AMD – AMD confirms CTS vulnerabilities, downplaying to avoid the financial implications

Discoveries by CTS Labs’ research into AMD flaws eliminate AMD’s competitive advantage in enterprise server segments and the company’s price competitiveness in retail aspects can no longer be justified.

The company’s rhetoric that this is a non-issue hinges on the non-argument that administrator access must be established in order to exploit the vulnerabilities identified by CTS. This is short-sighted, as is the surrounding statement that most hackers will not have the know-how to exploit these vulnerabilities.
CTS have recently released a video showing the exploitation of AMD’s vulnerabilities to completely circumvent Windows Credential Guard and obtain decrypted passwords. AMD management specifically highlighted Windows Credential Guard as a key obstacle to the execution of CTS Labs’ identified exploits.
The video can be viewed in full here: https://www.youtube.com/watch?v=8YQaWIWbzhI&feature=youtu.be
Viceroy believes the practice of giving AMD discretion as to when, if and how it reports its own vulnerabilities facilitates poor corporate disclosure and keeps stakeholders in the dark. This is not how free financial markets operate for a reason and is validated by the SEC’s most recent statement relating to cybersecurity flaws: we would similarly not give fraudulent companies the discretion as to if and when they inform their investors they are a fraud.

  • Ryzen and Epyc processors facilitate tremendous freedom of access to customers’ data – The identified vulnerabilities in AMD’s EPYC and Ryzen processors give hackers the ability to entrench malware at the hardware level, making them virtually undetectable and untouchable by security products. By abusing these vulnerabilities at the Secure Processor level, malware characteristics can give hackers unlimited control over entire networks. None of the vulnerabilities identified by CTS, both firmware and hardware, require physical access to computers to be exploited. The continued sale of these processors puts customers at significant risk.
  • The security protocols that AMD have been promoting put customers at unacceptable risk to vulnerabilities identified by CTS – We expect AMD cloud customers including Microsoft Azure, Baidu, DellEMC and Tencent will flee in the short term given the serious nature of chip flaws. AMD is unlikely to be trusted in this space again.
  • One Ryzen chip could endanger an entire enterprise network – Vulnerabilities identified in the Ryzen chip allow hackers to perform credential dumps on infected Ryzen workstations even if the latest security mitigations are employed. Malware can quickly spread to other workstations throughout enterprise networks, regardless of whether they use a Ryzen chip or Intel. No prudent CISO or CTO will risk their network or their security by buying a Ryzen chip over more secure competitors.

This report expands on the financial impact of the CTS Labs vulnerabilities, specifically the impact on future earnings and possible legal liabilities that Viceroy believes will arise against the company. Viceroy have appointed lawyers to assess the reliability of the security claims made by AMD considering the basic-level flaws that have been identified.

Important Disclaimer – Please read and acknowledge before continuing

Viceroy Research LLC are an investigative financial research group registered in Delaware, USA.

Our research reports have been prepared for educational purposes only and express our opinions. Our reports and any statements made in connection with them are the authors’ opinions, which have been based upon publicly available facts, field research, information, and analysis through our due diligence process, and are not statements of fact. All expressions of opinion are subject to change without notice, and we do not undertake to update or supplement any reports or any of the information, analysis and opinion contained in them. We believe that the publication of our opinions about public companies that we research is in the public interest. We are entitled to our opinions and to the right to express such opinions in a public forum. You can access any information or evidence cited in this report or that we relied on to write this report from information in the public domain.

To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable, and who are not insiders or connected persons of the stocks covered herein or who may otherwise owe any fiduciary duty or duty of confidentiality to the issuer. We have a good-faith belief in everything we write; however, all such information is presented “as is,” without warranty of any kind – whether express or implied.

In no event will we be liable for any direct or indirect trading losses caused by any information available on this report. Think critically about our opinions and do your own research and analysis before making any investment decisions. We are not registered as an investment advisor in any jurisdiction. By downloading, reading or otherwise using our research reports, you agree to do your own research and due diligence before making any investment decision with respect to securities discussed herein, and by doing so, you represent to us that you have sufficient investment sophistication to critically assess the information, analysis and opinions in this report. You should seek the advice of a security professional regarding your stock transactions.

This website, all documents contained herein or any information herein should not be interpreted as an offer, a solicitation of an offer, invitation, marketing of services or products, advertisement, inducement, or representation of any kind, nor as investment advice or a recommendation to buy or sell any investment products or to make any type of investment, or as an opinion on the merits or otherwise of any particular investment or investment strategy.

Any examples or interpretations of investments and investment strategies or trade ideas are intended for illustrative and educational purposes only and are not indicative of the historical or future performance or the chances of success of any particular investment and/or strategy.

You should assume that the authors have a direct or indirect interest/position in all stocks (and/or options, swaps, and other derivative securities related to the stock) and bonds covered herein, and therefore stand to realize monetary gains in the event that the price of either declines.

The authors may continue transacting directly and/or indirectly in the securities of issuers covered herein for an indefinite period and may be long, short, or neutral at any time hereafter regardless of their initial recommendation.