Friday, March 16th 2018

CTS-Labs Responds to a TechPowerUp Technical Questionnaire

Yesterday, we had a very productive phone call with CTS-Labs, the firm behind the "AMD Flaws" critical security vulnerabilities exposé of the "Zen" microarchitecture. Our questions focus on the practicality of exploiting these vulnerabilities, and should provide more insight to the skepticism centered on needing admin privileges, flashing BIOS ROMs, and other localized hacks that would render any machine, not just "Zen" powered, vulnerable. Feel free to follow up with questions in the comments section, if we can help explain something.
TechPowerUp (TPU): Regarding Masterkey. Could you elaborate on the attack vector for this? AMD makes the claim that the on-chip ROM in Secure Processor fully validates the firmware read from NAND. You mention metadata parsing, which I assume is stored in the NAND, so when this is modified in a certain way the hash check gets bypassed? With Secure Processor validation broken, the UEFI signature checks for the main BIOS can be bypassed, too? Or is it additionally required to modify the main BIOS, too, for that to work?
CTS-Labs (CTS): First a small clarification: the BIOS and PSP firmwares, as well as certain non-volatile storage data are typically stored on a single SPI flash chip on the motherboard. When you install a BIOS update, both UEFI and PSP firmwares get replaced. MASTERKEY-1 through MASTERKEY-3 allow three distinct ways of installing malware on the PSP in spite of digital signature verification. The way this process works is: The PSP immutable ROM runs first, and then validates the beginning of the mutable PSP firmware inside the SPI flash. The PSP firmware then loads its other built-in modules, such as fTPM or SEV. This is when MASTERKEY kicks in to allow execution of unsigned code on the PSP's ARM processor. This can happen even before the PSP releases the main CPU from its initial halted state. Secure Boot is defeated from that point on (both UEFI Secure Boot and PSP Secure Boot).

Re-flashing the BIOS, a prerequisite for MASTERKEY, often does not require physical access to the device. We've tested this on motherboards by Tyan, ASUS, MSI, Gigabyte, Biostar, and others. It works by running an EXE.

TPU: Did you use an official flashing software, or create your own method that replicates the commands used by this software?
CTS: We used a modified version of the original BIOS update software. That allowed us to bypass some protections that exist in the original version.

TPU: You mention a few motherboard companies above, do you feel this means that all motherboards are affected, or are some more secure than others?
CTS: On motherboards where flashing is not possible because the BIOS image is encapsulated and signed by an additional layer of OEM-specific digital signature, we think it may still be possible to install a malicious BIOS that exploits MASTERKEY by either: (a) Using RYZENFALL or FALLOUT to achieve code execution on SMM, and disable signature verification that is implemented in SMM, or (b) Use RYZENFALL-4 to achieve code execution on the PSP and then use the PSP to write to the SPI flash. Both of these methods are theories we've been running in our lab. They may work, but we haven't tested them. Results may vary from hardware to hardware.

Previous work on this subject: www.mitre.org/sites/default/files/publications/defeating-signed-bios-enforcement.pdf, embedi.com/blog/bypassing-intel-boot-guard/

TPU: Do you think it's feasible for users to solder a pull-down wire onto the WP# [write-protect] pin of the BIOS chip? To permanently, physically, engage its write protection.
CTS: Off the top of my head (and of course I haven't tested this) - Turning on Write-Protect for the whole chip would not work, because that would break Non-volatile Storage features that are needed by both UEFI and the PSP.

TPU: Can you elaborate on how the Ryzenfall attack works? Is the Secure Processor exposed as device on the PCI bus? and attacked directly? Or does the attack leverage issues in the CPU's memory controller?
CTS: We don't feel comfortable talking about RYZENFALL at this time.

