13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

I'm getting two things here:

That the flaw allows undetectable (or nearly so) hooks into a system to be installed, and that while some Intel boards use ASMedia parts to add features, AMD uses ASMedia for the whole chipset. Which means that the flaw will likely be significantly harder to mitigate.
 
Summary
CTS Labs published a white paper claiming that they have found no fewer than 13 vulnerabilities in the AMD's chip architecture.

In this article we discuss these vulnerabilities and examine how credible they are.

Finally we discuss the credibility, or rather the lack thereof, of CTS Labs.

On March 13th, 2018, CTS Labs announced that they have found no less than 13, yes, count them, 13 vulnerabilities in AMD's (AMD) Ryzen and EPYC architectures. To back up this claim they have had their findings reviewed by not less than ONE, yes, just one, company, Trail of Bits. To further bolster their claim they have produced one, yes, just one, screenshot of one affected machine where the boot code in the bottom left coroner was replaced with the number "1337." These findings caused Viceroy Research, another firm with a questionable reputation, to proclaim in a 25-page report on the matter that:

“AMD must cease the sale of Ryzen and EPYC chips in the interest of public safety.”

In this article we are going to look at the claimed vulnerabilities, discuss the level of threat these vulnerabilities pose to AMD's customers, and then take a closer look at who's behind CTS Labs.

The Vulnerabilities
A few months ago Google (NASDAQ:GOOG) (NASDAQ:GOOGL) researchers in conjunction with independent security researchers published the Meltdown and Spectre vulnerability research paper. That paper was a pleasure to read, though it was very tough to understand, it was peer reviewed, and came with discussion of methodology and proof of concepts. I wrote an article entitled "Intel And The Meltdown And Spectre Vulnerabilities Explained" discussing these vulnerabilities.

By contrast CTS' white paper, which can be found on amdflaws.com, and yet inexplicably hosted by a blank website safefirmware.com, discusses no methodology at all, and for proof of concepts discussed therein offers just one screenshot of a server with a boot screen with "1337" (hacker slang for LEET which is phonetic shortening of ELITE) added to the bottom right hand corner, purportedly by CTS. Due to the lack of any discussion of methodology or technical details in the white paper it is impossible to verify the veracity of CTS' claims. That said, let's discuss them at face value anyway and see what the worst-case scenario could be.

Linus, Kanter and Walrath all state that the exploits have occurred where admin rights were mitigated, while flaws they were on compromised machines, the methodology is not realistic as the bypass requires local access to admin account or backdoors which cause the user to default on admin settings which again can be done on Intel CPU's as easily as they can on AMD, this is more a negligence scenario rather than a Meltdown/Spectre ghost intrusion type flaw.

The Romanian guy Juan is clinging to suggests there is a fault in the method of testing which suggest to fall in line with Jon Walraths opinion on the subject which Kyle Bennett sourced.

This is what I will call a fixed flaw, putting the system into a situation where it is unrealistically bypassed.

so far from credible sources the issue is basically a non issue and I think if AMD trace CTS there will be a massive legal dispute which I would suggest to the two Israeli's to run back home and hide, they have falsified a position to short investors and tarnish the reputation of a company that is performing well within the bounds of ethics.
 
Sorry, but I will side with Linus Torvolds over you. lol Contesting someone who knows his shit and slammed you for good reason.

You can side with whoever you want. I can understand Linus is unaware that Microsoft Security is working in the flaws, but it is very funny that Linus still pretends this is a "scam" from CTS-labs, when all the material (including PoCs) is on the hands of AMD since last Monday. If it was a scam, AMD had denounced it time ago...

Who are you anyway? That's right "Feb 22, 2017" Showed up at Ryzen launch out of thin air. Probably one of the returned banned shills I banned from AnandTech years ago with a new IP.

This is the second time you attack me, except the other time you did in a PM sent to me. Re-read the whole conversation and pay attention to the last PM I sent you.
 
Linus, Kanter and Walrath all state that the exploits have occurred where admin rights were mitigated, while flaws they were on compromised machines, the methodology is not realistic as the bypass requires local access to admin account or backdoors which cause the user to default on admin settings which again can be done on Intel CPU's as easily as they can on AMD, this is more a negligence scenario rather than a Meltdown/Spectre ghost intrusion type flaw.

The Romanian guy Juan is clinging to suggests there is a fault in the method of testing which suggest to fall in line with Jon Walraths opinion on the subject which Kyle Bennett sourced.

