Monday, March 20th 2017

Initial AMD Technical Assessment of CTS Labs Research

On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users' data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.

The security issues identified by the third-party researchers are not related to the AMD "Zen" CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
As described in more detail above, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It's important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.

Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.

The security issues identified can be grouped into three major categories. The table above describes the categories, the AMD assessment of impact, and planned actions.

AMD will provide additional updates on both our analysis of these issues and the related mitigation plans in the coming weeks.
Add your own comment

98 Comments on Initial AMD Technical Assessment of CTS Labs Research

#1
Durvelle27
Will intel make a statement since some of their chipsets are affected as well
Posted on Reply
#2
Steevo
I wonder if anyone will come respond to this revelation, that administrative access is required, which means you would have complete control of a machine anyway...

Nah probably not, that would require more work than the typical "low quality" poster is capable of.
Posted on Reply
#3
R-T-B
Durvelle27 said:
Will intel make a statement since some of their chipsets are affected as well
Their chipsets are not affected. Some board makers have thrown ASMedia chips on Intel boards, but that does not make the ASMedia parts an Intel part.

Steevo said:
I wonder if anyone will come respond to this revelation, that administrative access is required, which means you would have complete control of a machine anyway...

Nah probably not, that would require more work than the typical "low quality" poster is capable of.
Administrative access has never granted you control of the negative rings.

Honestly, there shouldn't BE negative rings. But there are, and here we are.
Posted on Reply
#4
Xzibit
btarunr said:
Yes, there are vulnerabilities, but no, you won't be able to short AMD in the foreseeable future.

Enterprise interest in EPYC was only beginning. All the enterprises that were exploring EPYC will just have to wait a few more weeks for a product that's more secure without a performance impact.

I doubt if AMD will ever partner with ASMedia after 400-series. This raises chances of an NVIDIA nForce revival. NVIDIA already holds IP/licenses for chipset-related stuff, and it won't mind selling a $30-50 piece of silicon to clients, and a $70-100 silicon to enterprises. Enterprises will catalyze nForce's return because they trust the NVIDIA brand, and it made Opteron chipsets in the past.
I just looked again at the X470 Asus boards

2 out of the 3 still have a vulnerable ASMedia chip 1142




Maybe the TUF one does as well but is not visible due to the TUF logo
Posted on Reply
#5
xkm1948
Meanwhile 3 more collaborating professors in the college of science at my institution has put down money for me to build TR based HEDT for their lab. At the end of the day performance/price speaks louder than any smearing campaign does.
Posted on Reply
#6
Zubasa
Xzibit said:
I just looked again at the X470 Asus boards

2 out of the 3 still have a vulnerable ASMedia chip 1142




Maybe the TUF one does as well but is not visible due to the TUF logo
Given the relationship between ASUS and ASmedia, I doubt they will use any other chips in the forseeable future. :laugh:
Posted on Reply
#7
TheLostSwede
Xzibit said:
I just looked again at the X470 Asus boards

2 out of the 3 still have a vulnerable ASMedia chip 1142




Maybe the TUF one does as well but is not visible due to the TUF logo
You're aware that ASMedia made the actual chipset, right? As in the X470 in this case. So using their USB 3.x host controllers are just an additional part that makes no real difference in these cases.
Posted on Reply
#9
oxidized
xkm1948 said:
Meanwhile 3 more collaborating professors in the college of science at my institution has put down money for me to build TR based HEDT for their lab. At the end of the day performance/price speaks louder than any smearing campaign does.
Nice way to circumvent the problem, i remember you a few days ago diminishing these findings and throw garbage at those CTS Labs, and now here you are playing the performance/price card to try and save their faces like you're some kind of employee or something. This was so low, honestly.
Posted on Reply
#10
HTC
Still think this is a Windows problem when using Zen based hardware.

