AMD Responds To CTS Labs Vulnerability Claims

rgMekanic

[H]ard|News
Last week we wrote about possible AMD security flaws that were announced by CTS Labs. Today, AMD has released their assessment of CTS Labs' claims in a community post. AMD makes it clear that the issues identified by CTS Labs have nothing to do with Meltdown and Spectre, but are associated with the firmware that manages the AMD Secure Processor, as well as the chipset used in some AM4 and TR4 motherboards.

AMD notes that all issues raised in the CTS Labs report require administrative access to the machine in order to exploit, meaning that before any of these exploits could be used, an attacker would already have full control of the system and could essentially do whatever they want. Despite this, AMD is releasing firmware patches to address the issues, which will be available via BIOS updates and are not expected to have any impact on system performance. An article on PCPer goes into more depth.

In addition, CTS Labs has posted a video on YouTube showing a proof of concept for the Masterkey-1 exploit. In the video, CTS Labs shows them installing a modified BIOS on a TYAN motherboard that makes the screen flicker during boot.

The integrity of CTS Labs has come into question since they published the vulnerabilities last week, to the point where even Linus Torvalds spoke about it in his signature style. I find it interesting that CTS Labs has decided to disable comments and hide the like/dislike ratio for the video above. And I find it impressive that AMD is going to release a patch for this, despite the fact the attacker must already have full access to the machine, as well as know what motherboard it is using in order to write a custom BIOS. Still seems quite shady to me.
 
Kinda like showing you how a lock works then complaining that there is a security issue...


 
If the best exploit you can come up with involves faking a machine's BIOS, which is highly machine-specific and dodgy as hell if not impossible to pull off in the real world, and then to top it off you have to have already broken in using some other method first... LMAO is about all you can say.

Kudos to AMD for saying "ok sure, we could make this bit of code a bit more secure I guess." Put it on the level of every other non-news-grabbing bug that gets discovered and patched daily. Claiming this crap as some show-stopping AMD bug was highly stupid, as clearly the guys that found it were smart enough to understand it wasn't really a big deal. Makes you wonder how much they had shorted AMD stock prior.
 
We can make your screen flicker during boot, if we already have full access to your machine! Be afraid! Clear case of a straight-up smear job, but of the very cheap kind.
I doubt Intel put them up to this. It's more like "we're friends with intel so we do this for them". I don't think anyone with the pull required to make this happen is stupid enough to do it at intel. This only makes them look worse. Complaining about the neighbor's lawn while sitting on a giant landfill themselves.
 
Good jorb pointing that out Courageous Terrific Labs, but did you know it's easy to unlock a door when the roof is exploited?

Kudos to AMD for the meh it's fixed approach. Keep owning them U fine Sirs
 
And I find it impressive that AMD is going to release a patch for this, despite the fact the attacker must already have full access to the machine, as well as know what motherboard it is using in order to write a custom BIOS. Still seems quite shady to me.

I find it a little disturbing that you are willing to dismiss a vulnerability even though it requires local access to exploit today. It's still something that should be fixed. Granted, it doesn't get the same priority as remote exploits, but it's still desirable to patch and close the hole. The risk posture might mean "patch later" but it will almost never say "patch never".

I applaud AMD for taking the time to patch this, thereby letting their customers make their own risk mitigation decisions.

EDIT: To be fair, that's my take on how I read your statement in the context of the post overall. If that's not your intent then the above doesn't necessarily apply ;)
 
Owning a system that you already own. Impressive "exploit."

In other news, locks are flawed because people already inside your house can steal stuff.

Technically, it is more like people you ever invited into your house or got through the lock could remain invisible in your house forever - even if you sell it and the new owner changes all the locks.
 
I applaud AMD for taking the time to patch this, thereby letting their customers make their own risk mitigation decisions.
I took this as AMD laying the beatdown on CTS while they were fresh in everyone's minds... had they released a patch in, say, 3 months, people would have mostly forgotten about CTS. Providing details of the fix so shortly after CTS's bullshit press statements re-affirms they are so full of shit.
 
I'm impressed how fast they responded to this. I doubt many cared about it for obvious reasons, but it's nice of AMD to do something fast just to be on the safe side (and earn some good PR). AMD, I will seriously consider you in my next build (Intel has a lot of work to do in the next few years if they want my money again).
 
I'm impressed how fast they responded to this. I doubt many cared about it for obvious reasons, but it's nice of AMD to do something fast just to be on the safe side (and earn some good PR). AMD, I will seriously consider you in my next build (Intel has a lot of work to do in the next few years if they want my money again).

It was smart on their part to get ahead of it. There's a vocal minority, here and elsewhere, that won't stop beating their drums against AMD in any way they can, regardless of how big or small. Better to get info out there and get a fix in the pipeline, especially if the timeline to do so is substantially lower than CTS claimed was likely.
 
Viceroy Research: “We believe AMD is worth $0.00, and will have no choice but to file for Chapter 11 Bankruptcy in order to effectively deal with the repercussions of recent discoveries.”

When is AMD filing?
Did the stock hit $0 today?

Don't tell me these guys were wrong too...
 
I'm impressed how fast they responded to this. I doubt many cared about it for obvious reasons, but it's nice of AMD to do something fast just to be on the safe side (and earn some good PR). AMD, I will seriously consider you in my next build (Intel has a lot of work to do in the next few years if they want my money again).
It shows that they are confident that a fix is possible, and likely won't take long to implement. It also shows how little CTS knows about how firmware and microcode work.
 
CTS has already won with their idiocy. Congrats to them, well played Fauxters.
 
