Discoveries by CTS Labs’ research into AMD flaws eliminate AMD’s competitive advantage in enterprise server segments and the company’s price competitiveness in retail aspects can no longer be justified.
The company’s rhetoric that this is a non-issue hinges on the non-argument that administrator access must be established in order to exploit the vulnerabilities identified by CTS. This is short-sighted, as is the surrounding statement that most hackers will not have the know-how to exploit these vulnerabilities.
CTS have recently released a video showing the exploitation of AMD’s vulnerabilities to completely circumvent Windows Credential Guard and obtain decrypted passwords. AMD management specifically highlighted Windows Credential Guard as a key obstacle to the execution of CTS Labs’ identified exploits.
The video can be viewed in full here: https://www.youtube.com/watch?v=8YQaWIWbzhI&feature=youtu.be
Viceroy believes the practice of giving AMD discretion as to when, if and how it reports its own vulnerabilities facilitates poor corporate disclosure and keeps stakeholders in the dark. This is not how free financial markets operate for a reason and is validated by the SEC’s most recent statement relating to cybersecurity flaws: we would similarly not give fraudulent companies the discretion as to if and when they inform their investors they are a fraud.
- Ryzen and EPYC processors facilitate tremendous freedom of access to customers’ data – The identified vulnerabilities in AMD’s EPYC and Ryzen processors give hackers the ability to entrench malware at the hardware level, making it virtually undetectable and untouchable by security products. By abusing these vulnerabilities at the Secure Processor level, malware characteristics can give hackers unlimited control over entire networks. None of the vulnerabilities identified by CTS, both firmware and hardware, require physical access to computers to be exploited. The continued sale of these processors puts customers at significant risk.
- The security protocols that AMD have been promoting put customers at unacceptable risk to vulnerabilities identified by CTS – We expect AMD cloud customers including Microsoft Azure, Baidu, DellEMC and TenCent will flee in the short term given the serious nature of chip flaws. AMD is unlikely to be trusted in this space again.
- One Ryzen chip could endanger an entire enterprise network – Vulnerabilities identified in the Ryzen chip allow hackers to perform credential dumps on infected Ryzen workstations even if the latest security mitigations are employed. Malware can quickly spread to other workstations throughout enterprise networks, regardless of whether they use a Ryzen chip or Intel. No prudent CISO or CTO will risk their network or their security by buying a Ryzen chip over more secure competitors.
This report expands on the financial impact of the CTS Labs vulnerabilities, specifically the impact on future earnings and possible legal liabilities that Viceroy believes will arise against the company. Viceroy have appointed lawyers to assess the reliability of the security claims made by AMD considering the basic-level flaws that have been identified.