• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

CTS Labs Posts Some Clarifications on AMD "Zen" Vulnerabilities

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
41,789 (8.19/day)
Location
Hyderabad, India
Processor AMD Ryzen 7 2700X
Motherboard ASUS ROG Strix B450-E Gaming
Cooling AMD Wraith Prism
Memory 2x 16GB Corsair Vengeance LPX DDR4-3000
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) Creative Sound Blaster Recon3D PCIe
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Microsoft Sidewinder X4
Software Windows 10 Pro
CTS-Labs the research group behind the AMD "Zen" CPU vulnerabilities, posted an addendum to its public-release of the whitepaper, in an attempt to dispel some of the criticism in their presentation in the absence of technical details (which they shared with AMD and other big tech firms). In their clarification whitepaper, quoted below, they get into slightly more technical details on each of the four vulnerability classes.



Clarification About the Recent Vulnerabilities
[CTS Labs] would like to address the many technical points and misunderstandings with a few technical clarifications about the vulnerabilities. The vulnerabilities described in our site are second-stage vulnerabilities. What this means is that the vulnerabilities are mostly relevant for enterprise networks, organizations and cloud providers.

Computers on enterprise networks occasionally get compromised - whether through phishing attempts, zero-day exploits or employees downloading the wrong file. High-security enterprise networks are equipped to deal with these kinds of "every-day" attacks. They do this by keeping their systems up to date, enabling security features, and employing additional measures such as endpoint security solutions.

The vulnerabilities described in amdflaws.com could give an attacker that has already gained initial foothold into one or more computers in the enterprise a significant advantage against IT and security teams.

The only thing the attacker would need after the initial local compromise is local admin privileges and an affected machine. To clarify misunderstandings - there is no need for physical access, no digital signatures, no additional vulnerability to reflash an unsigned BIOS. Buy a computer from the store, run the exploits as admin - and they will work (on the affected models as described on the site).

Attackers in possession of these vulnerabilities would receive the following additional capabilities:
  • Persistency: Attackers could load malware into the AMD Secure Processor before the CPU starts. From this position they can prevent further BIOS updates and remain hidden from security products. This level of persistency is extreme - even if you reinstall the OS or try to reflash the BIOS - it won't work. The only way to remove the attacker from the chip, would be to start soldering out chips. (we have seen a motherboard that had a socket where you can switch chips - then you could just put a new SPI chip).
  • Stealth: Sitting inside the AMD Secure Processor or the AMD Chipset is, at the moment, outside the reach of virtually all security products. AMD chips could become a safe haven for attackers to operate from.
  • Network Credential Theft: The ability to bypass Microsoft Credentials Guard and steal network credentials, for example credentials left by the IT department on the affected machine. We have a PoC version of mimikatz that works even with Credential Guard enabled. Stealing domain credentials could help attackers to move to higher value targets in the network.
  • Specific AMD Secure Processor features for cloud providers, such as Secure Encrypted Virtualization, could be circumvented or disabled by these vulnerabilities.
What was it tested on?
These are the machines we have tested the vulnerabilities on. On our site, every red circle in the vulnerabilities map represents a working PoC that was tested in our lab.