This is what I will call a fixed flaw, putting the system into a situation where it is unrealistically bypassed.

so far from credible sources the issue is basically a non issue and I think if AMD trace CTS there will be a massive legal dispute which I would suggest to the two Israeli's to run back home and hide, they have falsified a position to short investors and tarnish the reputation of a company that is performing well within the bounds of ethics.

How can you know this when CTS has not released the details of the exploits, except to a few large firms and one third party tester? At least according to the Anandtech conference call.
 
Make you case with facts or put the person on ignore, but knock off the name calling and insults or bans will be coming.
 
You can side with whoever you want. I can understand Linus is unaware that Microsoft Security is working in the flaws, but it is very funny that Linus still pretends this is a "scam" from CTS-labs, when all the material (including PoCs) is on the hands of AMD since last Monday. If it was a scam, AMD had denounced it time ago...



This is the second time you attack me, except the other time you did in a PM sent to me. Re-read the whole conversation and pay attention to the last PM I sent you.

Fact: these exploits are un-proven.

Fact: these exploits require access that would allow someone to exploit a system no matter what hardware is installed.

Fact: CTS did not follow industry standards and give AMD a chance to address these supposed exploits before releasing them.

Fact: CTS informed the press and a company known for shady business practices involving shorting companies stocks while releasing negative press releases, said company is also associated with CTS.

Fact: in an interview previously linked, CTS gave conflicting answers, evaded others, and out right lied.

Edit:
Fact: the one company used to "verify" the exploits was paid to do so, creating a conflict of interest.

Fact: CTS put a disclaimer that their findings were opinions and not statements of fact.

Just to reiterate, any system that these thereoritical and non proven exploits can be used on, requires access that makes basically any system vulnerable. Further, the Asmedia chips allowing the supposed exploits have been, and are, used in millions of Intel systems which CTS did not disclose.

So please feel free to factually prove these exploits actually exist, that if these exploits are real, that they are llimited to AMD.
 
Last edited:
That's Dan Guido's company. The same security expert whose twitter feed you've already quoted a few times. So far he's the only 3rd party they've shared the info with according to the Anandtech conference call.

No. In #65 I gave a tweet from Alex Ionescu. Then bb_forrest replied to my post in his message #73, recognizing Ionescu is a security expert and requiring me to mention more experts. In my reply #85 I gave him the link to Dan Guido's blog explaining the AMD flaws.

So two experts confirmed CTS-labs findings. And as said in my reply to him, there are more.
 
Last edited:
No. In #65 I gave a tweet from Alex Ionescu. Then bb_forrest replied to my post in his message #73, recognizing Ionescu is a security expert and requiring me to mention more experts. In my reply #85 I gave him the link to Dan Guido's blog explaining the AMD flaws.
So two experts confirmed CTS-labs findings. And as said in my reply to him, there are more.

And what exactly did Alex say?

He certainly did not confirm what CTS says.
 
And what exactly did Alex say?

He certainly did not confirm what CTS says.

Not only he confirmed that the flaws are real, but he also criticized to those diminishing the problem:

Ionescu also addressed another major criticism directed at CTS Labs —the fact that many security researchers derided the Israeli company because all of the 13 flaws required an attacker to gain admin rights before they could be exploited.

[...]

Ionescu disagreed that some security researchers were dismissing the severity of CTS Labs' findings just because the flaws required admin access.
 
Let me help you.

He stated, "Admin-level access and persistance are legitimate threats in multi-tenant IaaS [Infrastructure-as-a-Service] and even things such as VTL0/1 (Credential Guard) when firmware and chipset trust boundaries are broken,"

and, "I have seen the technical details and there are legit design & implementation issues worth discussing as part of a coordinated disclosure effort."


NOWHERE does he state the "flaws" are as bad as CTS and people such as yourself are making them out to be.

Intel has a host of security problems with it's management engine but you seem to forget that. -- https://www.wired.com/story/intel-management-engine-vulnerabilities-pcs-servers-iot/

The Intel vuln allows privesc and the possibility of remote exploitation. But who gives a shit when we can talk about AMD amiright?
 
It took Trail of Bits 4-5 days to confirm CTS's findings according to Anandtech, so we should probably expect a reply from AMD Monday or Tuesday.
 
Fact: these exploits are un-proven.