TPU: To execute the Chimera attack (and others) you mention "vendor supplied driver". Shouldn't any signed kernel mode driver be sufficient as long as it implements IO space access (for PCI config space on CF8) and some method of writing to physical memory, either directly or through memory mapping a specified range to user space?
CTS: You are exactly right. Any signed driver that provides access to IO spaces is sufficient to interact with the backdoors. There is a vendor-supplied driver that does this.

TPU: Are those vendor supplied drivers publicly available for download?
CTS: Yes.

TPU: As far as we know, the BIOS chip is connected to the CPU socket and not to the chipset. This means that Chimera is not able to write to the flash directly and has to write code to system RAM first, which then gets executed, and performs the write into NAND?
CTS: To the best of my knowledge, all Zen architecture chips have an integrated southbridge, but the Promontory chipset is nonetheless used on most (all?) Ryzen and Ryzen Pro workstations. Promontory provides additional USB, SATA, and PCI-E ports to AMD systems. On one laptop that we've tested (ASUS GL702ZC), the USB ports on one side of the machine are routed to the chipset, while others are routed to the CPU. The USB ports connected to the CPU don't support 10 Gb USB 3.1.

The backdoors in AMD Promontory let attackers inject malware into the chip on runtime. We did not attempt to achieve persistency on Promontory. Promontory's firmware is stored inside the BIOS image, and is written into the chipset's 8051 processor by a UEFI module every time the computer boots. If that UEFI module happens to be missing, Promontory will boot from its built-in ROM firmware. So, to clarify, attackers can freely patch the 8051 code memory on runtime.

TPU: Does that mean that users could protect themselves against Chimera-based keyloggers by not using certain USB ports on their system?
CTS: For keyloggers that record USB traffic from within the chipset, I believe so.

TPU: Your whitepaper describes that the ASMedia chip has backdoors both in software and hardware. Could you elaborate on the hardware part, is it patchable somehow?
CTS: The Ryzen chipset is an ASIC chip. What this means is that after fabrication, the chip's structure of logic gates can no longer be changed [unlike on an FPGA]. We have found what we believe to be manufacturer backdoors implemented on the ASIC level. If our understanding is correct, removing these backdoors is impossible. It may still be possible to find a workaround, for example by blocking access to certain IO regions at the hypervisor level.

Other backdoors with similar functionality exist in the chipset firmware as well. These can be removed by a firmware update.

TPU: Do you have any plans to release more details on these vulnerabilities to the public?
CTS: We have no such plans. We've delivered full details of the vulnerabilities to AMD, Microsoft, US-CERT, Dell, HP, Cisco, Symantec, FireEye, and CrowdStrike. Our package includes full technical write-ups, functional proof-of-concept exploits and procedures on how to run the exploits. We will wait for these companies to come out with patches and mitigations before releasing technical details to the public.

Once MASTERKEY is patched and the patches have had time to disseminate, we are thinking of partnering up with libreboot or coreboot to develop a way to shutdown the PSP. Doing this would completely eradicate the attack surface for vulnerabilities such as FALLOUT and RYZENFALL. AMD has recently offered a BIOS option to disable the PSP, but according to our testing that feature merely disables the fTPM... other functionalities remain open, and the Secure Processor remains vulnerable to RYZENFALL or FALLOUT. If there was a real option to halt the PSP's ARM processor, that would be a great security feature.

TPU: Do you think users of other CPU vendors, like Intel, are affected?
CTS: Only if they have a motherboard carrying an ASMedia USB host controller. These controllers are typically found on PC motherboards made by Taiwanese manufacturers. We've looked into quite a few computers made by HP, Dell, Lenovo, etc. and they were not affected.

TPU: A huge number of Intel motherboards uses ASMedia chips, too, mostly for additional USB 3 ports. Does that mean these are affected by vulnerabilities similar to Chimera? Does it make a difference that the chips on Intel motherboards are connected via PCIe? Which chips are we talking about?
CTS: All ASMedia USB host controllers sit on the PCI-E bus. I am talking about ASM1042, ASM1142 and ASM1143. Motherboards that have these chips have the CHIMERA backdoors as well.

