CTS-Labs Posts Ryzen Windows Credential Guard Bypass Proof-of-concept Video

[ikeke]

FWIW this is how wccftech handled this.

https://wccftech.com/report-alleges-amd-ryzen-epyc-cpus-suffer-13-fatal-security-flaws/

I held TPU to higher quality previously.

 

[R-T-B]

Again? Does TPU have a financial motive?

Yes, and it's called advertising. I'm pretty sure w1zzard has been quite open on that front. Any other accusations are just silly. He's covering this just as much as meltdown/spectre.

 

[hardcore_gamer]

Handed out a couple of short bans, tired of seeing this kind of shitposting

I hope you take this as constructive criticism. As journalists, you're supposed to represent us when you do a Q&A with a company. I'd rate TPU's Q&A with the CTS labs much lower than Anandtech's . Focusing on technical details isn't an excuse for not asking questions about their motives, hyperbole and inaccuracies in the website they've created, their relationships with short-sellers and the way they've handled this whole thing. There's a reason why the readers are disappointed. If I just read TPU and no other tech news sources, I'd have probably believed viceroy reaserch's claim that AMD is doomed and their shares are worth $0. That's my 2 cents of finger wagging as a TPU reader of many years.

 

[Vya Domus]

I gotta say , the dude types pretty fast. Pretty much the only noteworthy observation.

They already dug up their hole , there ain't no getting out of it.

 

[Ferrum Master]

It still looks like...

sudo rm -rf /*

and actually it is a joke...

 

[mtcn77]

I hope you take this as constructive criticism. As journalists, you're supposed to represent us when you do a Q&A with a company. I'd rate TPU's Q&A with the CTS labs much lower than Anandtech's . Focusing on technical details isn't an excuse for not asking questions about their motives, hyperbole and inaccuracies in the website they've created, their relationships with short-sellers and the way they've handled this whole thing. There's a reason why the readers are disappointed. If I just read TPU and no other tech news sources, I'd have probably believed viceroy reaserch's claim that AMD is doomed and their shares are worth $0. That's my 2 cents of finger wagging as a TPU reader of many years.

Considering I'm a tech-hobbyist myself and having started following the media on TechPowerUp originally, the content isn't as engaging as it used to be. One-sided story-telling and sensational half-truths never passed before as the orthodox coverage here. Just my fair share of criticism given enough musing about the subject.

 

[cadaveca]

As journalists

There are no journalists here on TPU. You are trying to hold us to a standard that doesn't exist. Anyone who says they are a journalist must hold a degree for that, and none of us do.

Yes, we have tech news aggregation. Yes, we cover popular topics. Yes, we have opinions. But just because we cover a news story doesn't mean we hold to the opinion presented in the story. What it actually means is that we value your opinion, and want to hear what you think about the subject, presented in the light it is given. It's not financially motivated, either... we just care about what you think, and want to hear what you have to say. So please, say it, but please don't misinterpret our intent.

 

[Vya Domus]

You are trying to hold us to a standard that doesn't exist. Anyone who says they are a journalist must hold a degree for that, and none of us do.

Nice formal excuse. Why even say that ? I honestly can't tell if that was meant to be a joke of some sort.

Any entity covering news/rumors/interviews and showing it to a public counts as journalism.

 

[phanbuey]

I kind of like that TPU went purely technical... Everything out there tries to tell me how to think while being extremely vague on detail.

This was actually kind of refreshing - I learned quite a bit reading about these vulnerabilities.

 

[Patriot]

There are no journalists here on TPU. You are trying to hold us to a standard that doesn't exist. Anyone who says they are a journalist must hold a degree for that, and none of us do.

Yes, we have tech news aggregation. Yes, we cover popular topics. Yes, we have opinions. But just because we cover a news story doesn't mean we hold to the opinion presented in the story. What it actually means is that we value your opinion, and want to hear what you think about the subject, presented in the light it is given. It's not financially motivated, either... we just care about what you think, and want to hear what you have to say. So please, say it, but please don't misinterpret our intent.

https://en.wikipedia.org/wiki/Journalism Degree not required... you deliver the news and are therefore Journalists, even bloggers are considered journalists and as such must declare contributions and slants.

Edit, turns out the truth is dubbed low quality, time to find a new news site.

 

[Xzibit]

Nice formal excuse. Why even say that ? I honestly can't tell if that was meant to be a joke of some sort.

Any entity covering news/rumors/interviews and showing it to a public counts as journalism.

I found it funny. In more ways then one.

Picture TPU applying for Press Passes to the next Tech show or Product launch event and being declined by not having a "Degree".

Want the perks but none of the responsibility.

 

[btarunr]

Focusing on technical details isn't an excuse for not asking questions about their motives, hyperbole and inaccuracies in the website they've created, their relationships with short-sellers and the way they've handled this whole thing.

I think they made their motives pretty clear in this non-technical article:

https://www.techpowerup.com/242480/...-labs-make-their-positions-known-on-amd-flaws

 

[eidairaman1]

It's obvious what cts is trying to do, so i denounce anything they do. I trust the developer of the arch on fixes before a 3rd party such as CTS.

I wonder if AMD might pursue a lawsuit for libel.

 

[hat]

Each of these "vulnerabilities" seem overblown to me. A lot of these seem to rely on getting access to deeper systems which, in my opinion as an enthusiast, block people from doing whatever they want (I mean, I'd love to be able to edit my own Pascal GPU BIOS like I did in the old days). To actually be attacked with these particular vulnerabilities, you already have to be in a perfect storm of shit anyways. I'd be less worried about these vulnerabilities themselves and more worried about how somebody was able to compromise my systems to the point where these vulnerabilities became an option for them.

I also suspect ulterior motives myself given the nature of these CTS people and those connected to them. At best they seem to have found some vulnerabilities of questionable (in my opinion) severity (they're bad, but really hard to pull off) and are looking to profit from it. They're definitely not a legitimate security firm in my eyes, and their report is obviously made to benefit them, not to merely alert those concerned to the vulnerabilities.

That said, I've followed up on this for a while and read a lot of comments before immediately reaching for my e-torch and e-pitchfork... I don't dismiss the flaws as fake, rather overhyped because they would be very difficult to use in an actual attack against target systems. I also lump CTS in the came category as patent trolls and people who sue other people because their phone also has "rounded corners".

 

[Patriot]

It's obvious what cts is trying to do, so i denounce anything they do. I trust the developer of the arch on fixes before a 3rd party such as CTS.

I wonder if AMD might pursue a lawsuit for libel.

Yup. It's a bug, its a flaw... but an exploit is something that gets you admin access, doesn't require it...
STH had a nice write-up on it from a legal perspective.

 

[evernessince]

I hope you take this as constructive criticism. As journalists, you're supposed to represent us when you do a Q&A with a company. I'd rate TPU's Q&A with the CTS labs much lower than Anandtech's . Focusing on technical details isn't an excuse for not asking questions about their motives, hyperbole and inaccuracies in the website they've created, their relationships with short-sellers and the way they've handled this whole thing. There's a reason why the readers are disappointed. If I just read TPU and no other tech news sources, I'd have probably believed viceroy reaserch's claim that AMD is doomed and their shares are worth $0. That's my 2 cents of finger wagging as a TPU reader of many years.

CTS labs may have multiple motives but what we know for sure it that they were paid quite a bit to look into these issues and that they will not reveal their client or even the industry that their client is in. I mean they spent $14,000 just to validate their exploits.

So honestly from what we know: They tried to act altruistic in their original disclosure all the while doing a hit and run on AMD. Their legal disclaimer directly contradicted that and they definitely received money for the job done in addition to leaking information to short sellers, possibly getting extra cash in that manner as well.

The security community agrees as well. Any future work by these guys is going to be tained by "well who's paying them this time?". I would not be surprised at all if this is the last public report this company does. They would be far better off creating a new company and trying to trick people that way.

 

[lexluthermiester]

And TPU apparently lol.

Tpu has dug itself into the hole to the point that they have no option but to cover this or else they will admit they were wrong in covering that 1st story without any research.

I held TPU to higher quality previously.

This TPU bashing crap needs to stop. Bashing CTS for for what you perceive as various wrongs is one thing. Bashing TPU staff and the founder for reporting actual industry news is quite another. They are doing their job. Nothing more, nothing less. If you people can't figure out that very simple concept, then maybe this isn't someplace for you to be.

Edit; just watched that video. This is, as demonstrated, not insignificant. This is serious and can be done quickly as the video shows.

 

[Jadawin]

Edit; just watched that video. This is, as demonstrated, not insignificant. This is serious and can be done quickly as the video shows.

No, it is not serious. If you are already in a privilidged shell, nothing else matters anymore. Not the OS, not the CPU. The system is yours. With or without flaws. And I expect a well regarded website like TPU to point that out to readers.

 

[lexluthermiester]

No, it is not serious.

That is only your misinformed opinion. When the company effected by these problems commits resources to releasing full bios revisions for said problems, they are automatically qualified as serious.

If you are already in a privileged shell, nothing else matters anymore. Not the OS, not the CPU. The system is yours. With or without flaws. And I expect a well regarded website like TPU to point that out to readers.

Thanks for the tip. Because really, that hasn't been mentioned already by other users...
This constant and pathetically lame referencing to "priviledged shell" or "admin authority" and whatnot is not the issue certain "people" are trying(and failing) to make it out to be. Finding systems on a network that have admin is not a difficult task, nor is artificially granting admin to a system that doesn't have it. If you don't understand these points, you have the problem.

 

[Xzibit]

Edit; just watched that video. This is, as demonstrated, not insignificant. This is serious and can be done quickly as the video shows.

The people who got payed $14,000 by CTS-Labs differ with you.

There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers

 

[RejZoR]

The reason they slowly drag out videos is to keep their relevancy up. Why release it all at once if you can drag your name through news for weeks and months. CTS Labs is shit. For a bunch of smart people they act really dumb.

 

[lexluthermiester]

There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers

Most not all. The majority of the script-kiddies out there are of little concern, true, but it's the ones with real skills that are of concern. And there are a lot of them. Do you want to be the nitwit who told their boss it was nothing to worry about and then was victimized by the very same problem? You'd be out of a job so fast it would make your head spin. EVERY vulnerability like this is a serious vulnerability which requires serious attention and consideration. It would be irresponsible, negligent, reckless and unprofessional to treat this with less seriousness than any other system cracking vulnerability.

The reason they slowly drag out videos is to keep their relevancy up. Why release it all at once if you can drag your name through news for weeks and months. CTS Labs is shit. For a bunch of smart people they act really dumb.

Enough with the FUD. Try taking off the tin hat and seeing the problems for what they are.

 

[Xzibit]

Most not all. The majority of the script-kiddies out there are of little concern, true, but it's the ones with real skills that are of concern. And there are a lot of them. Do you want to be the nitwit who told their boss it was nothing to worry about and then was victimized by the very same problem? You'd be out of a job so fast it would make your head spin. EVERY vulnerability like this is a serious vulnerability which requires serious attention and consideration. It would be irresponsible, negligent, reckless and unprofessional to treat this with less seriousness than any other system cracking vulnerability.

Drama much?

People in such positions wouldn't be screaming the sky is falling either or running to replace the entire network when ever they get whim of a new exploit.

Lets weight this one out. Forum warriors screaming the sky is falling vs Security firm with 6yrs experience in the industry that got payed to review it with all the tools. Hmm.. tough call >Sarcasm<

 

[john_]

but it's the ones with real skills that are of concern

They are probably busy trying to bypass the latest Meltdown and Spectre patches, or find other vulnerabilities, because all big corporations/banks/whatever and all governments are still using equipment based on Intel CPUs.

EVERY vulnerability like this is a serious vulnerability

It's only serious because CTS gave no time to AMD to prepare patches before the info gone public. But it's not as serious as Meltdown was and let's not forget that Intel had to work for a couple of more months after Meltdown was known to prepare patches for older CPUs and fix some of the first patches that where leading to system instability. I wonder if there where IT heads spinning when Meltdown was gone public and until the date Intel gave stable patches for all latest generation CPUs. Also in the case of ASmedia we have no reply from Intel, motherboard manufacturers or ASMedia itself, as fas as I know, so probably some heads are still spinning, while trying to disable throught the BIOS, ASMedia chips on board of Intel motherboards.

 

[lexluthermiester]

Drama much?

Only responding to your comment. I didn't start it.

People in such positions wouldn't be screaming the sky is falling either or running to replace the entire network when ever they get whim of a new exploit.

Perhaps not, but what they will do is fix the problem by updating the affected systems and review their network security SOP's, looking for and implementing better methodologies as needed. No network is perfect and there is always room for improvement. These vulnerabilities serve as yet another wake-up-call to the dangers that exist in the technological world and why it is important to stay on top of your game.

Forum warriors screaming the sky is falling

No one is screaming the "the sky is falling". Us "forum warriors" are advocating that these problems are to be taken seriously. Anything less would be...

irresponsible, negligent, reckless and unprofessional