This is the list of hardware that has been tested in our lab:
  • BIOSTAR B350 GT3 Ryzen Motherboard.
  • GIGABYTE AB350-GAMING 3
  • HP EliteDesk 705 G3 SFF Ryzen Pro machine
  • HP Envy X360 Ryzen Mobile Laptop
  • TYAN B8026T70AV16E8HR EPYC SERVER
  • GIGABYTE MZ31-AR0 EPYC SERVER
RYZENFALL, FALLOUT
Requirements
  • Physical access is not required. An attacker would only need to be able to run an EXE with local admin privileges on the machine.
Impact:
  • Write to SMM memory, leading to code execution in SMM.
  • Reading and/or tampering with Credential Guard VTL-1 memory through the PSP.
  • Ryzenfall-4, which achieves code execution inside the PSP, leads to all the attacker capabilities described above, as well as the capability to tamper with the PSP and its security features.
  • An attacker can use RYZENFALL or FALLOUT to bypass Windows Credential Guard, steal network credentials, and then use these to move laterally through Windows-based enterprise networks
MASTERKEY
Requirements:
  • Physical access is not required. An attacker would only need to be able to run an EXE with local admin privileges on the machine.
  • Wait for reboot.
Impact:
The MASTERKEY set of vulnerabilities enable an attacker to execute unsigned code inside the PSP. Totaling a complete compromise of the Secure Processor. The exploit reflashes the BIOS to take advantage of the vulnerability:
  • On some motherboards - this works out of the box. This is because PSP firmware is often ignored by BIOS signature checks.
  • In other cases - RYZENFALL #1-2 could be used as a prerequisite for MASTERKEY to achieve code execution in SMM and bypass BIOS signature checks made in SMM code.
  • Even if all else fails, we believe using RYZENFALL-4 to write to SPI flash from inside the PSP is probably possible.
CHIMERA
Requirements:
  • Physical access is not required. An attacker would only need to be able to run an EXE with local admin privileges on the machine.
Impact:
The CHIMERA set of vulnerabilities are a set Manufacturer Backdoors left on the AMD Chipset, developed by Taiwanese company ASMedia.
  • This allows for an attacker to inject malicious code into the chip and take over the chipset (Read/Write/Execute).
  • One set of backdoors in implemented in firmware, while the other is implemented in the actual logic gates of the chip (ASIC). Both yield to the same impact.

View at TechPowerUp Main Site
 
Joined
Dec 29, 2010
Messages
2,387 (0.61/day)
Processor AMD 5900x
Motherboard Asus x570 Strix-E
Cooling Hardware Labs
Memory G.Skill 4000c17 2x16gb
Video Card(s) RTX 3090
Storage Sabrent
Display(s) Samsung G9
Case Phanteks 719
Audio Device(s) Fiio K5 Pro
Power Supply EVGA 1300 G2
Mouse Logitech G600
Keyboard Corsair K95
An attacker would only need to be able to run an EXE with local admin privileges on the machine.

/facepalm
 
Joined
Nov 12, 2014
Messages
296 (0.12/day)
Location
Ilirska Bistrica, Slovenia
System Name Thermaltake
Processor AMD Ryzen 5 5600X @ 4.7 GHz
Motherboard Gigabyte B550 Aorus Elite V2
Cooling AMD Wraith Prism
Memory 2 x 8 GB Crucial Ballistix @ 3400 MHz
Video Card(s) STRIX Vega 64
Storage Kingston SSDNow V300 120GB | Kingston 240GB NVMe | Samsung Spinpoint F3 1TB | Seagate Barracuda 2TB
Display(s) 34" ultrawide LG 34GL750B
Case Thermaltake V3 Black Edition (modded)
Audio Device(s) ALC 1220 120dB SNR HD Audio
Power Supply Thermaltake Hamburg 530 W - 80 Plus
Mouse Logitech G502 HERO
Keyboard Genius Scorpion K9 (RGB)
Software Windows 10 Pro x64
Until we get some actual clarification from AMD that this is true: I call it BS.
 
Low quality post by Aldain
Joined
Oct 2, 2004
Messages
13,791 (2.22/day)
"attacker only needs to run an EXE with admin rights"

That's one hell of an "IF", given any company that gives anything on their security doesn't have admin rights available to the users on workstations.

Real definition of an exploit or flaw is privilege escalation while not having any admin rights to begin with. That's what real exploits or flaws are. That you can gain admin access to an otherwise secure system. And all the "you just flash a BIOS". Motherboards often die when you flash them with official and specifically designed BIOS for the board. And these people make it sound like you can just patch any BIOS easily and make it a persistent threat/backdoor. It means the attacker needs to specifically know what motherboard you're using, what BIOS version you're using and modify it accordingly. That's again one huge load of "IF" to make it feasible for a mass deployment on home user systems that often have admin rights but are too much work for a targeted attack just so you end up finding bunch of gay porn on the system.

In all honesty, majority of companies and home users shouldn't really worry about it. Sure, if it can be fixed, AMD should work on eliminating these issues, but I wouldn't really worry about it. Companies that employ good policy of running workstations that clueless normies use under restricted policies and they are fine. As for normies with home computers, if you run OS in limited mode, good for you. If not, use a good antivirus and you should be fine as well.

It seems whole lot of panic for nothing here. Spectre and Meltdown were of higher concern because they wee true exploits that didn't require admin rights. You could poke the data from caches without any iirc.
 
