Tuesday, March 20th 2018
Initial AMD Technical Assessment of CTS Labs Research
On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users' data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.
The security issues identified by the third-party researchers are not related to the AMD "Zen" CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
As described in more detail above, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It's important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.
Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.
The security issues identified can be grouped into three major categories. The table above describes the categories, the AMD assessment of impact, and planned actions.
AMD will provide additional updates on both our analysis of these issues and the related mitigation plans in the coming weeks.
The security issues identified by the third-party researchers are not related to the AMD "Zen" CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.
The security issues identified can be grouped into three major categories. The table above describes the categories, the AMD assessment of impact, and planned actions.
AMD will provide additional updates on both our analysis of these issues and the related mitigation plans in the coming weeks.
98 Comments on Initial AMD Technical Assessment of CTS Labs Research
Nah probably not, that would require more work than the typical "low quality" poster is capable of.
Honestly, there shouldn't BE negative rings. But there are, and here we are.
2 out of the 3 still have a vulnerable ASMedia chip 1142
Maybe the TUF one does as well but is not visible due to the TUF logo
www.station-drivers.com/index.php?option=com_remository&Itemid=352&func=fileinfo&id=3361&lang=en
No change log though. This covers ALL the Asmedia USB3.1 controllers out there.
Nowhere in the several CTS Labs topics does it mention any other OS other then Windows. If it were a Zen hardware problem, other OSs could also be used to make use of these exploits, no?
Seems to me these exploits take advantage of poor Windows security to be able to succeed.
out with a whimper and a fart
An Obituary of "AMD Flaws"
Yes, there are vulnerabilities, but no, you won't be able to short AMD in the foreseeable future. The only way short-selling research firms will make money (or recover 0.000% ROI) now is through riling up class-actions against AMD "for selling vulnerable products," which too will fail because plenty of precedents are being set in Meltdown/Spectre class-actions against Intel, and anything that succeeds against AMD will end up succeeding against Intel, too.
AMD has laid a straightforward mitigation/patching road-map for the 13 vulnerabilities. Enterprise interest in EPYC is in its infancy and only gaining momentum. All the enterprises that were exploring EPYC will now just have to wait a few more weeks for a product that's more secure, and without a performance impact. AMD Flaws only advertised EPYC.
I doubt if AMD will ever partner with ASMedia after 400-series. This raises chances of an NVIDIA nForce revival. NVIDIA already holds IP/licenses for chipset-related stuff, and it won't mind selling a $30-50 piece of silicon to clients, and a $70-100 silicon to enterprises. Enterprises will catalyze nForce's return because they trust the NVIDIA brand, and it made Opteron chipsets in the past.
Cybersec researcher Alex Stamos justified his Facebook hiring with these prophetic words: "Short-seller driven vulnerability research is going to end in tears. Hopefully due to lost money, and not because naive researchers go to prison."
Hopefully AMD can fix this exploit and then every system out there will need to reflash the bios to confirm its free of any malware.
this whole thing will end up like:
A kitchen-knife orginally ment for bread and butter works, could be be exploited with no deeper metalurgic or martial art knowings as a murderer-weapon.
thats obvious
AMD nailed it with their response
"Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. "
CTS, in a way, are right, these ARE flaws, and they do need to be fixed -- just as any sane household should store their kitchen knives in a way to prevent them from cutting things that aren't food; but coming up with a website called "kitchenkniveskill.com" and pointing out a single knife company as the culprit is extremely dishonest. Especially when the site was originally targeting a different knife company altogether, and then pivoted because they saw a larger gain. And in essence, any household that already stores their knives appropriately is virtually immune to these particular flaws.
The whole thing is a technically true but realistically dishonest mess.
Pascal is an excellent example of an unmoddable bios using signatures.I agree with that.
basically IT Security (or any Security) in a nutshell
www.theregister.co.uk/2015/08/12/lenovo_firmware_nasty/