Wednesday, March 14th 2018

CTS Labs Sent AMD and Other Companies a Research Package with Proof-of-Concept Code

CTS Labs, the Israel-based IT security research company behind Tuesday's explosive AMD Ryzen security vulnerabilities report, responded to questions posed by TechPowerUp. One of the biggest of these, which is also on the minds of skeptics, concerns the ominous absence of proof-of-concept code or binaries from their initial public report (in contrast to the Meltdown/Spectre reports, which went into technical detail about the exploits). CTS Labs stated to TechPowerUp that it has sent AMD, along with other big tech companies, a "complete research package," which includes "full technical write-ups about the vulnerabilities," "functional proof-of-concept exploit code," and "instructions on how to reproduce each vulnerability." It stated that besides AMD, the research package was sent to Microsoft, HP, Dell, Symantec, FireEye, and Cisco Systems, to help them develop patches and mitigations.

An unwritten yet generally accepted practice in the IT security industry, upon discovery of such vulnerabilities, is for researchers to give the companies in question at least 90 days to design a software patch, harden infrastructure, or implement other mitigation. Those 90 days are in stark contrast to the 24 hours AMD got from CTS Labs. CTS Labs confirmed to TechPowerUp that it shared its research package with AMD (and the other companies) just 24 hours prior to making its report public, but urged those disgruntled with this decision to look at the situation objectively: "If you look at the situation in the following way: right now the public knows about the vulnerabilities and their implications, AMD is fully informed and developing patches, and major security companies are also informed and working on mitigation."
This is in contrast to the unintended consequence of keeping Meltdown/Spectre out of the public domain for over half a year, which allowed Intel's senior executives to dump company stock, and big cloud computing providers to harden their infrastructure, giving themselves a competitive advantage over smaller providers. But unlike Meltdown/Spectre, these vulnerabilities aren't industry-wide (i.e. they don't affect Intel), placing AMD at a disadvantage in both the stock market and the retail market.

CTS Labs, through the sequence of its actions, has attempted to shift the burden of proof from itself to AMD, which is extremely uncommon in the IT security industry. With no proof-of-concept for these vulnerabilities in the public domain, an environment of fear, uncertainty, and doubt (FUD) is developing, with AMD occupied testing its chips for these vulnerabilities and, if the vulnerabilities are real, still far from releasing patches. This places anyone with a short position against AMD stock at a distinct advantage. The strategy of AMD investor relations and corporate communications should now be to allay many of those fears among people without access to the proof-of-concept, and to ask investors to refrain from giving in to FUD.

93 Comments on CTS Labs Sent AMD and Other Companies a Research Package with Proof-of-Concept Code

#1
_JP_
Still looks like "boy who cried wolf", in the execution.
#2
RejZoR
It still reeks of Intel's interference even if all the vulnerabilities are true. Though some are already BS from the get-go, like the requirement of having physical local admin access to the system. At that point, can it even be classified as a "vulnerability"? If you have that, you're basically managing the system. Which in the end can be run by any CPU of any kind and be "vulnerable" to anything you throw at it. Not to mention how the whole thing is being handled: Meltdown/Spectre, which affected Intel the worst, the public had no knowledge of for months. Here, they give AMD a 24 hour ultimatum. That's total BS. Someone doesn't care about actual security as much as they care about attention whoring and crashing someone's stocks...
#3
W1zzard
"RejZoR said:
physical local admin access to the system
Physical access is not required, just admin privileges
#4
dorsetknob
"YOUR RMA REQUEST IS CON-REFUSED"
"Oh My GOD"
All my AMD systems Can be Compromised
Must Go OFF line Till they Solve This..................> Hang on not got an AMD System o_O:nutkick:

Just in Case i must wrap all my PC's in Tin foil (that will work won't it:roll:)
#5
RejZoR
"W1zzard said:
Physical access is not required, just admin privileges
Still, when you have admin access, does it really matter at that point anymore?
#6
ssdpro
Even if it leans more true now, all products have the possibility of security vulnerabilities. This company should have given AMD and other companies more time with the information.