False. Several security experts have confirmed the flaws exist and the PoCs develoed by CTS-labs work as described on AMD Zen-based hardware.

Fact: these exploits require access that would allow someone to exploit a system no matter what hardware is installed.

False. Those flaws are characterized by properties such as persistency and stealth, which are absent in non-Zen hardware.

Fact: CTS did not follow industry standards and give AMD a chance to address these supposed exploits before releasing them.

Correct that CTS-labs followed a non-standard disclosure procedure. They have explained many times why they don't like the standard procedure. And of course they don't like the standard procedure for any company, not only for AMD. What is more they want rest of security researchers to follow their procedure when disclosing vulnerabilities for any company.

False that AMD wasn't given "a change". CTS-labs eliminated all the relevant technical details from the public announcements and the public version of paper, whereas sent AMD and others all the technical details, including PoCs. So CTS-labs has combined a fast public announcement with the hiding of the key information to avoid putting users at risk. until AMD and rest of involved companies develop the needed patches and mitigations.

CTS-labs confirmed they will make public the full details once these companies come out with patches and mitigations.

Fact: CTS informed the press and a company known for shady business practices involving shorting companies stocks while releasing negative press releases, said company is also associated with CTS.

False. The only fact is that Viceroy report was published after CTS-labs published its findings. Due to the short delay between both publications, some people has speculated that Viceroy had the CTS-labs paper before publication. From here other people adds more speculation and claims that CTS-labs gave the paper to Viceroy, but CTS-labs negated it.

CTS-labs sent the security material to multiple hardware/software companies before the public announcement. Some other people speculates that someone from those companies could have shared the paper with Viceroy.

I can also play the game of developing crazy conspiracy 'theories'. I can use what Vyedmic said in #81 as baseline for my own speculation. AMD got the material before the public announcement. Someone at AMD could have given the paper to Viceroy as part of smart defense strategy to divert the media attention and pretend this is only a stock manipulation move without technical foundation to minimize the financial impact of those security findings. See? Anyone can invent crazy conspiracy 'theories'. The problem is on proving they are true.

Of course, I cannot prove my crazy conspiracy theory, just as others cannot prove their. But I don't care about conspircy theories. I care about facts, and fortunately the media starts to focus on the facts:

As the dust settled after yesterday's overly-cosmeticized vulnerability disclosure, many security researchers are now not so dismissive of CTS Labs' findings, and the conspiracy theories about shorting AMD stock are starting to be replaced by warnings that the AMD flaws "could turn bad hacks into worse hacks."

This was because experts started realizing that attackers could use these AMD vulnerabilities to gain post-reinstall persistence by leaving malicious code in secure areas of the CPU. Areas where security software can't scan or reach, and where malicious attackers wouldn't normally be able to reach, admin access or not.

So if some of you guys want to continue discussing conspiracies and stock manipulation, you can do it, but allow others of us to focus on the security flaws.

Fact: in an interview previously linked, CTS gave conflicting answers, evaded others, and out right lied.

Yeah, because it is the first time that a company gives conflicting answers, evade questions, and lie. LOL. In the PR thread I mentioned as Gary Patton gives contradictory answers about 12LP or how GF lies when names "7nm" to their next node. No one of your shared any doubt about the existence of 12LP or 7LP. But the standard is another when talking about CTS-labs. True?

Edit:
Fact: the one company used to "verify" the exploits was paid to do so, creating a conflict of interest.

False. The flaws have been verified by other people, including Alex Ionescu, who got not payment



Moreover, It is really hilarious that you accuse of conflict of interest to a company as Trail of Bits, which simply got payment for their work (they would got their payment equally if they had refuted the findings from CTS-labs), still you will not accuse AMD when they come to us with a public statement about those security flaws. Am I right that you will not mention conflict of interest?

Fact: CTS put a disclaimer that their findings were opinions and not statements of fact.

This is legal jargon. The flaws have been confirmed by people outside CTS-labs.

Just to reiterate, any system that these thereoritical and non proven exploits can be used on, requires access that makes basically any system vulnerable. Further, the Asmedia chips allowing the supposed exploits have been, and are, used in millions of Intel systems which CTS did not disclose.

First point is false and refuted above.

Second point is false as well. Those ASMedia chips used in some old mobos for Intel (AMD or any other company) are used for controlling the USB ports or PCIe ports. So those systems could only suffer some version of the Chimera attack. And I wrote "could", because the only presence of the affected ASMedia chips is a needed but not sufficient condition.