Joined
Dec 29, 2010
Messages
2,387 (0.61/day)
Processor AMD 5900x
Motherboard Asus x570 Strix-E
Cooling Hardware Labs
Memory G.Skill 4000c17 2x16gb
Video Card(s) RTX 3090
Storage Sabrent
Display(s) Samsung G9
Case Phanteks 719
Audio Device(s) Fiio K5 Pro
Power Supply EVGA 1300 G2
Mouse Logitech G600
Keyboard Corsair K95
Pro Tip, don't give your passwords to an attacker, exploit prevented roflmao. :rolleyes:
 
Low quality post by xorbe
Joined
Feb 14, 2012
Messages
2,133 (0.61/day)
System Name msdos
Processor 8086
Motherboard mainboard
Cooling passive
Memory 640KB + 384KB extended
Video Card(s) EGA
Storage 5.25"
Display(s) 80x25
Case plastic
Audio Device(s) modchip
Power Supply 45 watts
Mouse serial
Keyboard yes
Software disk commander
Benchmark Scores still running
Viceroy is going to send TPU a thank you card at this rate.
 
Low quality post by thesmokingman
Joined
Dec 29, 2010
Messages
2,387 (0.61/day)
Processor AMD 5900x
Motherboard Asus x570 Strix-E
Cooling Hardware Labs
Memory G.Skill 4000c17 2x16gb
Video Card(s) RTX 3090
Storage Sabrent
Display(s) Samsung G9
Case Phanteks 719
Audio Device(s) Fiio K5 Pro
Power Supply EVGA 1300 G2
Mouse Logitech G600
Keyboard Corsair K95
Seriously, why the eff is TPU giving this crap news space?
 
Joined
Oct 2, 2004
Messages
13,791 (2.22/day)
I mean, sure, it's a legit security risk, but given how many IF's are there and whole lot of dependencies, AMD needs to address it and fix it for the future, but all the panic and drama is totally unnecessary as it's almost impossible to exploit these in practice. This whole thing is indeed getting way too much attention and drama than it deserves.
 
Low quality post by aldo5
Joined
Sep 12, 2016
Messages
44 (0.02/day)
TPU looks like have already given administrator right to CTS-Labs and Vicersory (and no matter what cpu is inside). TPU admins are the only one who do treat a newly created MailBox company as if their claims has some value before proven.
 
Joined
Mar 18, 2008
Messages
5,672 (1.15/day)
System Name Virtual Reality / Bioinformatics
Processor Undead CPU
Motherboard Undead TUF X99
Cooling Noctua NH-D15
Memory GSkill 128GB DDR4-3000
Video Card(s) EVGA RTX 3090 FTW3 Ultra
Storage Samsung 960 Pro 1TB + 860 EVO 2TB + WD Black 5TB
Display(s) 32'' 4K Dell
Case Fractal Design R5
Audio Device(s) BOSE 2.0
Power Supply Seasonic 850watt
Mouse Logitech Master MX
Keyboard Corsair K70 Cherry MX Blue
VR HMD HTC Vive + Oculus Quest 2
Software Windows 10 P
No shit, somebody runs something with local admin privilege and my machine is hacked. What was it called? F*ucking common sense?

Just go kill yourself already CTS clowns.
 
Joined
Feb 8, 2017
Messages
15 (0.01/day)
Processor i5-2500k
Motherboard gigabyte Z77X-UD5H
Cooling scythe mugen 2
Memory 4GB x4 DDR3 1866Mhz
Video Card(s) GTX 970 Asus Strix 3.5GB
Storage 480gb SSD + loads of TB's HDD's
Display(s) 1920x1080 60Hz 23'' Samsung BX2350
Case Cooler Master Silencio 650
Power Supply corsair HX750 v2
Software windows 8.1 64bit
"...An attacker would only need to be able to run an EXE with local admin privileges on the machine..." ...ONLY... :kookoo:
 
Joined
Mar 18, 2008
Messages
5,672 (1.15/day)
System Name Virtual Reality / Bioinformatics
Processor Undead CPU
Motherboard Undead TUF X99
Cooling Noctua NH-D15
Memory GSkill 128GB DDR4-3000
Video Card(s) EVGA RTX 3090 FTW3 Ultra
Storage Samsung 960 Pro 1TB + 860 EVO 2TB + WD Black 5TB
Display(s) 32'' 4K Dell
Case Fractal Design R5
Audio Device(s) BOSE 2.0
Power Supply Seasonic 850watt
Mouse Logitech Master MX
Keyboard Corsair K70 Cherry MX Blue
VR HMD HTC Vive + Oculus Quest 2
Software Windows 10 P
So TPU has started censoring posts that does not agree with the news as "low quality post"

Interesting.

