Researchers Find Critical Vulnerabilities in AMD's Ryzen and EPYC Processors, But They Gave the Chipmaker Only 24 Hours Before Making the Findings Public

Alfred Ng, reporting for CNET: Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer. CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly. An AMD spokesperson said, "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings," an AMD spokesman said. Zack Whittaker, a security reporter at CBS, said: Here's the catch: AMD had less than a day to look at the research. No wonder why its response is so vague.

Sponsored by, Intel! (R)

... someone needs to dig (deep) into who registered the amdflaw domain and who is funding this.

Re:Sponsored by, Intel! (R)

[sinij]

Yes, couple days to respond is a hit job and not a responsible disclosure. However, if AMD and Intel get into "flaw disclosure" wars, the only winner will be consumers. This is not a bad thing.

Not a vulnerability

[FeelGood314]

This is both an attack on AMD (and possibly their stock price) and a way for the researchers to get publicity. This happens way to often, just this time it got more publicity than usual. What happens is researchers looking to make a name for themselves finds what they think could sound like exploit, the fact that it might already be public knowledge or hell even the way a device is supposed to work (e.g. exploit needs signed drivers and physical access) doesn't matter. Usually the "researchers" aren't very good. They use automated tools to scan for a vulnerability that they don't really understand and when you respond that "yeah, that 32 bit signed/unsign error might be exploitable if you send me a buffer with 2^31 + 7 bytes of data to a processes on an old 32 bit server but since the process only has 2GB of memory good luck.* The researches intentionally published right away so that the organization they are attacking doesn't have time to respond. The researchers didn't want a response because they knew the response would be "fuck off, this isn't a vulnerability!"

*yes, I had this conversation.

Re:trying to make a name for themselves...

[MachineShedFred]

The sentence on the web site was probably edited from:

"Due to the sensitive nature of security vulnerabilities, we usually work under strict mutual NDAs with our customers to ensure maximum safety and privacy. If you would like to become one of our customers by handing over a signed NDA and a fat bag of money, you can contact us at the following email address. Should we find a flaw in a product that is not produced by one of our NDA partners, we'll first ask them for a fat bag of money, and if they don't immediately capitulate, we'll be publishing their dirty laundry as "full disclosure with previous notification".

Somehow I have a feeling that the "disclosure" to AMD included the offer of a mutual NDA and business-to-business financial arrangement, with AMD telling them to pound it.

From their own Disclaimer

[iCEBaLM]

https://amdflaws.com/disclaime...

"Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

24 hours notice. "Researchers" who seem to spring up out of nowhere. Creating a website and videos for maximum publicity. All the security flaws seem overblown (require actual flashing of firmware or bypassing driver signing), and.. wait, what's this?

https://www.reddit.com/r/AMD_S...

A huge number of put option (a bet that share price will fall dramatically) volume 5 days ago?

Nah, this is totally legit!