TPU: Have you tested whether the Secure Processor in Vega GPUs is vulnerable?
CTS: We haven't looked into that.

TPU: How do you respond to people saying that once an attacker has administrative access, you are f'd anyway? How are the attacks you uncovered more severe?
CTS: This is misleading and incorrect. Attackers think of machines not as individual nodes but as part of a network. Gaining local administrative access on a compromised computer inside an organization is easy for attackers. The challenge is moving laterally from there to other machines, and maintaining access for the future. That is exactly what these vulnerabilities provide.

TPU: Are you in two-way communication with AMD? How are things moving forward, if you can reveal that?
CTS: AMD only sent us a confirmation that they received the materials. We are curious what's taking them so long. It only took CrowdStrike one day to have a good understanding of the vulnerabilities. It took two days for Microsoft Security to be completely on top of it, and Trail of Bits validated our research in its entirety within five days.

TPU: What's your recommendation to users and companies at this time? Should people be scared and disconnect their systems from the Internet?
CTS: I think that high-security organizations, such as banks, that happen to have deployments of vulnerable AMD equipment should certainly be concerned - because of the possibility of APT actors using the vulnerabilities to conduct lateral movement, and malware setting up camp inside the Secure Processor. It is up to each company to conduct its own risk analysis.

TPU: How do you respond to the chaos and cynicism that has erupted because of the manner in which you made your public disclosures?
CTS: We are a small group of security researchers. We have no past experience with making publications, and there is no question we messed this one up. We certainly learned some hard lessons here.

TPU: Thank you for responding to our questions, we'll stay in touch.
CTS: Absolutely. Thank you.

If you have any additional technical questions, or haven't understood something, let us know in the comments section, we will answer what we can by ourselves and forward select questions to CTS for better explanation.
Add your own comment

64 Comments on CTS-Labs Responds to a TechPowerUp Technical Questionnaire

#26
Dave65
xkm1948Acknowledged all AsMedia based USB chipsets are vulnerable, yet still targeting just one specific company. If there is any concern it should be Intel MoBo which has way higher market share and they got 0 mention. Fishy AF.

CTS can spin this whatever they want. At least this end user is not buying into their BS.

Security experts, including Linus, weighs in on the situation after thr anandtech phone call.

www.realworldtech.com/forum/?threadid=175139&curpostid=175169


Lets see what they say after TPU phone call
Totally agree, they pretty much have ZERO credibility with "most" people.. I guess only AMD uses AsMedia:/
Posted on Reply
#27
HD64G
Since they found the AsMedia bug but ignored the effect for Intel systems running on this chipset and named the website AMDFlaws.com, there is no doubt at all for me that they just attacked AMD in purpose instead of trying to help computer security in general as any security company should do. Their motives are mystery for now but they (the guys behind that job I mean) are flawed as professionals themselves for sure...
Posted on Reply
#28
bug
Dave65Totally agree, they pretty much have ZERO credibility with "most" people.. I guess only AMD uses AsMedia:/
What's with people obsession with CTS Labs' credibility? We already established they're a no-name that handled this as badly as possible. Thus, next to zero credibility.
But if a convict is telling me the person next to in me in a bus is picking my pocket, I'd be concerned about my pocket first and then with the convict's rap sheet.

So far, the news is every party they've contacted so far was able to confirm their findings. Save for AMD.
Posted on Reply
#29
ikeke
W1zzardThe chipset has certain functionality (including a backdoor) implemented in physical circuitry, which is fixed and can not be modified, so unpatchable. The other vulnerability in the chipset _firmware_ (which is software), is patchable.
It's just what they are saying, though? I see no proof, just a lot of hot air from CTSlabs.

edit: also, if they want to see how AMD is "unable" to fix issues then perhaps you can point them towards latest example that i know of, which is a fix for, well-well AMD-PSP :rolleyes:
seclists.org/fulldisclosure/2018/Jan/12