Nowhere in the several CTS Labs topics does it mention any other OS other then Windows. If it were a Zen hardware problem, other OSs could also be used to make use of these exploits, no?
Posted on Reply
#11
R-T-B
HTC said:
Still think this is a Windows problem when using Zen based hardware.

Nowhere in the several CTS Labs topics does it mention any other OS other then Windows. If it were a Zen hardware problem, other OSs could also be used to make use of these exploits, no?
It would require tools, but according to the released exploits there is no reason it could not be done under other OSes. It is not a Windows flaw, more that the interface drivers and tools needed only exist for windows.
Posted on Reply
#12
HTC
R-T-B said:
It would require tools, but according to the released exploits there is no reason it could not be done under other OSes.
If the target system were using Linux instead of Windows, could these exploits still be carried out?

Seems to me these exploits take advantage of poor Windows security to be able to succeed.
Posted on Reply
#13
R-T-B
HTC said:
If the target system were using Linux instead of Windows, could these exploits still be carried out?

Seems to me these exploits take advantage of poor Windows security to be able to succeed.
Yes, if you had the appropriate tools. The permissions are there. Root roughly = admin.
Posted on Reply
#14
OneMoar
There is Always Moar
so much for unpatchable

out with a whimper and a fart
Posted on Reply
#15
btarunr
Editor & Senior Moderator
Let me try to do a Viceroy.

An Obituary of "AMD Flaws"

Yes, there are vulnerabilities, but no, you won't be able to short AMD in the foreseeable future. The only way short-selling research firms will make money (or recover 0.000% ROI) now is through riling up class-actions against AMD "for selling vulnerable products," which too will fail because plenty of precedents are being set in Meltdown/Spectre class-actions against Intel, and anything that succeeds against AMD will end up succeeding against Intel, too.

AMD has laid a straightforward mitigation/patching road-map for the 13 vulnerabilities. Enterprise interest in EPYC is in its infancy and only gaining momentum. All the enterprises that were exploring EPYC will now just have to wait a few more weeks for a product that's more secure, and without a performance impact. AMD Flaws only advertised EPYC.

I doubt if AMD will ever partner with ASMedia after 400-series. This raises chances of an NVIDIA nForce revival. NVIDIA already holds IP/licenses for chipset-related stuff, and it won't mind selling a $30-50 piece of silicon to clients, and a $70-100 silicon to enterprises. Enterprises will catalyze nForce's return because they trust the NVIDIA brand, and it made Opteron chipsets in the past.

Cybersec researcher Alex Stamos justified his Facebook hiring with these prophetic words: "Short-seller driven vulnerability research is going to end in tears. Hopefully due to lost money, and not because naive researchers go to prison."
Posted on Reply
#16
FR@NK
Steevo said:
I wonder if anyone will come respond to this revelation, that administrative access is required
For the masterkey exploit the system could be infected with a malware bios before the system is even delivered to the end user...even before the OS is installed; so you dont need admin access to compromise these systems. Anyone who might have physical access to the system at any time during manufacture or delivery could flash a malware bios with a small handheld device without even booting the operating system or even powering the system up. As of right now there very well might be systems out there that are infected and because of how the embedded "secure processor" operates the end user wouldn't have any way of knowing the system is compromised. Even systems that are completely isolated from any network could have been infected during manufacture/delivery and are such compromised.

Hopefully AMD can fix this exploit and then every system out there will need to reflash the bios to confirm its free of any malware.
Posted on Reply
#17
thesmokingman
Didn't they say it would take AMD up to a year to patch this, thus they erred on the side of public safety and gave AMD no time? Up to a year to patch if they even could lol.

FR@NK said:
For the masterkey exploit the system could be infected with a malware bios before the system is even delivered to the end user...even before the OS is installed; so you dont need admin access to compromise these systems. Anyone who might have physical access to the system at any time during manufacture or delivery could flash a malware bios with a small handheld device without even booting the operating system or even powering the system up. As of right now there very well might be systems out there that are infected and because of how the embedded "secure processor" operates the end user wouldn't have any way of knowing the system is compromised. Even systems that are completely isolated from any network could have been infected during manufacture/delivery and are such compromised.

