CTS Labs Sent AMD and Other Companies a Research Package with Proof-of-Concept Code

[btarunr]

CTS Labs, the Israel-based IT security research company behind Tuesday's explosive AMD Ryzen security vulnerabilities report, responded to questions posed by TechPowerUp. One of the biggest of these, which is also on the minds of skeptics, is the ominous lack of proof-of-concept code or binaries being part of their initial public report (in contrast to the Meltdown/Spectre reports that went into technical details about the exploit). CTS Labs stated to TechPowerUp that it has sent AMD, along with other big tech companies a "complete research package," which includes "full technical write-ups about the vulnerabilities," "functional proof-of-concept exploit code," and "instructions on how to reproduce each vulnerability." It stated that besides AMD, the research package was sent to Microsoft, HP, Dell, Symantec, FireEye, and Cisco Systems, to help them develop patches and mitigation.

An unwritten yet generally accepted practice in the IT security industry upon discovery of such vulnerabilities, is for researchers to give companies in question at least 90 days to design a software patch, harden infrastructure, or implement other mitigation. 90 days is in stark contrast to the 24 hours AMD got from CTS Labs. CTS Labs confirmed to TechPowerUp that it indeed shared its research package with AMD (and the other companies) just 24 hours prior to making its report public, but urged those disgruntled with this decision to look at the situation objectively. "If you look at the situation in the following way: right now the public knows about the vulnerabilities and their implications, AMD is fully informed and developing patches, and major security companies are also informed and working on mitigation."



This is in contrast to the unintentional consequence of keeping Meltdown/Spectre away from the public domain for over half a year, allowing Intel's senior executives to dump company stock, and for big cloud computing providers to harden their infrastructure, giving themselves a competitive advantage over smaller providers. But unlike with Meltdown/Spectre, these vulnerabilities aren't industry-wide (i.e. they don't affect Intel), placing AMD at a disadvantage in both the stock markets, and in the retail markets.

CTS Labs, through the sequence of its actions, has attempted to shift the burden of proof from itself to AMD, which is extremely uncommon in the IT security industry. With the lack of proof-of-concept of these vulnerabilities in the public domain, an environment of fear, uncertainty, and doubt (FUD) is being developed, with AMD being occupied with testing its chips for these vulnerabilities, and still far away from releasing patches, if the vulnerabilities are real. This places anyone with a shorting position against AMD stock at a distinct advantage. The strategy of AMD investor relations and corporate communications should now be to allay many of those fears among people without access to the proof-of-concept, and to ask investors to refrain from giving in to FUD.

View at TechPowerUp Main Site

 

[_JP_]

Still looks like "boy who cried wolf", in the execution.

 

[RejZoR]

It still reeks of Intel's interefrence even if all the vulnerabilities are true. Though some are already BS from the get go, like the requirement of having a physical local admin access to the system. At that point, can it even be classified as a "vulnerability"? If you have that, you're basically managing the system. Which in the end can be run by any CPU of any kind and be "vulnerable" to anything you throw at it. Not to mention how the whole thing is being handled, Meltdown/Spectre that affected Intel the worst, public had no knowledge of it for months. Here, they give AMD a 24 hour ultimatum. That's total BS. Someone doesn't care about actual security as much as they care about attention whoring and crashing someone's stocks...

 

[W1zzard]

physical local admin access to the system

Physical access is not required, just admin privileges

 

[dorsetknob]

"Oh My GOD"
All my AMD systems Can be Compromised
Must Go OFF line Till they Solve This..................> Hang on not got an AMD System

Just in Case i must wrap all my PC's in Tin foil (that will work won't it)

 

[RejZoR]

Physical access is not required, just admin privileges

Still, when you have admin access, does it really matter at that point anymore?

 

[ssdpro]

Even if it leans more true now, all products have the possibility of security vulnerabilities. This company should have given AMD and other companies more time with the information.

AMD is very quiet now going on 48 hours so it looks like at least some of it is verified. If CTS didn't really provide the code and methods AMD would have just said "CTS hasn't provided any details or code as claimed and so far we are unable to verify these claims. We will continue to investigate and provide additional information as it becomes available". That statement hasn't come.

 

[Basard]

So do any of these hacks help one gain admin privileges?

 

[VulkanBros]

CTS Labs, the Israel-based IT security research company

- should be "CTS Labs, the Intel-based IT security research company"

 

[W1zzard]

Still, when you have admin access, does it really matter at that point anymore?

Physical access and admin access are two vastly different things. Every malware gets onto PCs through admin access, tons of computers get infected every day, so this is not a non-issue.
The difference here is that the malware can be hidden in a way that's undetectable from security software and persists through reboot, and OS reinstall, which means "buy a new computer" for 99% of the population.

So do any of these hacks help one gain admin privileges?

No

 

[owen10578]

Physical access and admin access are two vastly different things. Every malware gets onto PCs through admin access, tons of computers get infected every day, so this is not a non-issue.
The difference here is that the malware can be hidden in a way that's undetectable from security software and persists through reboot, and OS reinstall, which means "buy a new computer" for 99% of the population.

So you're saying you believe this? Without further evidence yet?

 

[oxidized]

So you're saying you believe this? Without further evidence yet?

Has he written somewhere he believes this?

 

[W1zzard]

So you're saying you believe this? Without further evidence yet?

It looks sufficiently credible to me to not ignore it, which is why we are reporting on this at TPU. You are right of course that more evidence is needed, which doesn't seem that far away, days at max, probably hours.