(hmm, perhaps they even acknowledge this specific issue as known to them, as per AT interview, but they have not followed up on its fix status www.anandtech.com/show/12536/our-interesting-call-with-cts-labs "In fact the one vulnerability that came out with AMD that was a lower level vulnerability that came out about 3 months ago and I believe they still have not come out with a patch. And now we are talking about 13 of them." )
Posted on Reply
#32
john_
Those guys knew about ASMedia problems for 6 years? But didn't informed anybody? Maybe they where cashing out that knowledge all this time. Then probably someone came and convince them to use this information as part of a huge campaign against AMD, to make a quick and much bigger financial gain. TPU should have pressed them more in the "Why haven't you disclosed those ASMedia vulnerabilities to the public sooner, as you did with AMD? Why did you associated the ASMedia problems with AMD, considering that you confirm that the problem exists on Intel motherboards too?" part. But I guess those guys set certain parameters before accepting to answer that phone call.
Posted on Reply
#33
ikeke
If i were to hazard a guess then these guys have inside info from previous employer, who wont be very happy with them going after a quick buck.

Unit 8200, i mean.
Posted on Reply
#34
Aquinus
Resident Wat-man
W1zzardTPU: How do you respond to people saying that once an attacker has administrative access, you are f'd anyway? How are the attacks you uncovered more severe?
CTS: This is misleading and incorrect. Attackers think of machines not as individual nodes but as part of a network. Gaining local administrative access on a compromised computer inside an organization is easy for attackers. The challenge is moving laterally from there to other machines, and maintaining access for the future. That is exactly what these vulnerabilities provide.
I'm confused by this answer. If you have admin access on a box, you already have access to the network through that box but, these vulnerabilities don't get you access to other boxes. It's more like digging your feet into the box you've already compromised. This sounds like a non-answer. If anything it can keep a machine infected but, it doesn't help you get into other machines on a network.
Posted on Reply
#36
john_
AquinusI'm confused by this answer. If you have admin access on a box, you already have access to the network through that box but, these vulnerabilities don't get you access to other boxes. It's more like digging your feet into the box you've already compromised. This sounds like a non-answer. If anything it can keep a machine infected but, it doesn't help you get into other machines on a network.
That's another part I have a problem to believe. I mean, who pays for a network of 1000 PCs, for example, if one PC that's get infected with malware, is enough to bring down the whole system? I think this is deliberate and tries to scare admins to not replace an older Intel system with a modern AMD one. "If you buy EVEN ONE new Ryzen/Epyc system, and put it in the same network with the 999 secure Intel PCs, then ALL PCs are in danger".

For people who say that they don't have much experience communicating their findings to the public, they do have a hell of a great experience in destroying someone's reputation and making it sure that everyone will avoid that someone's products at all costs. Not avoid investing a great deal of money buying many of those products, but even avoiding the minimum investment that is needed to buy just one of those products.
Posted on Reply
#37
rtwjunkie
PC Gaming Enthusiast
I just want to say thanks for the TPU follow-up which was done. The questions were technical in nature, but non-technical enough that most of the public could understand. It went a long way to making some sense of the debacle they created. It still leaves a lot to be answered, and I look forward to AMD's digestion of this.
Posted on Reply
#38
FR@NK
xkm1948Acknowledged all AsMedia based USB chipsets are vulnerable, yet still targeting just one specific company. If there is any concern it should be Intel MoBo which has way higher market share and they got 0 mention. Fishy AF.
Dave65I guess only AMD uses AsMedia:/
HD64GSince they found the AsMedia bug but ignored the effect for Intel systems running on this chipset
Intel chipsets don't have any AsMedia vulnerabilities!

But some motherboards manufacturers add an AsMedia chip to their intel platform boards but you cant blame intel for that. Blame falls on AsMedia and the motherboard manufacturer.

