It's very interesting to contrast this to the way Spectre and Meltdown were 'marketed'. They had fancy websites too, but not quite as blandly corporate sanitized as this one, and both actually focused quite a lot on the names of the security researchers who had found it, and went into details.
Whereas this is just trying to get the public to put pressure on AMD and to get corporate purses to commission CTS-Labs reports.
Will be interesting when the details become public.
So because a design was based off a design based off a design it may be vulnerable to all kinds of attacks.
Am I following these assumptions correctly?
Promontory -> ASMedia ASM1142 -> ASM1042 -> these are wrong
One part of the paper claims that AMD's use of East Asian IP is inherently inferior and established IP-based backdoors in Ryzens. With such a bold claim, put up or shut up, please.
Nonetheless, the vulns appear real, but without PoC, all CTS has here is vapor, and they don't even have PoCs internally for all of the exploits which they claim to be documenting.
There's no disclosure timeline. Was AMD ever informed of the "vulnerabilities" and if so, when, and what were their responses? Nothing suggests as such.
There's no concise explanation of the risk. What exactly is the danger here? The website only shouts in my face that everything is wrong but not how.
The name "Ryzenfall" really sounds like they came up with the name first and looked for a vulnerability second.
The phrasing of "Severe Security Advisory" is deceptive. Sounds like it's coming from AMD, it's not.
Lots of smoke, a tonne of it actually. But I don't see anything else to suggest there's actually a fire.
Registrant Organization: Domains By Proxy, LLC
Overall, even if these are real, they're not showstoppers. If your security depends on TPM/etc., you're screwed anyway. They do allow local malware to do worse things, and might require some mitigations in shared environments, but it's mostly stuff you should already have protected in those settings anyway.
On its face I'd generally accept that the security features on AMD are bypassable, but I don't think any of the current x86 platforms are really suitable for anything except a dedicated system for a given customer or security level ("system-high").
Multi-tenant/cloud are nice, convenient, and less expensive, but I'd want to depend on as few of the security features as possible.
> It summarizes security vulnerabilities, but purposefully does not provide a complete description of such vulnerabilities to protect users, such that a person with malicious intent could not actually exploit the vulnerabilities and try to cause harm to any user of the products described herein. Do not attempt to exploit or otherwise take advantage of the security vulnerabilities described in the White Paper.
> The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so
"Advanced Micro Devices (NASDAQ: AMD) shares are active as Viceroy Research has come out negative on the stock, saying it could become worthless.
Viceroy made the comments after analyzing CTS Labs' report exposing fatal security vulnerabilities across AMD products.
"Viceroy, in consultation with experts, have evaluated CTS’s report. We believe the issues identified by CTS are fatal to AMD on a commercial level, and outright dangerous at an international level," the report said.
It was added, "We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries."
Viceroy will discuss the short call on CNBC's Halftime Report at noon."
The entire website is fishy to the point that I can basically smell it.
Note that the site of that "Cyber Security Consultancy Firm" does not even support HTTPS. :))
I wonder what (other) security professionals have to say about this white paper.
There's a big difference between a break and enter, and "The airbnb guest stole my lamp when he left!"
It's similar to what Peach (Fuzzer) did after they (co)"discovered" Heartbleed; however, that was handled much better.
There are a good number of red flags all over this site, including the non-existent disclosure timeline; I would say the chance this is for real is basically 0.
> This site is maintained by CTS-Labs. By accessing the contents of this website, you confirm that you have read our full disclaimer.
The white paper seems non-standard too; where's the disclosure timeline, etc.?
I wish Intel would invest in fixing their CPUs instead of doing this.
"We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops."
Dan Guido (https://twitter.com/dguido/status/973628933034991616) claims:
"Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works."
I think this is self-explanatory.
> we have another instance of MS07-052: Code execution results in code execution.
At one point they straight up assert that Taiwanese IP is inferior.
Edit: I own AMD stock, make of that what you will.
It is a matter of time before the over-dramatization of security flaws becomes weaponized by vendors against competitors. If a side-effect is that building actual secure software and hardware becomes a ship requirement, what the hell; let everyone burn each other.