AMD Responds To CTS Labs Vulnerability Claims

Shintai said:
So all flaws confirmed just as Spectre. But they still have to release Spectre patches as far as I know.
Click to expand...

Yes, all 'flaws' confirmed. I just read some more breaking news on an AMD flaw: it appears if you take a bucket of water, and throw it on a powered up system running an AMD processor, you can make it unbootable. This flaw hasn't been confirmed on Intel hardware yet, due to lack of testing.

You're welcome, go run with it now. :D
 
Charlie_D said:
Yes, all 'flaws' confirmed. I just read some more breaking news on an AMD flaw: it appears if you take a bucket of water, and throw it on a powered up system running an AMD processor, you can make it unbootable. This flaw hasn't been confirmed on Intel hardware yet, due to lack of testing.

You're welcome, go run with it now. :D
Click to expand...

can i like this twice?
 
naib said:
Umm... That's what I wrote. What I linked from January wasn't todo with spectre (coincidentally made public at the same time ) BUT an oversight in AMD's PSP where a custom firmware loaded would provide full access

This is exactly the same thing and is old news
Click to expand...
Not exactly... you said (replying to me saying they are real flaws) it was a flaw known since January (linking a post from or quoting a Google Project Zero team member dated January 3rd). I replied, quoting AMD saying specifically that these are unrelated to that exact flaw. What am I misunderstanding / missing here?
 
skydriver said:
I think the "real" story is fake news for profit. That's how I see it , maybe I'm wrong? If that's the case it really shouldn't be a nothing burger.
Click to expand...

I agree. If the SEC doesn't investigate this, there's a real problem. There need to be consequences if they were attempting to manipulate the market using deceptive tactics. Again, the exploits seem real but they hyped them in a very misleading way.
 
Chebsy said:
Are CTS labs sponsored by Intel or Nvidia ?? ;);)
Click to expand...

I think CTS is blatantly trying to hype their own business, and Doing It Wrong(tm). You don't get to be a trusted security advisor / consultant who dumps vulnerabilities in an irresponsible fashion.

Now to be sure, I suspect NV and Intel smirked a bit, but both know it is a fools errand to throw stones in this glass house game.
 
you mean a person with admin rights can exploit the system?

gee hope they dont delete anything or reboot or uninstall anything or copy and paste either. Sue Microsoft now!
 
thesmokingman said:
TPU is handing out bans to anyone claiming Knives are sharp and can kill, etc or even buckets of water!
Click to expand...

I'll take your word for it on what the qualification for 'shit post' was, since they're gone. I would have assumed they would be the 'OMG, SO BAD!!!1! INTEL FOREVER' posts, personally.

EDIT: Allow me to say: I'm not specifically an AMD fan, or an Intel fan. I'm too old for that shit. I enjoy calling it out when I see it though, because as I get older society expects me to become ever more crotchety and judgmental. I bow to the collective will.
 
Charlie_D said:
I'll take your word for it on what the qualification for 'shit post' was, since they're gone. I would have assumed they would be the 'OMG, SO BAD!!!1! INTEL FOREVER' posts, personally.

EDIT: Allow me to say: I'm not specifically an AMD fan, or an Intel fan. I'm too old for that shit. I enjoy calling it out when I see it though, because as I get older society expects me to become ever more crotchety and judgmental. I bow to the collective will.
Click to expand...

It's the only real perk of getting older, you have to roll with it.
 
The comments laughing at this for "pwning a system you already pwned" aren't quite getting the full impact of something like this. This isn't about the initial compromise of a system. This exploit gives the attacker an advanced persistence mechanism that cannot be mitigated or removed through the use of an AV tool or by re-imaging a system. A firmware level RAT is nothing to shrug off. A RAT in place through this technique could allow an attacker to stay in place for as long as that system remains in service.

Also, writing a BIOS update with the RAT rolled in isn't too hard after the initial compromise. After first popping a box, a simple WMI query will tell you EVERYTHING you need to know about the system's hardware. Then a quick trip to the manufacturer's website will give you a clean firmware image to download and modify to your liking.
 
The other Paul in a GTR said:
The comments laughing at this for "pwning a system you already pwned" aren't quite getting the full impact of something like this. This isn't about the initial compromise of a system. This exploit gives the attacker an advanced persistence mechanism that cannot be mitigated or removed through the use of an AV tool or by re-imaging a system. A firmware level RAT is nothing to shrug off. A RAT in place through this technique could allow an attacker to stay in place for as long as that system remains in service.

Also, writing a BIOS update with the RAT rolled in isn't too hard after the initial compromise. After first popping a box, a simple WMI query will tell you EVERYTHING you need to know about the system's hardware. Then a quick trip to the manufacturer's website will give you a clean firmware image to download and modify to your liking.
Click to expand...
Actually, I think you aren't understanding that any system in existence is fucked in the situation that allows these "exploits."
 
If you need admin access to make an exploit work, I am not sure how valuable or critical such an exploit can be. It would take physical access, social engineering / phishing for a password for admin access, or other exploits that get you admin access. But, once you have admin access, what do you need this exploit for? As yet another way someone with admin access has to rootkit a machine?
 
FearTheCow said:
Actually, I think you aren't understanding that any system in existence is fucked in the situation that allows these "exploits."
Click to expand...

Because of the long game. Say I'm a hacker involved in industrial espionage and am being paid to continuously discover trade secrets from a competitor. I pop a server belonging to a company and am copying source code or hardware designs until one day they discover me or they re image the server. I've lost my foothold on that box and need to work to get that back. With firmware level persistence they can try all they want, but they aren't getting me out of their network, and my employers get everything they need.

So what is it that you claim I am not understanding? You have to plan the long game to be successful. Being happy with a single compromise is short sighted. As long as people in charge think like that, I'll always have a job.
 
FearTheCow said:
Actually, I think you aren't understanding that any system in existence is fucked in the situation that allows these "exploits."
Click to expand...
The other Paul in a GTR said:
Because of the long game. Say I'm a hacker involved in industrial espionage and am being paid to continuously discover trade secrets from a competitor. I pop a server belonging to a company and am copying source code or hardware designs until one day they discover me or they re image the server. I've lost my foothold on that box and need to work to get that back. With firmware level persistence they can try all they want, but they aren't getting me out of their network, and my employers get everything they need.

So what is it that you claim I am not understanding? You have to plan the long game to be successful. Being happy with a single compromise is short sighted. As long as people in charge think like that, I'll always have a job.
Click to expand...
And how did you gain access in the first place again?
 
FearTheCow said:
And how did you gain access in the first place again?
Click to expand...


This isn't an initial compromise exploit. This is an exploit to gain an advanced persistence mechanism. Initial compromise is irrelevant to this.


Fuck it. I spear phished an employee, who opened a macro enabled word doc, which called back to my malicous domain, which installed the dropper, which loaded the multi staged payload, giving me the shell through a reverse call back bypassing the firewall, which I used to pivot to another box, which the admin had cached creds on, which I used to move to the DC, which I then exploited to gain a domain admin account, which allowed me to utilize psexec, which finally let me hit the server where the company's source is on, which I then FINALLY used this exploit on to install the persistent shellcode in the BIOS.

Shit. You happy?
 
Nope, still comes down to an initial major fuck up(s). So again, a non issue.
 
The other Paul in a GTR said:
You're right. I know nothing.

http://shadyhackerwebsite.com/wp-content/gallery/cert/MVIMG_20180321_213655.jpg
Click to expand...
https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/

Considering the company that verified that the exploits are theoretically possible says it would be difficult to do, take time, and investments out of the reach of most, you tryingbtobthrow a cert around is Kind of meaningless now isn't it?

But wait, there's more! If CTS-labs had informed AMD like is standard practice in this situation, these exploits would of been fixed with absolutely zero chance of anyone being able to use them, so why is your problem as an IT security "expert" with incredibly difficult flaws to even exploit instead of the way this was released and handled?
 
FearTheCow said:
Nope, still comes down to an initial major fuck up(s). So again, a non issue.
Click to expand...

You can say that about almost all exploits. Tricking a user into running something is the #1 attack vector of everything.

That does not mean we should dismiss such exploits as non-issues. Especially in this case, where an exploit leaves your HARDWARE compromised, and storage wipe or replacement does not fix the problem.

Rational responses, as always, are the key. No, we should not run around windmilling our arms that the world is ending. The CTS publications are a bit absurd, and the subsequent media reporting has been largely clickbait. But there is an actual issue, and we do need to fix it. Yes, I'm happy it would be pretty hard to pull off. Let's make it harder.

Edit: and YES, F CTS in the F for not following responsible disclosure. Asshats.
 
Todd Walter said:
Local *ROOT* access. You are already owned if the attacker has that.
Click to expand...

And leaving extra ways for them to get around is such a great idea. Sure you might be owned but lets not let them have any extra tools in their bag...
 
kju1 said:
And leaving extra ways for them to get around is such a great idea. Sure you might be owned but lets not let them have any extra tools in their bag...
Click to expand...
Very true, it needs to be addressed, and AMD has said they will address it. Is this a critical exploit though? It seems that it is, only if your system was critically vulnerable by other means in the first place.
How and why CTS mishandled this, when compared to normal security flaw reporting, is the story here.
 
Gorankar said:
Very true, it needs to be addressed, and AMD has said they will address it. Is this a critical exploit though? It seems that it is, only if your system was critically vulnerable by other means in the first place.
How and why CTS mishandled this, when compared to normal security flaw reporting, is the story here.
Click to expand...

I think CTS thought this would be a great publicity plan, and it backfired spectacularly. As it should. The difference between a white hat and grey/black is precisely in responsible handling.
 
You must log in or register to reply here.
Back
Top