Slashdot Mirror


Researchers Find Critical Vulnerabilities in AMD's Ryzen and EPYC Processors, But They Gave the Chipmaker Only 24 Hours Before Making the Findings Public (cnet.com)

Alfred Ng, reporting for CNET: Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer. CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly. An AMD spokesperson said, "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings." Zack Whittaker, a security reporter at CBS, said: Here's the catch: AMD had less than a day to look at the research. No wonder its response is so vague.

13 of 195 comments

  1. Sponsored by, Intel! (R) by Anonymous Coward · · Score: 5, Interesting

    ... someone needs to dig (deep) into who registered the amdflaw domain and who is funding this.

    1. Re:Sponsored by, Intel! (R) by sinij · · Score: 5, Interesting

      Yes, a couple of days to respond is a hit job and not a responsible disclosure. However, if AMD and Intel get into "flaw disclosure" wars, the only winner will be consumers. This is not a bad thing.

    2. Re:Sponsored by, Intel! (R) by Lonewolf666 · · Score: 3, Interesting

      Yes, the combination of publication within a day and registering an AMD-denigrating domain for the purpose stinks. As others have written already, it looks like a PR hit job.

      With a quick Google search (5 minutes) I could also find nothing substantial about CTS Labs. They have a professional looking website with quite a bit of Bullshit Bingo appeal, and a contact e-mail address on it.
      Otherwise not much:
      - no postal address
      - no references from past projects
      One might wonder if this is more than a shell company ;-)

      --
      C - the footgun of programming languages
    3. Re:Sponsored by, Intel! (R) by DarkOx · · Score: 3, Interesting

      We could be using single cycle machines with no pipe-lining, in order execution and several megabytes of SRAM.

      They would be slow but they could be secure by now. We chose fast and cheap over reliable.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:Sponsored by, Intel! (R) by Burz · · Score: 3, Interesting

      Have to agree that the intent behind this super-fast disclosure looks malicious. It follows that the research was probably undertaken with malicious intent as well.

      A very large chunk of Intel's operations are based in Israel, so that is one possible motivation for Israelis to go after AMD, which is based in the EU. It's widely known that the EU fined Intel over a $billion for threatening PC makers to avoid using too many AMD chips in PC products. There is revanchism and monopolist warfare going on here.

  2. Follow the money by spaceman375 · · Score: 3, Interesting

    In collusion with intel or not, I'd bet these "researchers" have bought a bunch of intel stock over the last few months.

    --
    On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
  3. Re:trying to make a name for themselves... by bluefoxlucid · · Score: 3, Interesting

    I used to be a full disclosure guy.

    I grew up.

  4. Re:Not quite comparable to Intel's snafu by sl3xd · · Score: 3, Interesting

    Saying they aren't on par with Spectre or Meltdown is missing the point - it's an apples to oranges comparison, just like IME's many problems aren't comparable to Spectre or Meltdown.

    It's not clear that firmware updates can fix it -- it depends on whether it's something that can be updated in firmware. Many security-critical hardware designs don't allow firmware updates, because at that stage modifiable firmware is a security hole in and of itself.

    At the end of the day, it sounds like AMD's Secure Processor has similar problems as Intel's Management Engine. It's not exactly unexpected, as every remote management 'feature' of the type has historically been riddled with security holes, regardless of vendor.

    I can't help but wonder, though, what the source of "24 hours notice" is; the articles I saw don't explain. I recall in years past there were cases where researchers tried for months to get Microsoft to take their claims seriously. Microsoft wouldn't even acknowledge them, and when the researchers released it as a zero-day, Microsoft shrieked that they weren't given any notice...

    If AMD really was only given 24 hours notice, it was outrageously unprofessional and unethical behavior by the research company.

    Honestly, I'm more willing to believe corporate America would lie in an attempt to CYA than researchers would act in a way so unethical that nobody will work with them in the future.

    --
    -- Sometimes you have to turn the lights off in order to see.
  5. They shortened AMD stocks by xxxLCxxx · · Score: 3, Interesting

    Looks like somebody has shortened AMD stocks. This should be under investigation soon.

    From reddit.com:

    FRANKFURT, March 12 (Reuters) - German financial watchdog Bafin said on Monday that short-seller Viceroy Research breached German securities law with a research report on ProSiebenSat.1 as it did not notify the regulator of its activities.

    Under German law, any entity that is not a securities firm, a fund manager, an EU administrative firm or an investment company that intends to publish recommendations on investments in assets must notify Bafin ahead of time, it said.

    It also said Viceroy’s website did not contain information on where the company was based.

    ProSieben last week rejected a critical report by Viceroy that led to a drop in its share price by as much as 9 percent, saying the allegations of questionable accounting contained in it were "unfounded and distorting reality". (Reporting by Maria Sheahan; Editing by Arno Schuetze)

  6. Not a vulnerability by FeelGood314 · · Score: 5, Interesting

    This is both an attack on AMD (and possibly their stock price) and a way for the researchers to get publicity. This happens way too often, just this time it got more publicity than usual. What happens is researchers looking to make a name for themselves find what they think could sound like an exploit; the fact that it might already be public knowledge or hell, even the way a device is supposed to work (e.g. exploit needs signed drivers and physical access) doesn't matter. Usually the "researchers" aren't very good. They use automated tools to scan for a vulnerability that they don't really understand, and when you respond that "yeah, that 32 bit signed/unsigned error might be exploitable if you send me a buffer with 2^31 + 7 bytes of data to a process on an old 32 bit server, but since the process only has 2GB of memory, good luck."* The researchers intentionally published right away so that the organization they are attacking doesn't have time to respond. The researchers didn't want a response because they knew the response would be "fuck off, this isn't a vulnerability!"

    *yes, I had this conversation.
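The "32 bit signed/unsigned error" the commenter describes is a real bug class, even when a given instance is not exploitable: a wire length copied into a signed int turns a value of 2^31 or more negative, so an upper-bound check passes and the negative value is later handed to memcpy as a huge size_t. The example below is added here by the editor; it is not code from the page, from CTS-Labs or from AMD. The 4-byte length prefix, the MAX_MSG limit and the function names are the editor's own assumptions, chosen only to show the buggy check beside its hardened form.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical maximum body size a parser is willing to accept. */
#define MAX_MSG 4096u

/* Constructed 4-byte big-endian length prefix, as a framing header would carry it. */
uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Buggy check: the unsigned wire length is stored in a signed 32-bit int.
 * Any value >= 2^31 becomes negative (this conversion wraps on every
 * mainstream compiler), so the "too big" test never fires for it. */
bool length_ok_signed(uint32_t wire_len)
{
    int len = (int)wire_len;          /* 0x80000007 -> -2147483641 */
    if (len > (int)MAX_MSG)
        return false;                 /* a negative len never reaches here */
    /* A caller would now memcpy(buf, body, (size_t)len): on a 64-bit host
     * that is 0xFFFFFFFF80000007 bytes, on a 32-bit host 2^31 + 7 bytes. */
    return true;
}

/* Hardened check: keep the length unsigned for the whole comparison, so the
 * only values that pass are exactly those in [0, MAX_MSG]. */
bool length_ok_unsigned(uint32_t wire_len)
{
    return wire_len <= MAX_MSG;
}

/* The commenter's point in numbers: how many bytes the attacker must actually
 * deliver to use a given wire length, i.e. the length itself. */
uint64_t bytes_attacker_must_send(uint32_t wire_len)
{
    return (uint64_t)wire_len;
}

int main(void)
{
    /* Constructed header: 0x80000007 = 2^31 + 7, the value from the comment. */
    const uint8_t hdr_evil[4] = { 0x80, 0x00, 0x00, 0x07 };
    const uint8_t hdr_ok[4]   = { 0x00, 0x00, 0x01, 0x00 };   /* 256 bytes */
    uint32_t evil = read_be32(hdr_evil), ok = read_be32(hdr_ok);

    printf("len=%u  signed check: %s  unsigned check: %s\n", evil,
           length_ok_signed(evil)   ? "accept" : "reject",
           length_ok_unsigned(evil) ? "accept" : "reject");
    printf("len=%u  signed check: %s  unsigned check: %s\n", ok,
           length_ok_signed(ok)   ? "accept" : "reject",
           length_ok_unsigned(ok) ? "accept" : "reject");
    printf("bytes the attacker must actually send for len=%u: %llu\n", evil,
           (unsigned long long)bytes_attacker_must_send(evil));
    return 0;
}
```

The signed version accepts 2^31 + 7 and rejects 5000, which is exactly backwards; the unsigned version rejects everything above MAX_MSG. Whether the buggy check is worth a report still depends on the surrounding code and platform, which is the commenter's argument; the fix is the same either way.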

  7. 24 hours heads up? by JonathanP.Bennett · · Score: 1, Interesting

    Such a quick turnaround between private and public disclosure means one of two things.

    First possibility: They're not interested in responsible disclosure. Likely. As others have pointed out, they get more noise for their findings this way.

    Second possibility: They know these vulnerabilities are being actively exploited. Not as likely, but a real possibility, and way more worrying.

  8. Re:trying to make a name for themselves... by MachineShedFred · · Score: 4, Interesting

    The sentence on the web site was probably edited from:

    "Due to the sensitive nature of security vulnerabilities, we usually work under strict mutual NDAs with our customers to ensure maximum safety and privacy. If you would like to become one of our customers by handing over a signed NDA and a fat bag of money, you can contact us at the following email address. Should we find a flaw in a product that is not produced by one of our NDA partners, we'll first ask them for a fat bag of money, and if they don't immediately capitulate, we'll be publishing their dirty laundry as 'full disclosure with previous notification'."

    Somehow I have a feeling that the "disclosure" to AMD included the offer of a mutual NDA and business-to-business financial arrangement, with AMD telling them to pound it.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  9. From their own Disclaimer by iCEBaLM · · Score: 4, Interesting

    https://amdflaws.com/disclaime...

    "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

    24 hours notice. "Researchers" who seem to spring up out of nowhere. Creating a website and videos for maximum publicity. All the security flaws seem overblown (require actual flashing of firmware or bypassing driver signing), and.. wait, what's this?

    https://www.reddit.com/r/AMD_S...

    A huge number of put option (a bet that share price will fall dramatically) volume 5 days ago?

    Nah, this is totally legit!