TechReport:
(Emphasis added.)
(sigh)
The banksters are going to destroy the world if we let them...
Cheers,
Scott.
Security firm discloses range of Ryzen, Epyc, and AMD chipset vulnerabilities
by Jeff Kampman — 1:19 PM on March 13, 2018
CTS Labs, an Israeli security research firm, purports to have discovered 13 separate security vulnerabilities related to AMD hardware across four categories of exploits. This surprise news arrives without any form of coordinated disclosure or pre-developed vendor mitigations.
The firm claims that flaws in AMD's Secure Processor, a separate ARM processor on AMD Zen CPUs that performs various encryption and root-of-trust functions, can be exploited to run arbitrary code. The "Masterkey" vulnerability requires the attacker to install a modified BIOS containing the exploit payload, either through physical access or—as CTS Labs claims—exploiting another one of the vulnerabilities the firm discovered to write to system flash in system management mode.
CTS Labs goes on to describe three other classes of vulnerabilities that it's branded "Ryzenfall," "Fallout," and "Chimera." Both the Ryzenfall and Fallout vulnerabilities require a local user account with administrator or root privileges to run the required malware, a level of access that generally would suggest that all bets are off on a system's security to begin with. Chimera purports to exploit undescribed "hardware backdoors" in ASMedia intellectual property that apparently makes up the Promontory chip powering AMD AM4 chipsets.
[...]
The chaotic nature of today's disclosure has led to many questions about the source and motivations of the firms behind this research. Astute social-media users have noted that Viceroy Research, a financial-analysis group that reportedly engages in short selling of various companies' securities, appears to have coordinated the release of a report provocatively titled "The Obituary" alongside the CTS Labs whitepaper. Viceroy posits that AMD will have no choice but to file for Chapter 11 bankruptcy as a result of the news and that its stock is ultimately worthless, claims that seem vastly out of proportion with the magnitude of the purported vulnerabilities that CTS Labs has discovered.
CTS Labs' disclaimer on its AMD vulnerability website also exposes a potential conflict of interest. The firm notes that it "may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports." If that's the case, it might explain why CTS Labs didn't engage in any form of coordinated disclosure of these vulnerabilities with AMD or give the company an opportunity to develop and deploy patches for those vulnerabilities.
[...]
(Emphasis added.)
(sigh)
The banksters are going to destroy the world if we let them...
Cheers,
Scott.