Whereas AMD is being targeted because AMD's chipset has the Asmedia hardware built in, so some blame does fall on AMD for the AsMedia vulnerabilities built in to their chipset.
XzibitYup, Just checked my old Asus SaberTooth Z77, has ASMedia 1042.
Asus is to blame for that as they added the Asmedia chip to their board. Disable that controller and use the x79 usb ports.
CTS-LabsRe-flashing the BIOS, a prerequisite for MASTERKEY, often does not require physical access to the device.
My biggest concern with masterkey is that the hardware could have the malware BIOS installed by someone at the factory or somewhere in-between before the new system gets delivered to the customer. I'm sure you could get a handheld device that would be possible to flash the bios chip without even powering up the system. The customer would have no way to detect the malware on the new system.
Posted on Reply
#39
Xzibit
FR@NKAsus is to blame for that as they added the Asmedia chip to their board. Disable that controller and use the x79 usb ports.
I get that. They are a lot of board makers that took that liberty throughout the years. Various post on other forums are starting to link and recall several of them over the years.

Be interesting if TPU can compile a list from its review database

ASM1142
Asus Sabertooth Z170 Mark 1
Asus X99-Deluxe II
Asus ROG Rampage V Edition 10
Asus ROG Maximus VIII Hero
Asus Z170-A
Asus X99-E-10G WS
AsRock Fatal1ty Z170
AsRock Fatal1ty X99 Pro Gaming
ASRock Fata1ty X99X
ASRock Beebox-S
ASRock X99 Taichi
ASRock X99E-ITX
ASRock X99 OC Formula
ASRock Z170 OC Formula
ASRock Z170 Extreme4 & Extreme4+
MSI Z170A Xpower Gaming
MSI Z170A Gaming M9 ACK
MSI X99A TomaHawk
MSI X99A Gaming Pro Carbon
MSI X99A GodLike Gaming
MSI Z170A Xpower Gaming Titanium Ed.
Gigabyte Z170X Gaming 6
Gigabyte Brix BKi5A
Gigabyte Z170XP-SLI
Supermicro X7170-OCE
Supermicro C7270-CG
Supermicro C7270-PG Pro Gaming
Supermicro SuperO C7Z170-M
ECS Liva One
EVGA Z170 Classified


Update:

ASM1042
Asus Maximus VIII Extreme
Asus Z97 Pro
Asus P8Z77-V
ASRock Z68M-ITX
ASRock Z77E-ITX
ASRock Fatal1ty Z68 Pro Gen3
ASRock X79 Extreme4-M
ASRock X99X Killer Fatal1ty
ASRock Z68 Extreme 4
BioStar TZ68K+
MSI Z97 Gaming 9 AC
MSI X99A GodLike Gaming - Has more then one of the vulnerable chips
MSI X99S-MPower
MSI Z270 XPower Gaming Titanium
SuperMicro C7Z97-OCE
SuperMicro X7X99-OCE

^This is just a list from one sites review database
Posted on Reply
#40
OneMoar
There is Always Moar
so how exactly do you implement a backdoor on the hardware level care to explain what exactly this hardware backdoor is and how to access it ? because I can't find anything in there disclosure about exactly what this hardware level backdoor is or how to access it or what evidence they have that its unpatchable

if you are accessing it via software then guess what ITS PATCHABLE





I gotta love how vague they are explaining this using terms like 'if our understanding is correct' so basically they don't fully understand there own report what ....

and enabling wp does not enable wp for the entire chip just the rom portion. and then there is ... CMOS storage != bios chip and on boards that do use a portion of the main rom for that its in a reserved isolated address the fact that they don't even know that much is gasoline on the credibility tire fire

also if you have admin you can move laterally through any network that that machine is connected via other attack vectors. to so again if you have admin you are already pwnd

also teaming up with liberboot/coreboot are you fkin kidding me ?

