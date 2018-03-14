We look at the vulnerabilities and impacts.

This article discusses investor implications for the recently found security problems with Advanced Micro Devices (NASDAQ:AMD) PC and server chips. While it is now abundantly clear that this security disclosure was part of a coordinated short attack, there will be no discussion of the ethics of the Israeli security company CTS-labs, or the research firm, Viceroy Research, or any hedge funds, including Nine Wells Capital Management, that may have orchestrated the release of the information.

Firstly, we note that the security flaw is legitimate and confirmed by credible researchers. Although other credible researchers have panned the revelation. Why the disconnect?

Let’s look at what CTS Labs is claiming (image below from www.amdflaws.com ).

CTS Labs claims that there are four classes of vulnerabilities – Fallout, Masterkey, Ryzenfall, and Chimera.

Furthermore, CTS labs claims that several of these have been exploited and proven (image below from www.amdflaws.com )

This looks bad, doesn’t it? So many red dots indicating successful exploits!

It does not help that, to conduct short raid on AMD stock, CTS labs gave AMD virtually no notice to analyze or offer fixes. There is little doubt that AMD is scrambling to evaluate and fix these vulnerabilities.

But, here is where the CTS-labs story falls short: to exploit any of these vulnerabilities, the attackers needs administrative access to the system. The Fallout vulnerability not only needs administrative level access but also needs the perpetrator to flash the BIOS (see notes under each vulnerability below - also from www.amdflaws.com ).

In other words, all of these stated exploits are second level exploits that come into picture only after the systems administrative access is compromised. This is like saying a thief can break into a home and do some damage or hide some bombs if the thief finds the key to the house.

This sounds absurd at the outset and therefore is being treated with contempt by many security experts. If the attacker has admin level privileges, then they can inflict considerable damage even if these vulnerabilities do not exist.

However, the vulnerabilities are real in the sense that AMD security measures are expected to not allow these kinds of exploits. In other words, AMD chips are not performing as designed and these are legitimate flaws until AMD releases fixes to address these flaws.

The risk here is that an attacker who gains the administrator access through a different security hack or an employee with evil intent can use these exploits to plant malicious code into the system undetected by current security tools. The malware could cause long term damage completely unnoticed.

To summarize, the vulnerability is legitimate but is a second level risk that is not deserving of the hype created by CTS-labs.

What Does This Mean To AMD Investors?

Based on what we know so far, here is our view of investor impact:

This second level bug does not reach the proportion of Meltdown and Spectre which can be exploited by remote users without any special privileges.

AMD has gotten virtually no time to evaluate the vulnerability or the fixes and will likely be providing updates on a continual basis over the next several days and weeks. The stock could be volatile depending on the nature of AMD’s disclosures and the Company’s PR skills.

These vulnerabilities are likely largely a non-issue for consumers but could be of consequence to cloud vendors.

The performance penalty from the future fixes, if any, is likely to be minimal. Since the issues are at supervisory level, the odds are that any fixes will impact the booting and management of the system and not user application performance. Performance slowdowns like what Intel saw with Meltdown and Spectre are unlikely.

The Chimera vulnerability is due to a Ryzen companion chipset based on Asustek IP. EPYC systems do not use this chipset and therefore are not vulnerable. There is some doubt as to whether the companion chipset can be fixed without a hardware spin. However, even if this were to require a chip spin, this affects only Ryzen PRO and Ryzen Workstation chips which AMD has not yet sold in any meaningful volume. To the extant hardware fixes are needed, given the second level nature of this vulnerability, we are skeptical that AMD will implement any such changes retroactively but will phase-in fixes into future designs.

Most importantly, the vulnerabilities for the Company’s high impact Ryzen Mobile and EPYC seem fixable through firmware or software.

Bottom Line

The security flaws found by CTS, while legitimate, appear to be much ado about very little.

We expect AMD to fix, most, if not all, of the vulnerabilities in software or firmware with very little performance impact.

AMD may have to redesign the companion Asus IP based chipset for future designs.

AMD’s high profile EPYC effort may face longer qualification cycles as customers evaluate the implications and AMD fixes the vulnerabilities.

Currently, we see little or no implication for the high volume AMD Ryzen Mobile SKUs.

Overall, we see some potential delays in EPYC qualification but relatively small impact for AMD from this security disclosure.

Disclosure: I am/we are long AMD.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.