Hopefully AMD can fix this exploit and then every system out there will need to reflash the bios to confirm its free of any malware.
Are you shittin' me? Do you not see the folly in your own logic?
Posted on Reply
#18
_Flare
honestly, everything with a firmware could´ve been compromised in that way.

this whole thing will end up like:
A kitchen-knife orginally ment for bread and butter works, could be be exploited with no deeper metalurgic or martial art knowings as a murderer-weapon.

thats obvious
Posted on Reply
#19
phanbuey
_Flare said:
honestly, everything with a firmware could´ve been compromised in that way.

this whole thing will end up like:
A kitchen-knife orginally ment for bread and butter works, could be be exploited with no deeper metalurgic or martial art knowings as a murderer-weapon.

thats obvious
Agree - I think it's very disingenuous the way they advertised (and that's what this was, advertising) these flaws...

AMD nailed it with their response
"Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. "

CTS, in a way, are right, these ARE flaws, and they do need to be fixed -- just as any sane household should store their kitchen knives in a way to prevent them from cutting things that aren't food; but coming up with a website called "kitchenkniveskill.com" and pointing out a single knife company as the culprit is extremely dishonest. Especially when the site was originally targeting a different knife company altogether, and then pivoted because they saw a larger gain. And in essence, any household that already stores their knives appropriately is virtually immune to these particular flaws.

The whole thing is a technically true but realistically dishonest mess.
Posted on Reply
#20
R-T-B
_Flare said:
honestly, everything with a firmware could´ve been compromised in that way.
No. This is why signatures exist: To avoid being able to flash just anything.

Pascal is an excellent example of an unmoddable bios using signatures.

phanbuey said:
The whole thing is a technically true but realistically dishonest mess.
I agree with that.
Posted on Reply
#21
lexluthermiester
thesmokingman said:
Are you shittin' me? Do you not see the folly in your own logic?
Actually, he's right. To flash a bios/uefi firmware you don't need admin access, you only need physical access. The only situation were you need admin access is if you are going to render the attack remotely.

R-T-B said:
Pascal is an excellent example of an unmoddable bios using signatures.
Which is crazy stupid.
Posted on Reply
#22
phanbuey
lexluthermiester said:

Which is crazy stupid.
<div class="youtube-embed" data-id="5SASDbkpqew"><img src="https://i.ytimg.com/vi/5SASDbkpqew/hqdefault.jpg" /><div class="youtube-play"></div><a href="https://www.youtube.com/watch?v=5SASDbkpqew" target="_blank" class="youtube-title"></a></div>

basically IT Security (or any Security) in a nutshell
Posted on Reply
#23
First Strike
Steevo said:
I wonder if anyone will come respond to this revelation, that administrative access is required, which means you would have complete control of a machine anyway...

Nah probably not, that would require more work than the typical "low quality" poster is capable of.
Don't expect too much of administrative privileige. Admin priv can't do everything, but a Secure Processor/Management Engine can.
Posted on Reply
#24
Patriot
FR@NK said:
For the masterkey exploit the system could be infected with a malware bios before the system is even delivered to the end user...even before the OS is installed; so you dont need admin access to compromise these systems. Anyone who might have physical access to the system at any time during manufacture or delivery could flash a malware bios with a small handheld device without even booting the operating system or even powering the system up. As of right now there very well might be systems out there that are infected and because of how the embedded "secure processor" operates the end user wouldn't have any way of knowing the system is compromised. Even systems that are completely isolated from any network could have been infected during manufacture/delivery and are such compromised.

Hopefully AMD can fix this exploit and then every system out there will need to reflash the bios to confirm its free of any malware.
You can force flash just about anything with physical access... If you buy a x79 board from bang good you can be sure that rom is infected...
Posted on Reply
Add your own comment