AMD is very quiet now going on 48 hours so it looks like at least some of it is verified. If CTS didn't really provide the code and methods AMD would have just said "CTS hasn't provided any details or code as claimed and so far we are unable to verify these claims. We will continue to investigate and provide additional information as it becomes available". That statement hasn't come.
#7
Basard
So do any of these hacks help one gain admin privileges?
#8
VulkanBros
CTS Labs, the Israel-based IT security research company
- should be "CTS Labs, the Intel-based IT security research company"
#9
W1zzard
"RejZoR said:
Still, when you have admin access, does it really matter at that point anymore?
Physical access and admin access are two vastly different things. Every malware gets onto PCs through admin access, tons of computers get infected every day, so this is not a non-issue.
The difference here is that the malware can be hidden in a way that's undetectable from security software and persists through reboot, and OS reinstall, which means "buy a new computer" for 99% of the population.

"Basard said:
So do any of these hacks help one gain admin privileges?
No
#10
owen10578
"W1zzard said:
Physical access and admin access are two vastly different things. Every malware gets onto PCs through admin access, tons of computers get infected every day, so this is not a non-issue.
The difference here is that the malware can be hidden in a way that's undetectable from security software and persists through reboot, and OS reinstall, which means "buy a new computer" for 99% of the population.
So you're saying you believe this? Without further evidence yet?
#11
oxidized
"owen10578 said:
So you're saying you believe this? Without further evidence yet?
Has he written somewhere he believes this?
#12
W1zzard
"owen10578 said:
So you're saying you believe this? Without further evidence yet?
It looks sufficiently credible to me to not ignore it, which is why we are reporting on this at TPU. You are right of course that more evidence is needed, which doesn't seem that far away, days at max, probably hours.

I feel I have an excellent understanding of what they described and am trying to provide insights, and help clear up misunderstandings.
#14
laszlo
"W1zzard said:
It looks sufficiently credible to me to not ignore it, which is why we are reporting on this at TPU. You are right of course that more evidence is needed, which doesn't seem that far away, days at max, probably hours.

I feel I have an excellent understanding of what they described and am trying to provide insights, and help clear up misunderstandings.
So in your opinion, with admin privileges and the needed know-how, only AMD systems are vulnerable? Intel CPUs don't execute the admin code?

If the findings are correct, I bet they can be reproduced on all available hardware.....
#15
IceScreamer
Really curious what will happen. Considering how dubious those researchers seem, these appear to be legitimate vulnerabilities.
#16
the54thvoid
"W1zzard said:
It looks sufficiently credible to me to not ignore it, which is why we are reporting on this at TPU. You are right of course that more evidence is needed, which doesn't seem that far away, days at max, probably hours.

I feel I have an excellent understanding of what they described and am trying to provide insights, and help clear up misunderstandings.
How does one execute remote admin privileges? You would need to allow access initially via relevant software (remote diagnostics?) or have a prior malware installed to allow such access?
#17
W1zzard
"the54thvoid said:
How does one execute remote admin privileges? You would need to allow access initially via relevant software (remote diagnostics?) or have a prior malware installed to allow such access?
Malware, through the same methods that infect thousands of PCs each day.
#18
newtekie1
Semi-Retired Folder
"btarunr said:
"If you look at the situation in the following way: right now the public knows about the vulnerabilities and their implications, AMD is fully informed and developing patches, and major security companies are also informed and working on mitigation."