Captddured.JPG

Caddddpture.JPG
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
22,829 (3.60/day)
Processor Core i7-8700K
Memory 32 GB
Video Card(s) RTX 3080
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
So TPU has started censoring posts that does not agree with the news as "low quality post"
yup i spent most of the day writing this addon, it should be useful for many threads. other staff said "just delete those useless posts", i wanted to at least keep them around to not censor

Edit: this is not enabled yet for the main site post view (in case you were looking for those hidden posts)
 
Last edited:
Joined
Jul 18, 2016
Messages
391 (0.21/day)
System Name Gaming PC / I7 XEON
Processor I7 4790K @stock / XEON W3680 @ stock
Motherboard Asus Z97 MAXIMUS VII FORMULA / GIGABYTE X58 UD7
Cooling X61 Kraken / X61 Kraken
Memory 32gb Vengeance 2133 Mhz / 24b Corsair XMS3 1600 Mhz
Video Card(s) Gainward GLH 1080 / MSI Gaming X Radeon RX480 8 GB
Storage Samsung EVO 850 500gb ,3 tb seagate, 2 samsung 1tb in raid 0 / Kingdian 240 gb, megaraid SAS 9341-8
Display(s) 2 BENQ 27" GL2706PQ / Dell UP2716D LCD Monitor 27 "
Case Corsair Graphite Series 780T / Corsair Obsidian 750 D
Audio Device(s) ON BOARD / ON BOARD
Power Supply Sapphire Pure 950w / Corsair RMI 750w
Mouse Steelseries Sesnsei / Steelseries Sensei raw
Keyboard Razer BlackWidow Chroma / Razer BlackWidow Chroma
Software Windows 1064bit PRO / Windows 1064bit PRO
So everyday im hacking my own computer LOL

TPU never wrote anything positive about AMD. Wondering if the staff is payed by Intel, Nvidia and CTS labs.
 

Aquinus

Resident Wat-man
Joined
Jan 28, 2012
Messages
12,312 (3.49/day)
Location
Concord, NH
System Name Apollo
Processor Intel Core i9 9880H
Memory 64GB DDR4-2667
Video Card(s) AMD Radeon Pro 5600M, 8GB HBM2
Storage 1TB Apple NVMe, 4TB External
Display(s) Laptop @ 3072x1920 + 2x LG 5k Ultrafine TB3 displays
Case MacBook Pro (16", 2019)
Audio Device(s) AirPods Pro, Sennheiser HD 380s w/ FIIO Alpen 2, or Logitech 2.1 Speakers
Power Supply 96w Power Adapter
Mouse Logitech MX Master 3
Keyboard Full Size Wireless Apple Magic Keyboard
Software MacOS 10.15.7
If you already have admin access as a malicious user, the box is already compromised. This is like saying, "Hey, look what I can do when I can do anything already."
 
Joined
Jul 16, 2014
Messages
5,568 (2.12/day)
Location
SE Michigan
System Name Dumbass
Processor AMD-9370BE @4.6
Motherboard ASUS SABERTOOTH 990FX R2.0 +SB950
Cooling CM Nepton 280L
Memory G.Skill Sniper 16gb DDR3 2400
Video Card(s) GreenTeam 1080 Gaming X 8GB
Storage C:\SSD (240GB), D:\Seagate (2TB), E:\Western Digital (1TB)
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Logitech G604
Keyboard Logitech G910 Orion Spark
Software windows 10
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
CTS labs is newly created. So to even post anything by this unproven, unrated, unqualified company whose first official report and obvious intention is to slam AMD is a new low for TPU.


watch the youtube video.
 
Last edited:
Joined
Dec 29, 2010
Messages
2,387 (0.61/day)
Processor AMD 5900x
Motherboard Asus x570 Strix-E
Cooling Hardware Labs
Memory G.Skill 4000c17 2x16gb
Video Card(s) RTX 3090
Storage Sabrent
Display(s) Samsung G9
Case Phanteks 719
Audio Device(s) Fiio K5 Pro
Power Supply EVGA 1300 G2
Mouse Logitech G600
Keyboard Corsair K95
If you already have admin access as a malicious user, the box is already compromised. This is like saying, "Hey, look what I can do when I can do anything already."