I feel I have an excellent understanding of what they described and am trying to provide insights, and help clear up misunderstandings.

 

[Durvelle27]

 

[laszlo]

It looks sufficiently credible to me to not ignore it, which is why we are reporting on this at TPU. You are right of course that more evidence is needed, which doesn't seem that far away, days at max, probably hours.

I feel I have an excellent understanding of what they described and am trying to provide insights, and help clear up misunderstandings.

so in your opinion having admin privileges and needed know-how only amd systems are vulnerable? intel cpu's don't execute the admin code ?

if the findings are correct i bet can be reproduced on all available hardware .....

 

[IceScreamer]

Really curious what will happen. Considering how dubious those researches seem these appear to be legitimate vulnerabilities.

 

[the54thvoid]

It looks sufficiently credible to me to not ignore it, which is why we are reporting on this at TPU. You are right of course that more evidence is needed, which doesn't seem that far away, days at max, probably hours.

I feel I have an excellent understanding of what they described and am trying to provide insights, and help clear up misunderstandings.

How does one execute remote admin privileges? You would need to allow access initially via relevant software (remote diagnostics?) or have a prior malware installed to allow such access?

 

[W1zzard]

How does one execute remote admin privileges? You would need to allow access initially via relevant software (remote diagnostics?) or have a prior malware installed to allow such access?

Malware, through same methods that infects thousands of PC each day.

 

[newtekie1]

"If you look at the situation in the following way: right now the public knows about the vulnerabilities and their implications, AMD is fully informed and developing patches, and major security companies are also informed and working on mitigation."

This is in contrast to the unintentional consequence of keeping Meltdown/Spectre away from the public domain for over half a year, allowing Intel's senior executives to dump company stock, and for big cloud computing providers to harden their infrastructure, giving themselves a competitive advantage over smaller providers.

This is putting a monetary goal in front of keep things secure and that's BS if CTS is trying to be taken seriously. Telling the public does not help anything in these situations, it makes things worse, and any real security firm would know that. You give the information to the company it affects, AMD in this case, and at least give them some time to develop patches or updates to fix the vulnerabilities. Again, 90 days is standard, because the sooner you let the public know the vulnerabilities exist, the sooner malicious people know the vulnerabilities exist and begin to start exploiting them. What CTS did was basically hand hackers instructions on how to exploit these vulnerabilities immediately without giving AMD any time to fix them. That isn't keeping people secure, that is just CTS trying to make a name for themselves by putting their own profit ahead of the public's security.

How does one execute remote admin privileges? You would need to allow access initially via relevant software (remote diagnostics?) or have a prior malware installed to allow such access?

How do you think pretty much all other malware infects systems? How do you think ransomware works? I'll give you a hint: Admin Level Code.

90% of writing malicious programs these days is tricking the users into running it on their systems.

The difference here is that the malware can be hidden in a way that's undetectable from security software and persists through reboot, and OS reinstall, which means "buy a new computer" for 99% of the population.

Exactly, this is the scary part. I don't think we've seen a good BIOS virus in decades!

 

[xkm1948]

Oh look, more BS from the scam company CTS

 

[Kaotik]

This is putting a monetary goal in front of keep things secure and that's BS if CTS is trying to be taken seriously. Telling the public does not help anything in these situations, it makes things worse, and any real security firm would know that. You give the information to the company it affects, AMD in this case, and at least give them some time to develop patches or updates to fix the vulnerabilities. Again, 90 days is standard, because the sooner you let the public know the vulnerabilities exist, the sooner malicious people know the vulnerabilities exist and begin to start exploiting them. What CTS did was basically hand hackers instructions on how to exploit these vulnerabilities immediately without giving AMD any time to fix them. That isn't keeping people secure, that is just CTS trying to make a name for themselves by putting their own profit ahead of the public's security.

They even admit in their whitepaper that they have economic intereset in the issue, which leads to Viceroy Research, who released pretty much instantly after the "whitepaper" release "AMD Obituary" saying that AMD stock price should be $0.00 and they need to file for Chapter 11 bankruptcy. Viceroy Research is already under investigation in Germany on similar matters https://www.cnbc.com/2018/03/12/reu...ys-viceroys-prosieben-report-broke-rules.html

Also, to repeat what probably has been said already several times.
One of the "vulnerabilities" requires admin access and malicious BIOS, the rest require admin access and vendor signed malicious drivers.
In the point where your system, network or some such could be vulnerable to these would require you to have someone with malicious intent and admin access to your systems - and at that point every single possible system is already compromised, no matter if it's AMD or anyone else.

 

[Dave65]

I don't trust Israel on anything expecially Political stuff.

Same here..

 

[newtekie1]

Also, to repeat what probably has been said already several times.
One of the "vulnerabilities" requires admin access and malicious BIOS, the rest require admin access and vendor signed malicious drivers.
In the point where your system, network or some such could be vulnerable to these would require you to have someone with malicious intent and admin access to your systems - and at that point every single possible system is already compromised, no matter if it's AMD or anyone else.

The one vulnerability allows malicious BIOS to be installed. That is a pretty big issue actually. Beyond the normal malware we see today, because it allows the malware to persist even after a reformat and OS re-install, even after a full replacement of the storage drives. That actually is pretty bad.

 

[Countryside]

If this thing keeps rolling on CTS might even afford to get some real office space.

Anyway im waiting for AMDs offcial response and after that we can get this show on the road.

 

[Fleurious]

So refreshing to see the Oxford comma being used in an article.

Also, regardless of their excuse, 24hrs notice before going public was a stupid decision.