AMD Responds To CTS Labs Vulnerability Claims

rgMekanic

[H]ard|News
Joined
May 13, 2013
Messages
5,910
Last week we wrote about possible AMD security flaws that were announced by CTS Labs. Today, AMD has released their assessment of CTS Labs' claims in a community post. AMD makes it clear that the issues identified by CTS Labs have nothing to do with Meltdown and Spectre, but are associated with the firmware that manages the AMD Secure Processor, as well as the chipset used in some AM4 and TR4 motherboards.

AMD notes that all issues raised in the CTS Labs report require administrative access to the machine in order to implement, meaning before any of these exploits could be used, an attacker would already have full control of the system and could essentially do whatever they want. Despite this, AMD is releasing a firmware patch to address the issues; it will be available via BIOS update and is not expected to have any impact on system performance. An article on PCPer goes into more depth.

In addition, CTS Labs has posted a video on YouTube showing a proof-of-concept for the Masterkey-1 exploit. In the video, CTS Labs is shown installing a modified BIOS for a TYAN motherboard which makes the screen flicker during boot.

The integrity of CTS Labs has come into question since they published the vulnerabilities last week, to the point where even Linus Torvalds spoke about it in his signature style. I find it interesting that CTS Labs has decided to disable comments and hide the like/dislike ratio for the video above. And I find it impressive that AMD is going to release a patch for this, despite the fact the attacker must already have full access to the machine, as well as know what motherboard it is using in order to write a custom BIOS. Still seems quite shady to me.
 

Axehandler

Gawd
Joined
Dec 19, 2007
Messages
635
Kinda like showing you how a lock works, then complaining that there is a security issue...


 

ChadD

Supreme [H]ardness
Joined
Feb 8, 2016
Messages
5,503
If the best exploit you can come up with involves faking a machine's BIOS... which is highly machine specific and dodgy as hell, if not impossible, to pull off in the real world... but then, to top it off, you have to have already broken in using some other method first. LMAO is about all you can say.

Kudos to AMD for saying ok, sure, we could make this bit of code a bit more secure, I guess. Put it on the level of every other non-news-grabbing bug that gets discovered and patched daily. Claiming this crap as some show-stopping AMD bug was highly stupid, as clearly the guys that found it were smart enough to understand it wasn't really a big deal. Makes you wonder how much they had shorted AMD stock prior.
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289

M76

[H]F Junkie
Joined
Jun 12, 2012
Messages
12,789
We can make your screen flicker during boot, if we already have full access to your machine! Be afraid! Clear case of a straight up smearjob, but of the very cheap kind.
I doubt Intel put them up to this. It's more like "we're friends with intel so we do this for them". I don't think anyone with the pull required to make this happen is stupid enough to do it at intel. This only makes them look worse. Complaining about the neighbor's lawn while sitting on a giant landfill themselves.
 

viper1152012

[H]ard|Gawd
Joined
Jun 20, 2012
Messages
1,025
Good jorb pointing that out, Courageous Terrific Labs, but did you know it's easy to unlock a door when the roof is exploited?

Kudos to AMD for the meh it's fixed approach. Keep owning them U fine Sirs
 

kju1

2[H]4U
Joined
Mar 27, 2002
Messages
3,460
And I find it impressive that AMD is going to release a patch for this, despite the fact the attacker must already have full access to the machine, as well as know what motherboard it is using in order to write a custom BIOS. Still seems quite shady to me.

I find it a little disturbing that you are willing to dismiss a vulnerability even though it requires local access to exploit today. It's still something that should be fixed. Granted, it doesn't get the same priority as remote exploits, but it's still desirable to patch and close the hole. The risk posture might mean "patch later" but it will almost never say "patch never".

I applaud AMD for taking the time to patch this, thereby letting their customers make their own risk mitigation decisions.

EDIT: To be fair, that's my take on how I read your statement in the context of the post overall. If that's not your intent then the above doesn't necessarily apply ;)
 

OutOfPhase

Supreme [H]ardness
Joined
May 11, 2005
Messages
4,817
Owning a system that you already own. Impressive "exploit."

In other news, locks are flawed because people already inside your house can steal stuff.

Technically, it is more like people you ever invited into your house or got through the lock could remain invisible in your house forever - even if you sell it and the new owner changes all the locks.
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
I applaud AMD for taking the time to patch this, thereby letting their customers make their own risk mitigation decisions.
I took this as AMD laying the beatdown on CTS while they were fresh in everyone's minds... had they released a patch in, say, 3 months, people would have mostly forgotten about CTS. Providing details of the fix so shortly after CTS's bullshit press statements re-affirms they are so full of shit.
 

WhoMe

Gawd
Joined
Jan 3, 2018
Messages
827
I'm impressed how fast they responded to this. I doubt many cared about it for obvious reasons, but it's nice of AMD to do something fast just to be on the safe side (and earn some good PR). AMD, I will seriously consider you in my next build (Intel has a lot of work to do in the next few years if they want my money again).
 

TurboGLH

Gawd
Joined
Dec 19, 2002
Messages
695
I'm impressed how fast they responded to this. I doubt many cared about it for obvious reasons, but it's nice of AMD to do something fast just to be on the safe side (and earn some good PR). AMD, I will seriously consider you in my next build (Intel has a lot of work to do in the next few years if they want my money again).

It was smart on their part to get ahead of it. There's a vocal minority, here and elsewhere, that won't stop beating their drums against AMD in any way they can, regardless of how big or small. Better to get info out there and get a fix in the pipeline, especially if the timeline to do so is substantially lower than CTS claimed was likely.
 

pgaster

[H]ard|Gawd
Joined
May 17, 2008
Messages
1,377
Viceroy Research: “We believe AMD is worth $0.00, and will have no choice but to file for Chapter 11 Bankruptcy in order to effectively deal with the repercussions of recent discoveries.”

When is AMD filing?
Did the stock hit $0 today?

Don't tell me these guys were wrong too...
 

Nobu

Supreme [H]ardness
Joined
Jun 7, 2007
Messages
7,908
I'm impressed how fast they responded to this. I doubt many cared about it for obvious reasons, but it's nice of AMD to do something fast just to be on the safe side (and earn some good PR). AMD, I will seriously consider you in my next build (Intel has a lot of work to do in the next few years if they want my money again).
It shows that they are confident that a fix is possible, and likely won't take long to implement. It also shows how little CTS knows about how firmware and microcode work.
 

Mega6

2[H]4U
Joined
Aug 13, 2017
Messages
3,556
CTS has already won with their idiocy. Congrats to them, well played, Fauxters.
 

Mega6

2[H]4U
Joined
Aug 13, 2017
Messages
3,556
Do you think customers are lining up to do business with the great AMD Hackers? Uneducated customers, I would imagine, which appears to be a lot. AMD releasing a patch sort of "vindicates" these CTS guys in the eyes of some.
 

Brackle

Old Timer
Joined
Jun 19, 2003
Messages
7,994
So basically, like everyone said other than a few shills... a huge big nothingburger.
 

skydriver

Limp Gawd
Joined
Jan 12, 2015
Messages
138
So basically, like everyone said other than a few shills... a huge big nothingburger.

I think the "real" story is fake news for profit. That's how I see it; maybe I'm wrong? If that's the case it really shouldn't be a nothingburger.
 

Nobu

Supreme [H]ardness
Joined
Jun 7, 2007
Messages
7,908
I think the "real" story is fake news for profit. That's how I see it; maybe I'm wrong? If that's the case it really shouldn't be a nothingburger.
They're real flaws, so not really "nothing," but also not nearly as serious as they were made out to be, nor as unpatchable.

They're non-trivial to exploit (require admin/"metal" access), and can be patched easily enough (say, a couple weeks, then a week or two to distribute them). Most users will be patched before they can even become a target, and the ones who might not be will likely have better security measures than the average user admin.
 

MaZa

2[H]4U
Joined
Sep 21, 2008
Messages
3,441
I think they will make the firmware update, even though it is completely unnecessary, just to shut the IDF up. Even if this "vulnerability" is ridiculous it still provides some ammunition for Intel fanatics and that may affect potential sales if some poor sod who is buying a new PC happens to believe their ramblings.
 

velusip

[H]ard|Gawd
Joined
Jan 24, 2005
Messages
1,579
So, did Viceroy and CTS Labs make the profit they wanted shorting AMD stock? :p
I don't know what level of short they bought, but AMD's stock has been trending down for a couple of months, and this little fiasco had no effect. I'm assuming it was a relatively small short intended to increase daily volatility and allow some buy-ins during a good time to buy.

I think they will make the firmware update, even though it is completely unnecessary, just to shut the IDF up. Even if this "vulnerability" is ridiculous it still provides some ammunition for Intel fanatics and that may affect potential sales if some poor sod who is buying a new PC happens to believe their ramblings.
Regardless of the level of urgency, system breaking or general maintenance, it's a legitimate flaw which needs patching.

Under normal circumstances this would have been handled discreetly and yielded some bug bounty to the researchers. Since they didn't take that route, it's crystal clear they meant to do harm.

Other than the little fuckwits at CTS Labs and Trail of Bits, business as usual for AMD.
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
They're real flaws, so not really "nothing," but also not nearly as serious as they were made out to be, nor as unpatchable.

They're non-trivial to exploit (require admin/"metal" access), and can be patched easily enough (say, a couple weeks, then a week or two to distribute them). Most users will be patched before they can even become a target, and the ones who might not be will likely have better security measures than the average user admin.
It was a flaw that was known about since Jan 2018... http://seclists.org/fulldisclosure/2018/Jan/12 This then prompted AMD to provide the end user (Ryzen) a means to "disable" the PSP (whether it really does is something different; it did cause a change on my system).
So the CTS spin is an even bigger nothingburger... they didn't actually find anything that wasn't already known and worked on.
 

Shintai

Supreme [H]ardness
Joined
Jul 1, 2016
Messages
5,678
So all flaws confirmed just as Spectre. But they still have to release Spectre patches as far as I know.
 

ole-m

Limp Gawd
Joined
Oct 5, 2015
Messages
452
It was a flaw that was known about since Jan 2018... http://seclists.org/fulldisclosure/2018/Jan/12 This then prompted AMD to provide the end user (Ryzen) a means to "disable" the PSP (whether it really does is something different; it did cause a change on my system).
So the CTS spin is an even bigger nothingburger... they didn't actually find anything that wasn't already known and worked on.

The fact that we are mitigating this on Intel systems is also worth noting.
We're not outright preventing it, but we're making it slightly more difficult; any technical person with Google skills and the hardware in front of them can easily do it still.
Or with admin rights on the host operating system on our Kaby Lake machines.

It works as intended still.
 

deton8

Limp Gawd
Joined
Sep 27, 2007
Messages
454
I feel like AMD loses by even acknowledging this obvious chicanery, but I guess patching it in record time is the next best thing.

Hopefully CTS labs made no money so other jokers aren't tempted to try similar schemes.
 
Joined
May 10, 2016
Messages
634
I find it a little disturbing that you are willing to dismiss a vulnerability even though it requires local access to exploit today. It's still something that should be fixed. Granted, it doesn't get the same priority as remote exploits, but it's still desirable to patch and close the hole. The risk posture might mean "patch later" but it will almost never say "patch never".

I applaud AMD for taking the time to patch this, thereby letting their customers make their own risk mitigation decisions.

EDIT: To be fair, that's my take on how I read your statement in the context of the post overall. If that's not your intent then the above doesn't necessarily apply ;)

Local *ROOT* access. You are already owned if the attacker has that.
 

Nobu

Supreme [H]ardness
Joined
Jun 7, 2007
Messages
7,908
It was a flaw that was known about since Jan 2018... http://seclists.org/fulldisclosure/2018/Jan/12 This then prompted AMD to provide the end user (Ryzen) a means to "disable" the PSP (whether it really does is something different; it did cause a change on my system).
So the CTS spin is an even bigger nothingburger... they didn't actually find anything that wasn't already known and worked on.
AMD explicitly said that it's not the flaw from January...
The article said:
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
 

lostin3d

[H]ard|Gawd
Joined
Oct 13, 2016
Messages
2,043
Next thing they'll be telling us that P@ssword or 12345678 are major risks to security and it could take years for some people to change. Well. . . .at least there they might be right. Honestly this just seems like a free publicity grab, probably trying to set themselves up to impress some investors.
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
AMD explicitly said that it's not the flaw from January...
Umm... That's what I wrote. What I linked from January wasn't to do with Spectre (coincidentally made public at the same time) BUT an oversight in AMD's PSP where a custom firmware loaded would provide full access.

This is exactly the same thing and is old news
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
The fact that we are mitigating this on Intel systems is also worth noting.
We're not outright preventing it, but we're making it slightly more difficult; any technical person with Google skills and the hardware in front of them can easily do it still.
Or with admin rights on the host operating system on our Kaby Lake machines.

It works as intended still.
What? What I linked to has nothing to do with Intel. This is specific to AMD's PSP.
 