Do you think customers are lining up to do business with the great AMD hackers? Uneducated customers, I would imagine, which appears to be a lot. AMD releasing a patch sort of "vindicates" these CTS guys in the eyes of some.
 
So basically, like everyone other than a few shills said... a huge big nothingburger.
 
So basically, like everyone other than a few shills said... a huge big nothingburger.


I think the "real" story is fake news for profit. That's how I see it, maybe I'm wrong? If that's the case it really shouldn't be a nothingburger.
 
I think the "real" story is fake news for profit. That's how I see it, maybe I'm wrong? If that's the case it really shouldn't be a nothingburger.
They're real flaws, so not really "nothing," but also not nearly as serious as they were made out to be, nor as unpatchable.

They're non-trivial to exploit (require admin/"metal" access), and can be patched easily enough (say, a couple weeks, then a week or two to distribute them). Most users will be patched before they can even become a target, and the ones who might not be will likely have better security measures than the average user admin.
 
I think they will make the firmware update, even though it is completely unnecessary, just to shut the IDF up. Even if this "vulnerability" is ridiculous it still provides some ammunition for Intel fanatics and that may affect potential sales if some poor sod who is buying a new PC happens to believe their ramblings.
 
So, did Viceroy and CTS Labs make the profit they wanted shorting AMD stock? :p
I don't know what level of short they bought, but AMD's stock has been trending down for a couple of months, and this little fiasco had no effect. I'm assuming it was a relatively small short intended to increase daily volatility and allow some buy-ins during a good time to buy.

I think they will make the firmware update, even though it is completely unnecessary, just to shut the IDF up. Even if this "vulnerability" is ridiculous it still provides some ammunition for Intel fanatics and that may affect potential sales if some poor sod who is buying a new PC happens to believe their ramblings.
Regardless of the level of urgency, system breaking or general maintenance, it's a legitimate flaw which needs patching.

Under normal circumstances this would have been handled discreetly and yielded some bug bounty to the researchers. Since they didn't take that route, it's crystal clear they meant to do harm.

Other than the little fuckwits at CTS Labs and Trail of Bits, business as usual for AMD.
 
They're real flaws, so not really "nothing," but also not nearly as serious as they were made out to be, nor as unpatchable.

They're non-trivial to exploit (require admin/"metal" access), and can be patched easily enough (say, a couple weeks, then a week or two to distribute them). Most users will be patched before they can even become a target, and the ones who might not be will likely have better security measures than the average user admin.
It was a flaw that was known about since Jan 2018... http://seclists.org/fulldisclosure/2018/Jan/12 This then prompted AMD to provide the end-user (Ryzen) means to "disable" the PSP (whether it really does is something different, it did cause a change on my system).
So the CTS spin is an even bigger nothingburger... they didn't actually find anything that wasn't already known and worked on
 
So all flaws confirmed just as Spectre. But they still have to release Spectre patches as far as I know.
 
It was a flaw that was known about since Jan 2018... http://seclists.org/fulldisclosure/2018/Jan/12 This then prompted AMD to provide the end-user (Ryzen) means to "disable" the PSP (whether it really does is something different, it did cause a change on my system).
So the CTS spin is an even bigger nothingburger... they didn't actually find anything that wasn't already known and worked on

the fact that we are mitigating this on intel systems is also worth noting.
We're not outright preventing it, but we're making it slightly more difficult but any technical person with google skills and the hardware in front can easily do it still.
Or with admin rights on the host operating system on our KabyLake machines.

It works as intended still.
 
I feel like AMD loses by even acknowledging this obvious chicanery, but I guess patching it in record time is the next best thing.

Hopefully CTS labs made no money so other jokers aren't tempted to try similar schemes.
 
I find it a little disturbing that you are willing to dismiss a vulnerability even though it requires local access to exploit today. Its still something that should be fixed. Granted it doesnt get the same priority as remote exploits but its still desirable to patch and close the hole. The risk posture might mean patch later but it will almost never say "patch never".

I applaud AMD for taking the time to patch this thereby letting their customers making their own risk mitigation decisions.

EDIT: To be fair thats my take on how I read your statement in context of the post overall. if thats not your intent then the above doesnt necessarily apply ;)

Local *ROOT* access. You are already owned if the attacker has that.
 
It was a flaw that was known about since Jan 2018... http://seclists.org/fulldisclosure/2018/Jan/12 This then prompted AMD to provide the end-user (Ryzen) means to "disable" the PSP (whether it really does is something different, it did cause a change on my system).
So the CTS spin is an even bigger nothingburger... they didn't actually find anything that wasn't already known and worked on
AMD explicitly said that it's not the flaw from January...
The article said:
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
 
Next thing they'll be telling us that P@ssword or 12345678 are major risks to security and it could take years for some people to change. Well. . . .at least there they might be right. Honestly this just seems like a free publicity grab, probably trying to set themselves up to impress some investors.
 
AMD explicitly said that it's not the flaw from January...
Umm... That's what I wrote. What I linked from January wasn't to do with Spectre (coincidentally made public at the same time) BUT an oversight in AMD's PSP where a custom firmware loaded would provide full access.

This is exactly the same thing and is old news
 
the fact that we are mitigating this on intel systems is also worth noting.
We're not outright preventing it, but we're making it slightly more difficult but any technical person with google skills and the hardware in front can easily do it still.
Or with admin rights on the host operating system on our KabyLake machines.

It works as intended still.
What? What I linked to has nothing to do with Intel. This is specific to AMD's PSP.
 