/bqQRT)
[https://archive.is/z1wgy](https://archive.is/z1wgy)

Just in case.

------
kevin_b_er
At least one group looks to be an attack against AMD's equivalent of Intel
AMT.

~~~
snuxoll
The AMD PSP is akin to the Intel ME, AMT is a set of remote management tools
that happens to run _on_ the ME on supported systems - so not quite.

------
phyzome
From discussion I'm seeing elsewebs, this is _extremely_ suspicious.

------
yAnonymous
Whois protection. Very trustworthy source... not.