that project has gone exactly nowhere in the 19 years it has existed it works on a barely a handful of boards from at greatly reduced functionality www.coreboot.org/Supported_Motherboards

so again I postulate the question why are we even talking to these people they quite simply haven't a goddamn clue
Posted on Reply
#42
lexluthermiester
phanbueyso am I missing something?
Yes, there are ways to crack a network once you're inside and have admin authoritatives to even one machine on that network. Such access can be structured to grant admin access to many other machines on the same network, regardless of domains.
Posted on Reply
#43
cadaveca
My name is Dave
OneMoarso how exactly do you implement a backdoor on the hardware level care to explain what exactly this hardware backdoor is and how to access it ? because I can't find anything in there disclosure about exactly what this hardware level backdoor is or how to access it or what evidence they have that its unpatchable

if you are accessing it via software then guess what ITS PATCHABLE
Intel ME (which also has a "backdoor") is exactly what you are asking about. So, you can disable the ME now via some creative hacking of the ME firmware (you couldn't for like a decade before this, since like 2008), but AMD's equivalent, the PSP, might not have the capability to be disabled in a similar fashion. It was documented that the Intel ME could be disabled because the NSA wanted it that way (this needs verification, I'm sure). But anyway, whoever it was, they wanted it, it was implemented, and now the public has this capability. Then we got the ME hack...

We just need similar for the PSP (oh look, apparently according to this CTS news a reason to disable is present), and a big part of this problem is solved.
Posted on Reply
#44
OneMoar
There is Always Moar
cadavecaIntel ME (which also has a "backdoor") is exactly what you are asking about. So, you can disable the ME now via some creative hacking of the ME firmware (you couldn't for like a decade before this, since like 2008), but AMD's equivalent, the PSP, might not have the capability to be disabled in a similar fashion. It was documented that the Intel ME could be disabled because the NSA wanted it that way (this needs verification, I'm sure). But anyway, whoever it was, they wanted it, it was implemented, and now the public has this capability. Then we got the ME hack...

We just need similar for the PSP (oh look, apparently according to this CTS news a reason to disable is present), and a big part of this problem is solved.
but me's backdoor wasn't 'hardware' it was in the 'me' blobs the hack involves removing those files from the uefi image thats all it does or setting the HAP bit to 1

which isn't hardware its a firmware flag
Posted on Reply
#45
cadaveca
My name is Dave
A firmware flag that disables the hardware at boot. which is the only hope that we would have with AMD's PSP. You see, that HAP bit wasn't even discovered until recently... nearly a decade later. So it is more than possible that similar exists for AMD, but hasn't been found yet.
Posted on Reply
#46
OneMoar
There is Always Moar
cadavecaA firmware flag that disables the hardware at boot. which is the only hope that we would have with AMD's PSP. You see, that HAP bit wasn't even discovered until recently... nearly a decade later. So it is more than possible that similar exists for AMD, but hasn't been found yet.
except just removing the me modules from the bios is suffient the flag is just anouther way todo that
the HAP firmware flag turns it off removing the modules from the image kills it dead ...

can you really call that a 'hardware' bug
cts is claiming this is some hardwired thing in the asic which is complete malarky

even if it was it doesn't matter if it is because whatever software you need to run to take advantage of said thing can be soft patched
Posted on Reply
#47
R-T-B
The unpatchable ASIC-level backdoors are in the chipset gents, not the PSP. :rolleyes:
Posted on Reply
#48
phanbuey
lexluthermiesterYes, there are ways to crack a network once you're inside and have admin authoritatives to even one machine on that network. Such access can be structured to grant admin access to many other machines on the same network, regardless of domains.
Right but my question is - how do any of these exploits, which can only be run after you already have local admin access locally, help you do that?
Posted on Reply
#49
W1zzard
OneMoarcts is claiming this is some hardwired fpga thing which is complete malarky
asic != fpga
Posted on Reply
#50
eidairaman1
The Exiled Airman
Well time to move along. Until AMD responds to any of this I'm nit holding my breath
Posted on Reply
Add your own comment
Dec 19th, 2024 01:36 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts