AMD CPU Attack Vectors and Vulnerabilities

FrgMstr

Just Plain Mean
Staff member
Joined
May 18, 1997
Messages
55,510
This is a very interesting way to go about announcing a "Severe Security Advisory on AMD Processors (PDF). The previous white paper link comes from the site, AMDFlaws.com. It is suggesting that AMD's entire new EPYC and Ryzen processor lines are open to thirteen "Critical Security Vulnerabilities and Manufacturer Backdoors." This comes at the suggestion of CTS-Labs, an Israel based security company. We are unsure if any of this has been replicated and verified or if any variants of these attack vectors are in the wild.

Check out the video.

This all seems to be a very well produced announcement of these issues if those do in fact exist. I am getting with our security expert today in order to discuss the validities of these complaints. No matter what becomes of that, this is a very odd way of announcing security issues. Simply announcing these types of issues with no forewarning is also considered extremely irresponsible and AMD did not get warning of more than 24 hours in advance. We will be reaching out to AMD for further comment, but I doubt we will hear much since it will have to take time to validate and investigate.

The AMDFlaws.com domain was registered with GoDaddy on the 22nd of February and ownership of that domain is hidden by Domains By Proxy, LLC. That again strikes me as odd for a security company to hide the identity of domain ownership.

EDIT:
 
Last edited:
"CTS-Labs, an Israel based security company"

Doesn't Intel do a lot of businesses in Israel?
You would be very correct, sir.

Select a location to learn what it's like to work at Intel in Israel.



Haifa ›
Intel's Israel Development Centre (IDC) was established in 1974 as Intel's first design and development center outside of the United States.



Jerusalem ›
The Israel Development Centre has expanded geographically to several Israel locations, including Jerusalem, where the focus is on network and communications components.



Petach Tikva ›
Intel's design and development center in Petach Tikva is leading the development of components and software in the cellular communications market.



Qiryat Gat ›
Intel's fab in Qiryat Gat represents the largest single investment ever made in Israel by the private sector.



Yakum ›
The Intel design and development center in Yakum provides chipsets for mobile platforms.
 
whois.jpg
 
^^^ Care to clue us in as to what info in particular we should be focusing on? Creation date? What?
 
  • Like
Reactions: Uncle
like this
I don't think a security company would just do free research and release the information without some monetary incentives. Fairly aggressive PR stunts if intel was involved.
Research or development?
 
"The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly."
https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/#

Another article covering the topic, if true this to me points to a marketing and smear campaign rather than a legitimate independent security research. In any case, who paid for the research? that is not covered in their legal disclaimer or any information in the white paper.
 
See you banned Razor1 and look what he had to do :) In all seriousness tho it seems odd a security firm would hide their identity of site ownership. I wonder what AMD will have to say about this. Seems odd to me compared how these things normally get handled.
 
Sure looks suspicious, even if this is true, a lot of the issues seems to be PEBKAC, not in the same league as Spectre or Meltdown.
 
Interesting disclaimer at the bottom of the white paper.

"Although we have a good faith belief
in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."
 
Are you saying that, if Intel was the one funding that publication, that its legit, above board, and not a smear campaign?

I am saying if it is all true, then the source is irrelevant.

Quite frankly, if I was Intel, I would have commisioned the research to be done to find out of my competitiors had flaws and I would not hesitate to reveal the information.

As long as the information is accurate, then you can get as mad as you want about how it came to light. At the end of the day, accurate information about flaws should be known.

Now, AMD should have been given more time with the data, and that is a bit cheesy they were not.
 
Anandtech also pointed at the strange whois records, they obviously had no real desire to notify AMD with any sort of a proper lead time. amdflaws.com registered Feb 22, 2018 and the whitepaper hosted on safefirmware.com which was registered June 9, 2017 under the same sort of anonymous registrar. This is also CTS-Labs first disclosure of any kind. Seems like they took that weird fake "Skyfall and Solace" experiment and ran with it to give a marketing name to any of their findings and get their name out there. I couldn't find any real records of how the company was founded or funded but their name is a little tough to google for. Overall seems very fishy.

Tin foil zone: Project Zero disclosed meltdown June 1 to the bigger involved companies, was safefirmware.com registered after that as a place to hold whatever anti-AMD PR recovery campaign they could find? Why are they even hosted on separate domains?

Edit: correct date
 
Last edited:
^^^ Care to clue us in as to what info in particular we should be focusing on? Creation date? What?

As Kyle noted, hiding the ownership of the domain is suspicious. CTS-Labs put their splash screen right at the start of the videos; if they created the domain, why hide it?

It's extremely irresponsible to announce security vulnerabilities without disclosing them to the responsible party and giving them time to address it. Google's Project Zero reported Spectre and Meltdown to Intel and AMD on 6/1/17, and the public disclosure occurred 7 months later. Now we have not only disclosure of possibly severe, but unverified, vulnerabilities announced without the opportunity for mitigation, but a website registered solely to promote the vulnerabilties.

Extremely irresponsible at best, assuming everything reported is accurate. Potentially corporate libel. Giving CTS-Labs every benefit of the doubt, why put users at risk with this announcement? Hmm....
 
I doubt it is Intel: they have a long-term perspective, and this will be either proved true or false in the next week or two. It won't help them sell to their main customers (Dell, Lenovo, etc) but it will bite them hard in the butt if they are found to be behind it and it's false.

My bet is this is someone who has a short position on AMD stock.
 
Haha, The disclaimer is the highlight of the day.

"Although we have a good faith belief
in our analysis and believe it to be objective and unbiased, you are advised that we may have,
either directly or indirectly, an economic interest in the performance of the securities of the
companies whose products are the subject of our reports."

Theses guys must have fallen off of a goddamn tree just before they came up with this. Too bad the fucking thing was not done in crayons...lol :)
 
I doubt it is Intel: they have a long-term perspective, and this will be either proved true or false in the next week or two. It won't help them sell to their main customers (Dell, Lenovo, etc) but it will bite them hard in the butt if they are found to be behind it and it's false.

My bet is this is someone who has a short position on AMD stock.
That's a good theory or just somebody trying to make a name for themselves to get investors

This one is golden:
The vulnerabilities may allow malicious actors to proliferate through corporate networks using stolen network credentials

Because stolen credentials aren't a problem on other chips? :facepalm:

EDIT: Or this one:
Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update.

Also applies to anything newer than a potato

EDIT2:
Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges
Translation: if you are pwned the can pwn you more :rolleyes:

EDIT3: Yep every single thing on there requires full system access to exploit. I wonder what Israel's standard for libel is...
 
Last edited:
Haha, The disclaimer is the highlight of the day.

"... you are advised that we may have,either directly or indirectly,
an economic interest in the performance of the securities of the companies whose products are the subject of our reports."
If what they discovered is true, it's perfectly legal (in the US) for them to take a short position on AMD before announcing it.
It's not insider trading as the law defines it -- it's not insider information. But it will be highly profitable. :)
 
White Paper said:
Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update.

GASP! Flashing shady BIOS images can compromise security? That nice young man with the Ethereum shirt that offered to fix my computer for free had an ulterior motive!
 
"CTS-Labs, an Israel based security company"

Doesn't Intel do a lot of businesses in Israel?

Sure. They're probably right next door to AMD Israel Advanced Micro Devices .

Probably an Intel smear campaign. I believe all these exploits need root access or physical access to hardware.

Think you mean local attacks. Which is exactly what Meltdown is also.

I don't think a security company would just do free research and release the information without some monetary incentives. Fairly aggressive PR stunts if intel was involved.

They all do it. It's essentially advertising for them, for possible future business. Get their name out there, I mean. How many of us even know who CTS Labs even were, before any of this?

It's either that or bug hunters. When companies offer thousands of dollars for each bug, it can be well worth it to research for vulnerabilities for different companies. Could also just be a non-profit.


So far, all I'm seeing is both Intel and AMD have vulnerabilities in their chips. Fanboys from both sides come to defend whatever side they follow with well...no good information really.
 
It is only a "smear campaign" if none of it is true.
OK, just for the sake of argument, let's say that everything they claim is true. It could still be a smear campaign. Just highly exaggerate the claims and word them to make things look as grim as possible. Then release the "report" with little or no warning to the victim, and use a website that can't be traced back to original authors. And the icing on the cake is to create a new company in another country to be the front for the effort. Using these techniques I could smear Mother Theresa. When people use highly unethical methods, you must question their "facts". When you look at their claims, you find that they all require a highly compromised system (administrator privileges, relflashing the BIOS with a "custom" version, using a modified and signed device driver) to use any of the exploits identified. Once a system is that compromised, you are screwed anyway, regardless of the underlying hardware.
 
whitepaper highlights:

masterkey - Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update

ryzenfall - Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

fallout - Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

chimera - vulnerabilities are an array of hidden manufacturer backdoors inside AMD's Promontory chipsets. There exist two sets of backdoors, differentiated by their implementation: one is implemented within the firmware running on the chip, while the other is inside the chip's ASIC hardware.

###

MasterKey needs physical access, ryzenfall and fallout appear to be digital signature exploits and chimera are AMD backdoors built on firmware or ASIC.
 
Think you mean local attacks. Which is exactly what Meltdown is also.

Meltdown can escape a hypervisor. These "AMD flaws" don't appear to be able to. That's a huge difference alone. I think Meltdown doesn't even require admin access, just local execution. These all require elevated access

ryzenfall and fallout appear to be digital signature exploits and chimera are AMD backdoors built on firmware or ASIC.

The bit about signatures is just fluff since Windows wont even load an unsigned driver unless you have already gained admin access. See my analysis in previous post
 
Meltdown can escape a hypervisor. These "AMD flaws" don't appear to be able to. That's a huge difference alone. I think Meltdown doesn't even require admin access, just local execution. These all require elevated access

The way I see it, if you have access to a machine already, gaining elevated rights will be a small cake walk for some. Nothing I can pull off, but many others will.

Actually going through a red team inspection right now.
 
The way I see it, if you have access to a machine already, gaining elevated rights will be a small cake walk for some. Nothing I can pull off, but many others will.

Actually going through a red team inspection right now.

Not the same. JavaScript, for instance, is local execution but is a low privileged process that could nonetheless exploit Meltdown without any other privilege escalation (at least prior to OS/browser patches)
Physical access == pwned
Local execution != physical access
 
Back
Top