It is a fact that no one has demonstrated that Chimera-like attacks exist on Intel mobos with the affected chipsets.

However, the real problem is on AMD using those ASMedia chips as part of the secure processor:

Intel boards don't have the same problems because they use the ASM1142 as a USB controller, not their Security Processor.

The problem is with the ARM cell, likely the debug port. Its just that on Intel, it's just a USB controller. On AMD, it's the Security Processor with access to everything.

That is a reason why Ryzenfall flaw isn't named CoffeeLakeflaw, for instance.

So please feel free to factually prove these exploits actually exist, that if these exploits are real, that they are llimited to AMD.

There is no reason to prove things have been proven. I will keep this summary post as reference for the future when someone pretends again that no one has proven that the PoCs work or that this affect Intel as well...
 
After all the reading I've done, especially the interview with CTS posted over on AT, I'm sure these vulnerabilities exist and that they are serious and warrant the attention of both security folks and AMD themselves.

However, I'm equally sure that they were presented in the fashion they were for the benefit of CTS's unnamed customer, or for their own self-promotion, rather than genuine desire to see the security of the global computing environment improved. Between the lack of notice given to AMD, the apparent pre-briefings given to select press agencies, lack of CVE/US-CERT involvement, the doom and gloom language used to describe the vulnerabilities by CTS (the "this is probably as bad as it gets in the world of security" quote in particular), and the very melodramatic names given to the vulnerabilities themselves, it all just smacks of someone who seemed intent on presenting the most damaging set of headlines to AMD possible. This attitude would exist for *someone's* benefit, and it certainly doesn't feel like it was done for the good of the community at large. The contrast to the presentation of Meltdown/Spectre is incredibly stark.
 
No. In #65 I gave a tweet from Alex Ionescu. Then bb_forrest replied to my post in his message #73, recognizing Ionescu is a security expert and requiring me to mention more experts. In my reply #85 I gave him the link to Dan Guido's blog explaining the AMD flaws.
So two experts confirmed CTS-labs findings. And as said in my reply to him, there are more.
Re-mentioning the same security expert that started all of this, one that everyone already knows about, is not mentioning "more experts". He's a known quantity at this point. It's not adding to your list of experts when he was already the first person on the list.
 
Correct that CTS-labs followed a non-standard disclosure procedure. They have explained many times why they don't like the standard procedure. And of course they don't like the standard procedure for any company, not only for AMD. What is more they want rest of security researchers to follow their procedure when disclosing vulnerabilities for any company.

False that AMD wasn't given "a change". CTS-labs eliminated all the relevant technical details from the public announcements and the public version of paper, whereas sent AMD and others all the technical details, including PoCs. So CTS-labs has combined a fast public announcement with the hiding of the key information to avoid putting users at risk. until AMD and rest of involved companies develop the needed patches and mitigations.

CTS-labs confirmed they will make public the full details once these companies come out with patches and mitigations.


This is legal jargon. The flaws have been confirmed by people outside CTS-labs.

It is not legal jargon, an opinion as opposed to statement has two very different legal consequences in the event of being incorrect, the opinion is an attempt at waiving warranty/guarantee or the factual correctness of the claims, a statement is a clear guarantee that the information therein is true and any irregularities resulting in loss can be contested in respect to damages.

It is a breach of policy that is unethical in standard practice, going with how they personally attack AMD and how they departed from the principles of the industry then you look at how both directors are hedge fund beneficiaries of Viceroy, this is a gross violation, they also did not test exploiting Intel systems and thus makes it an intentional attack on AMD's stocks for personal gains. They used a hacked OS to test this and fixed the results to come up with positive results, their methods have been rightly criticized as contra bonos mores
 
Interesting how Juanrga misconstrues words, I never acknowledged that the person he quoted was a security expert, I said that he used a plural term and only quoted 1.

I really don't understand what he is trying to achieve with the constant "Intel are the dogs bollocks, AMD are shit" rhetoric? If he isn't paid by Intel then it's just bizarre.

In my case, I'm upgrading my PC this year at some point - an old i5-2500K, I'm now definitely buying Zen+ just because it will piss him off and I can state that the security problems he goes on about will not affect me.
 
You folks would be better off to put him on permanent ignore and let him talk to himself. Unless you like arguing with alternative facts.


gave up trying to tell people that.. i think they enjoy losing brain cells reading the garbage he posts.
 
