AMD – AMD confirms CTS vulnerabilities, downplaying to avoid the financial implications

Discoveries by CTS Labs’ research into AMD flaws eliminate AMD’s competitive advantage in enterprise server segments and the company’s price competitiveness in retail aspects can no longer be justified.

The company’s rhetoric that this is a non-issue hinges on the non-argument that administrator access must be established in order to exploit the vulnerabilities identified by CTS. This is as short-sighted as the surrounding statement that most hackers will not have the know-how to exploit these vulnerabilities.
CTS have recently released a video showing the exploitation of AMD’s vulnerabilities to completely circumvent Windows Credential Guard and obtain decrypted passwords. AMD management specifically highlighted Windows Credential Guard as a key obstacle to the execution of CTS Labs’ identified exploits.
The video can be viewed in full here: https://www.youtube.com/watch?v=8YQaWIWbzhI&feature=youtu.be
Viceroy believes the practice of giving AMD discretion as to when, if and how it reports its own vulnerabilities facilitates poor corporate disclosure and keeps stakeholders in the dark. This is not how free financial markets operate for a reason and is validated by the SEC’s most recent statement relating to cybersecurity flaws: we would similarly not give fraudulent companies the discretion as to if and when they inform their investors they are a fraud.

  • Ryzen and EPYC processors facilitate tremendous freedom of access to customers’ data – The identified vulnerabilities in AMD’s EPYC and Ryzen processors give hackers the ability to entrench malware at the hardware level, making it virtually undetectable and untouchable by security products. By abusing these vulnerabilities at the Secure Processor level, malware can give hackers unlimited control over entire networks. None of the vulnerabilities identified by CTS, both firmware and hardware, require physical access to computers to be exploited. The continued sale of these processors puts customers at significant risk.
  • The security protocols that AMD has been promoting expose customers to unacceptable risk from the vulnerabilities identified by CTS – We expect AMD cloud customers including Microsoft Azure, Baidu, Dell EMC and Tencent will flee in the short term given the serious nature of the chip flaws. AMD is unlikely to be trusted in this space again.
  • One Ryzen chip could endanger an entire enterprise network – Vulnerabilities identified in the Ryzen chip allow hackers to perform credential dumps on infected Ryzen workstations even if the latest security mitigations are employed. Malware can quickly spread to other workstations throughout enterprise networks, regardless of whether they use a Ryzen chip or Intel. No prudent CISO or CTO will risk their network or their security by buying a Ryzen chip over more secure competitors.

This report expands on the financial impact of the CTS Labs vulnerabilities, specifically the impact on future earnings and possible legal liabilities that Viceroy believes will arise against the company. Viceroy have appointed lawyers to assess the reliability of the security claims made by AMD considering the basic-level flaws that have been identified.

AMD – The Obituary

Viceroy analyze CTS Labs’ report exposing fatal security vulnerabilities across AMD products

CTS Labs, a cyber-security research firm, released its findings on http://www.amdflaws.com. These findings demonstrate that AMD’s key products, and its basis for profitability and growth, the EPYC and Ryzen processors, contain severe and pervasive security flaws that put users and organizations at an unacceptable and damaging risk. We understand that these flaws are difficult, some practically impossible, to patch.
We believe that AMD was compelled to release products as quickly and cheaply as possible as it was falling behind its competitors. This has led to what appears to be complete oversight or negligence of security fundamentals of AMD’s products, which promote an evidently misguided competitive advantage – particularly with its Secure Processor (a.k.a. Platform Security Processor or PSP) – of providing “the greatest peace of mind on every AMD product.” Nothing could be further from the truth.
Viceroy, in consultation with experts, have evaluated CTS’s report. We believe the issues identified by CTS are fatal to AMD on a commercial level, and outright dangerous at an international level.
In light of CTS’s discoveries, the meteoric rise of AMD’s stock price now appears to be totally unjustified and entirely unsustainable. We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries.

Date: 13 Mar 2018