One of the reports that caused a lot of controversy this week was the news from CTS-Labs, about the discovery of 13 security vulnerabilities in AMD's Ryzen and EPYC processors, as well as in ASMedia chipsets. The first impression of a lot of enthusiast was that this is a smear campaign, not just because nobody had ever heard of this firm, but also due to the unusual and highly mediatized disclosure, the surrounding doom and gloom, and a 25-page short seller report from Viceroy Research that appeared a mere three hours after the initial announcement.
AnandTech's Ian Cutress and RealWorldTech's David Kanter had a conference call with CTS-Labs, you can read their conclusions over here. The site concludes there a definitely a lot of weird and inconsistent elements. It is likely that the vulnerabilities are real, but further confirmation is still required:
One, if the vulnerabilities exist: It is very likely that these vulnerabilities are real. A secondary attack vector that could install monitoring software might be part of a multi-layer attack, but offering a place for indiscriminant monitoring of compromised systems can be seen as an important hole to fix. At this point, the nearest trusted source we have that these vulnerabilities are real is from Alex Ionescu, a Windows Internals Expert who works for CrowdStrike, one of the companies that CTS-Labs says has the full disclosure documents. That is still a stage a bit far from us to warrant a full confirmation. Given that Trail of Bits required 4-5 days to examine CTS-Labs work, I suspect it will take AMD a similar amount of time to do so. If that is the case, AMD might have additional statements either on Friday or Monday, either confirming or rebutting the issues, and discussing future action.