Re-mentioning the same security expert that started all of this, one that everyone already knows about, is not mentioning "more experts". He's a known quantity at this point. It's not adding to your list of experts when he was already the first person on the list.

Amusing how you guys insist on that Dan Guido and Alex Ionescu are the same person.

It is not legal jargon, an opinion as opposed to statement has two very different legal consequences in the event of being incorrect

So it is legal jargon. ;)

they also did not test exploiting Intel systems and thus makes it an intentional attack on AMD's stocks for personal gains.

The flaws of the AMD secure processor are exclusive to AMD. E.g no Intel system can be affected by Ryzenfall, because no Intel system uses AMD secure processor...

Flaws such as Chimera could be present on Intel systems whose boards use affected ASMedia chipsets for USB controller. CTS labs tested Intel-based systems "made by HP, Dell, Lenovo, etc. and they were not affected".
 
Interesting how Juanrga misconstrues words, I never acknowledged that the person he quoted was a security expert

Ooops! When you wrote "Security Experts? Well, that's one" I believed that you had identified to Alex Ionescu and then asking me for more experts. I supposed you were familiar with him being a well-known security expert. It is interesting that you seem so worried by my mistake, when I think my mistake was favoring you, but don't worry, I have edited my post to make clear you didn't acknowledge anything. My post now reads:

No. In #65 I gave a tweet from Alex Ionescu. Then bb_forrest replied to my post in his message #73, recognizing Ionescu is a security expert and requiring me to mention more experts. In my reply #85 I gave him the link to Dan Guido's blog explaining the AMD flaws.

So two experts confirmed CTS-labs findings. And as said in my reply to him, there are more.
 
Amusing how you guys insist on that Dan Guido and Alex Ionescu are the same person.
I find it amusing you managed to come up with that conclusion when I never once said or even implied that.

Interesting how Juanrga misconstrues words, I never acknowledged that the person he quoted was a security expert, I said that he used a plural term and only quoted 1.
He must have one helluva reputation for doing that already if he's got this entire forum and Linus Torvalds calling him out. It's ashame because he does occasionally have decent info to share, but it always comes with some spin.
 
Last edited:
I find it amusing you managed to come up with that conclusion when I never once said or even implied that.

He must have one helluva reputation for doing that already if he's got this entire forum and Linus Torvalds calling him out. It's ashame because he does occasionally have decent info to share, but it always comes with some spin.

Where did Linus call him out at? Would be hilarious to see.
 
In day to day computer usage, either on Intel or AMD, would any of these bugs cause a user like me any real trauma?

"day to day computer usage" = 15 hours, or so gaming, many hours screwing away time on the Information Superhighway, 10, or so minutes checking email.
 
In day to day computer usage, either on Intel or AMD, would any of these bugs cause a user like me any real trauma?

"day to day computer usage" = 15 hours, or so gaming, many hours screwing away time on the Information Superhighway, 10, or so minutes checking email.
If you plan on giving someone administrative rights and free access to your PC, then sure!
 
Amusing how you guys insist on that Dan Guido and Alex Ionescu are the same person.



So it is legal jargon. ;)



The flaws of the AMD secure processor are exclusive to AMD. E.g no Intel system can be affected by Ryzenfall, because no Intel system uses AMD secure processor...

Flaws such as Chimera could be present on Intel systems whose boards use affected ASMedia chipsets for USB controller. CTS labs tested Intel-based systems "made by HP, Dell, Lenovo, etc. and they were not affected".

Legal jargon are terms like animus contrahendi, balance of probabilities, beyond reasonable doubt, Dolus and Culpa, pactum sunt savanda, inter vivos.

The vulnerability as stated by your relied on authority Lonescu is fixed, the method is questioned as to it being a situation where a end user allows administrative rights to be compromised or where ethan hunt absails from your roof and uploads malware onto an already logged in administrative account, it hopes the user will hit yes to the bombardment of requests to pass admin, this makes it a end user related problem.

These types of intrusions are very possible on intel systems and you can probably call them coffeeflaw, kabyflaw, skyflaw whatever you like, bypassing admin is already compromising a system and the issue lies with human management.

This has not gathered any momentum and the issue has become the gross violation of standard industry practice that is laced in mala fides and we already know why they chose to blatantly circumvent them. There was motive and it backfired, the world called BS and stocks maintained integrity.
 
Back
Top