I know right? I am losing brain cells reading this as news.

could give an attacker that has already gained initial foothold into one or more computers in the enterprise
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
16,768 (3.33/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K @ 4GHz
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s) MSI RTX 2080 SUPER Gaming X Trio
Storage Samsung 850 Pro 256GB | WD Black 4TB | WD Blue 6TB
Display(s) BenQ XL2720Z (144Hz, 3D Vision 2, 1080p) | Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair HX 850W v1
Mouse Microsoft Intellimouse Pro - Black Shadow
Keyboard Yes
Software Windows 10 Pro 64-bit
The twists keep coming with this one. Look forward to reading this article properly later.
 
Joined
Feb 17, 2017
Messages
840 (0.50/day)
Location
Italy
Processor i7 2600K
Motherboard Asus P8Z68-V PRO/Gen 3
Cooling ZeroTherm FZ120
Memory G.Skill Ripjaws 4x4GB DDR3
Video Card(s) MSI GTX 1060 6G Gaming X
Storage Samsung 830 Pro 256GB + WD Caviar Blue 1TB
Display(s) Samsung PX2370 + Acer AL1717
Case Antec 1200 v1
Audio Device(s) aune x1s
Power Supply Enermax Modu87+ 800W
Mouse Logitech G403
Keyboard Qpad MK80
yup i spent most of the day writing this addon, it should be useful for many threads. other staff said "just delete those useless posts", i wanted to at least keep them around to not censor
We did many times, cmon please, don't just cherry pick with confirmation bias.

You're surely not interested in my opinion in particular, but i'll give it anyway. Just ignore these people, they just feel their brand is being targeted and they feel the obligation to defend it at all costs.
 
Joined
Apr 12, 2013
Messages
4,320 (1.40/day)
Looks like CTS labs' non existent reputation is taking a beating, here's hoping more sites (including TPU) don't give web space to them - hedge fund managers cum investment (research?) analysts cum attention seekers - anymore.
 

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
41,789 (8.19/day)
Location
Hyderabad, India
Processor AMD Ryzen 7 2700X
Motherboard ASUS ROG Strix B450-E Gaming
Cooling AMD Wraith Prism
Memory 2x 16GB Corsair Vengeance LPX DDR4-3000
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) Creative Sound Blaster Recon3D PCIe
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Microsoft Sidewinder X4
Software Windows 10 Pro
So TPU has started censoring posts that does not agree with the news as "low quality post"

Interesting.

View attachment 98372
It's censorship if we delete posts. This is our new anti-sh**post feature. You can still click on that bar to view the sh**post.
 
Joined
Jul 16, 2014
Messages
5,568 (2.12/day)
Location
SE Michigan
System Name Dumbass
Processor AMD-9370BE @4.6
Motherboard ASUS SABERTOOTH 990FX R2.0 +SB950
Cooling CM Nepton 280L
Memory G.Skill Sniper 16gb DDR3 2400
Video Card(s) GreenTeam 1080 Gaming X 8GB
Storage C:\SSD (240GB), D:\Seagate (2TB), E:\Western Digital (1TB)
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Logitech G604
Keyboard Logitech G910 Orion Spark
Software windows 10
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
It's censorship if we delete posts. This is our new anti-sh**post feature. You can still click on that bar to view the sh**post.
not be an ass, but I think your BS sniffer is off a bit, so maybe do some research on CTS now? Gamers Nexus did some research and posted a video on how CTS is more or less a Trolling everyone. (before you posted this)
 
Low quality post by LogitechFan
Joined
Nov 19, 2014
Messages
113 (0.05/day)
Location
Toronto
All the butt-hurt amd girls raging above, so pathetic.

Yes sure, you should criticize the messenger...

Also, how many people are running windows in admin mode even without knowing it? Yeah, a shitload of them!
SO if all it takes is to run an exe file and then it will be sitting low level and even OS reinstall can't flush it out, then it's a huge fucking problem and amd should be balls grilled for it! Anyone who says otherwise is a brainwashed idiot and a fanboi.
 
Top