13 Security Vulnerabilities and Manufacturer Backdoors Exposed In AMD Ryzen Processors

Published by

Click here to post a comment for 13 Security Vulnerabilities and Manufacturer Backdoors Exposed In AMD Ryzen Processors on our message forum
https://forums.guru3d.com/data/avatars/m/258/258664.jpg
Can't help but remember all the red team's fanboys crying out for Spectre and Meltdown and how AMD's CPUs are totally secure etc.
https://forums.guru3d.com/data/avatars/m/55/55855.jpg
Ouch!
https://forums.guru3d.com/data/avatars/m/188/188114.jpg
Can't help but think this is becoming a hunt... Intel and AMD sponsoring these sudden exploit finds. Suddenly a lot of exploits come to surface. Also to be on topic, should they have warned AMD of these exploits before going public ?
https://forums.guru3d.com/data/avatars/m/197/197287.jpg
fantaskarsef:

Can't help but remember all the red team's fanboys crying out for Spectre and Meltdown and how AMD's CPUs are totally secure etc.
It's 2018 and it's software/hardware. There will never be a time that there are no vulnerabilities. That being said, a vulnerability that lasts 10+ years is pretty sad.
Spider4423:

Also to be on topic, should they have warned AMD of these exploits before going public ?
^ This. If they didn't, and i don't know if they did or didn't, then the real people allowing vulnerabilities to be exploited are the people who make this information public knowledge. I'm not saying the public should never know about this, obviously they should, but considering the fact there's nothing for the public to do in these issues, either intel or AMD, then the information should be announced after they have been fixed, unless there is something that can be done for temporary reasons to halt the exploit on the user end.
https://forums.guru3d.com/data/avatars/m/258/258664.jpg
Aura89:

It's 2018 and it's software/hardware. There will never be a time that there are no vulnerabilities. That being said, a vulnerability that lasts 10+ years is pretty sad.
That being said, a vulnerability that takes 10+ years to detect / exploit is not as sad as one discovered in a relatively new architecture, no? πŸ˜‰
https://forums.guru3d.com/data/avatars/m/197/197287.jpg
fantaskarsef:

That being said, a vulnerability that takes 10+ years to detect / exploit is not as sad as one discovered in a relatively new architecture, no? πŸ˜‰
Depends on how long they were being used. No one realistically can say for certain that any issue were not being abused before it was "discovered". Though again, 10+ years means the whole CPU has not been overhauled in 10+ years, which is simply sad.
data/avatar/default/avatar25.webp
Doesn't it seem really strange that this was announced on the 1 year anniversary of Ryzen and just happens to have a splashy website name and advertisement style videos? The flaws are probably legit but someone is out for publicity on this one.
https://forums.guru3d.com/data/avatars/m/105/105757.jpg
Check calendar......Hmmm... Not April 1st..... Oh feck! Can someone, anyone, please make a secure processor? Is it even possible?
data/avatar/default/avatar05.webp
Being an Intel fanboy, I will now demonstrate how a mature person steps up instead of screaming insults: Components/hardware/software have vulnerabilities. They all do; those that are known, those that are unknown, it is just the way it is. All we need is the companies to step up and do what they can to mitigate and accountability for those responsible if they covered it up thus endangering end users. AMD has some really great products right now at competitive prices and this shouldn't be seen as a deterrent.
data/avatar/default/avatar18.webp
They did post a disclaimer stating it is their opinion not fact. Legal Disclaimer BACK TO SITE CTS is a research organization. This website is intended for general information and educational purposes. This website does not offer the reader any recommendations or professional advice. **The opinions expressed in this report are not investment advice nor should they be construed as investment advice or any recommendation of any kind. It summarizes security vulnerabilities, but purposefully does not provide a complete description of such vulnerabilities to protect users, such that a person with malicious intent could not actually exploit the vulnerabilities and try to cause harm to any user of the products described herein. Do not attempt to exploit or otherwise take advantage of the security vulnerabilities described in the website. The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents. You may republish this website in whole or in part as long as CTS is clearly and visibly credited and appropriately cited, and as long as you do not edit content. Although we strive for accuracy and completeness to support our opinions, and we have a good-faith belief in everything we write, all such information is presented "as is," without warranty of any kind– whether express or implied – and CTS does not accept responsibility for errors or omissions. CTS reserves the right to change the contents of this website and the restrictions on its use, with or without notice, and CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate.
data/avatar/default/avatar21.webp
We really need a lot more information...they "supposedly" gave AMD notice but only 24 hours before this "news" was published...when standard practice is 90 days. Just saying.
https://forums.guru3d.com/data/avatars/m/150/150085.jpg
Let set a few things straight about this as I'm no fan of AMD CPUs. Haven't had one in years but I find this a bit suspect. This is a no-name startup that simply pops out of nowhere. They have professional PR representation, videos, ads, and a dedicated info weblink that's hyperbol towards AMD? And no one caught this? https://amdflaws.com/. <---LOL ok it must be legit From what I've read this rogue group gave AMD less than 24 hours to look at the vulnerabilities and respond before this was published for all to see in it's glory. From watching videos about journalism the standard vulnerability disclosure calls for 90 days notice, so companies have time to address flaws and respond about it. This in of itself makes the claims shady and unethical even if what they claim is remotely true. This is a huge conflict of interest how and when this is presented. But what I also found interesting is the fact that this comes from the same area in Israel where Intel has facilities for their core design teams and manufacturing plants Nah, that must be just a coinkydink right? Or perhaps made to look like a coinkydink. I find this report regardless if true or not true to be incredibly disingenuous. And won't be surprised if the bread crumbs lead back to a conspirator causing drama. I am not fully convinced this is from Intel either. As it's way to obvious. That's also a red flag.
https://forums.guru3d.com/data/avatars/m/16/16662.jpg
Administrator
The timing of this whitepaper, website release and even press-releases on pro PR agencies like BusinessWire are just so suspicious. It feels like it was deliberately released as a payload, to create damage. This research is extensive - it likely has been funded in full, as the scope of it goes very deep, months if not an entire year of work maybe even? Yesterday AMD had their one year Ryzen anniversary, they're about to launch Zen+ as well. So who benefits from all this the most? It's pure speculation, but didn't Intel have activities in Israel as well? Yep, they invested $15 billion in a plant, and let me quote the Intel CEO: β€œWe think of ourselves as an Israeli company as much as a US company,” Krzanich said at a Jerusalem press conference" It's not an accusation, but come on, it is suspicious. Also, CTS was founded as a privately held company in... 2017. Regardless of that remark, if the vulnerabilities are for real they, of course, should be out in the open. But only after AMD would have had enough time for this.
https://forums.guru3d.com/data/avatars/m/115/115235.jpg
This is shady af, and should be taken with a huge grain of salt. The white paper ends saying all of these "vulnerabilities" require admin level privleges. Seems like a complete smear job to me.
https://forums.guru3d.com/data/avatars/m/247/247876.jpg
The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing this report.
Does that sound like a ransom blackmail? What is the point to give 24 hours?
https://forums.guru3d.com/data/avatars/m/105/105985.jpg
I hope this is not to hard to fix if its true
https://forums.guru3d.com/data/avatars/m/270/270792.jpg
Is that you Intel? Lol. I'm using my I5 fearlessly,, but keeping a backup.;)
https://forums.guru3d.com/data/avatars/m/243/243702.jpg
Less than 24 hours from letting AMD know till sending it out = malicious intent.
data/avatar/default/avatar01.webp
Hilbert Hagedoorn:

but didn't Intel have activities in Israel as well? Yep, they invested $15 billion in a plant,
Both AMD and Intel are US companies, surely thats evidence that they are one and the same and secretly working together? Please, countries are big places. If this was a US company, you would certainly not try to make this alleged connection, despite Intel being in the US? And for all that "only 24 hours" BS, the typical 90 day guideline really only applies to releasing technical information on the exploits, so that companies have time to fix it before it goes public. This did not happen here, no technical information has been made public.