This is in contrast to the unintentional consequence of keeping Meltdown/Spectre away from the public domain for over half a year, allowing Intel's senior executives to dump company stock, and for big cloud computing providers to harden their infrastructure, giving themselves a competitive advantage over smaller providers.
This is putting a monetary goal in front of keeping things secure and that's BS if CTS is trying to be taken seriously. Telling the public does not help anything in these situations, it makes things worse, and any real security firm would know that. You give the information to the company it affects, AMD in this case, and at least give them some time to develop patches or updates to fix the vulnerabilities. Again, 90 days is standard, because the sooner you let the public know the vulnerabilities exist, the sooner malicious people know the vulnerabilities exist and begin to start exploiting them. What CTS did was basically hand hackers instructions on how to exploit these vulnerabilities immediately without giving AMD any time to fix them. That isn't keeping people secure, that is just CTS trying to make a name for themselves by putting their own profit ahead of the public's security.


"the54thvoid said:
How does one execute remote admin privileges? You would need to allow access initially via relevant software (remote diagnostics?) or have a prior malware installed to allow such access?
How do you think pretty much all other malware infects systems? How do you think ransomware works? I'll give you a hint: Admin Level Code.

90% of writing malicious programs these days is tricking the users into running it on their systems.

"W1zzard said:
The difference here is that the malware can be hidden in a way that's undetectable from security software and persists through reboot, and OS reinstall, which means "buy a new computer" for 99% of the population.
Exactly, this is the scary part. I don't think we've seen a good BIOS virus in decades!
#19
xkm1948
Oh look, more BS from the scam company CTS
#20
Kaotik
"newtekie1 said:
This is putting a monetary goal in front of keeping things secure and that's BS if CTS is trying to be taken seriously. Telling the public does not help anything in these situations, it makes things worse, and any real security firm would know that. You give the information to the company it affects, AMD in this case, and at least give them some time to develop patches or updates to fix the vulnerabilities. Again, 90 days is standard, because the sooner you let the public know the vulnerabilities exist, the sooner malicious people know the vulnerabilities exist and begin to start exploiting them. What CTS did was basically hand hackers instructions on how to exploit these vulnerabilities immediately without giving AMD any time to fix them. That isn't keeping people secure, that is just CTS trying to make a name for themselves by putting their own profit ahead of the public's security.
They even admit in their whitepaper that they have an economic interest in the issue, which leads to Viceroy Research, who released pretty much instantly after the "whitepaper" release an "AMD Obituary" saying that AMD stock price should be $0.00 and they need to file for Chapter 11 bankruptcy. Viceroy Research is already under investigation in Germany on similar matters https://www.cnbc.com/2018/03/12/reuters-america-update-1-german-watchdog-says-viceroys-prosieben-report-broke-rules.html

Also, to repeat what probably has been said already several times.
One of the "vulnerabilities" requires admin access and malicious BIOS, the rest require admin access and vendor signed malicious drivers.
The point at which your system, network or some such could be vulnerable to these would require someone with malicious intent and admin access to your systems - and at that point every single possible system is already compromised, no matter if it's AMD or anyone else.
#21
Dave65
"Capitan Harlock said:
I don't trust Israel on anything, especially political stuff.
Same here..
#22
newtekie1
Semi-Retired Folder
"Kaotik said:
Also, to repeat what probably has been said already several times.
One of the "vulnerabilities" requires admin access and malicious BIOS, the rest require admin access and vendor signed malicious drivers.
The point at which your system, network or some such could be vulnerable to these would require someone with malicious intent and admin access to your systems - and at that point every single possible system is already compromised, no matter if it's AMD or anyone else.
The one vulnerability allows malicious BIOS to be installed. That is a pretty big issue actually. Beyond the normal malware we see today, because it allows the malware to persist even after a reformat and OS re-install, even after a full replacement of the storage drives. That actually is pretty bad.
#23
Countryside
If this thing keeps rolling on CTS might even afford to get some real office space.

Anyway I'm waiting for AMD's official response and after that we can get this show on the road.
#24
Fleurious
So refreshing to see the Oxford comma being used in an article.

Also, regardless of their excuse, 24hrs notice before going public was a stupid decision.
#25
ArchStupid
"Capitan Harlock said:
I don't trust Israel on anything, especially political stuff.
"Dave65 said:
Same here..
Very relevant.
How to spot the racists.