CTS Labs Posts Some Clarifications on AMD "Zen" Vulnerabilities

[thesmokingman]

If I have admin rights on a PC with an Intel chipset, can I not flash tha BIOS with a malware infected version or do Intel CPU's detect that tampering?

Hell yes. This brings up many questions that are not asked by this article so let me try...

By its own statements, CTS Labs tested and developed a proof of concept exploit for Asmedia controllers before it was aware these controllers were incorporated into Ryzen chipsets. Where, then, is the website AsmediaFlaws.com? Where’s the notification to tell Intel motherboard customers that the chips on their motherboards can be similarly backdoored and abused? This isn’t a theoretical; I’m writing this article from an Ivy Bridge-E system powered by an Asus X79-Deluxe motherboard with an Asmedia 1042 controller.

Where is TPU in this?

https://www.extremetech.com/computi...ty-disclosures-digs-deeper-hole#disqus_thread

 

[Xuper]

atm on Ryzen system , It's impossible to do flash modded bios without USB Flash, You need to boot USB flash via UEFI Boot setting.
Feel free to read this guide , How to flash Modded Bios (Yep So damn many hard STEP ):

https://puissanceled.com/vrac/Bios_modding/EN.html

Edit : oh i forgot something ,on my ASUS Prime X370 Pro , i updated Bios but I can't revert back to Old Bios, This does Not allow me ,I don't know it's ASUS or New Version of AMD AGESA 1.0.0.6

 

[Thimblewad]

I've thought about this a bit and well, I believe that the big corporations should have security things in check (I mean not having an admin mode as a basic user is as easy as a tick in the Active User Directory settings in Windows servers for example, a sysadmin should know his shit), but companies with not so savy IT support (there's a lot of so-called IT guys out there, A LOT) could have huge problems.

Also, most of these still seem to require physicall access so.

 

[ShurikN]

The thing I dislike the most about this entire situation is that more research and interesting info came from TPU members than editors themselves. As a matter of fact the entirety of cts articles is copy-pasted sensationalism for nothing but clicks. And it looks extremely unprofessional. You're gonna lose readership in the end, and no amount of click-bait articles will help you then.
Edit, quoted wizz by mistake.

 

[efikkan]

In general terms, if a system really remains persistently compromised across OS installs, is definitely something to take seriously, even if it takes admin privileges to get infected*. That is not to say it's an immediate threat to either consumers, enterprises or cloud providers, and is not nearly worthy the devastating effect implied by the "ryzenfall" nickname.
*) There have been ways to do privilege escalation.

Note: I'm not commenting on the validity of the claimed vulnerabilities by CTS-Labs. I would encourage everyone to remain skeptical and wait for potential evidence.

 

[Jism]

The thing I dislike the most about this entire situation is that more research and interesting info came from TPU members than editors themselves. As a matter of fact the entirety of cts articles is copy-pasted sensationalism for nothing but clicks. And it looks extremely unprofessional. You're gonna lose readership in the end, and no amount of click-bait articles will help you then.
Edit, quoted wizz by mistake.

Things go so fast these days, it's hard for a writer to keep up with all these trends, posts and whatever.

Every CPU has flaws. Live with it. It's so complex and the focus is more on performance then hardened security.

However it suprises me that the Ryzen pro has these simular flaws, when bios is modded. Ryzen pro is being sold as a 'safer' CPU compared to normal ryzen.

 

[ssdpro]

As a matter of fact the entirety of cts articles is copy-pasted sensationalism for nothing but clicks. And it looks extremely unprofessional. You're gonna lose readership in the end, and no amount of click-bait articles will help you then.

The problem is AMD hasn't handled it well. AMD has had no comment other than their strange blog post acknowledging the investigation into the claimed vulnerabilities. That post wasn't even written in clear professional terms ("certain of our processors" and doesn't even have a date). Until AMD writes/speaks and either declares the vulnerabilities fake or explains complexity it will continue being a story and TPU needs to cover it. You don't get bona fide debunks from random users named "BiGchiCKens14", you get it from the company.

 

[mcraygsx]

Nexus Gamers did good job covering this story with their own input on this.

https://www.gamersnexus.net/industry/3260-assassination-attempt-on-amd-by-viceroy-research-cts-labs

 

[lexluthermiester]

Couldn't you guys at least be more skeptical instead of just regurgitating what CTS says? I guess it brings in clicks huh?

They are reporting news and sharing the known information. Why should they be skeptical at all? Regardless of whether or not CTS is shady or legit, the vulnerabilities in question need to be taken seriously. It would be irresponsible and unprofessional to take this news less than seriously. And if it turns out to be nonsense than they can post that news too. Is that aspect of journalism clear now?

 

[DeathtoGnomes]

They are reporting news and sharing the known information. Why should they be skeptical at all? Regardless of whether or not CTS is shady or legit, the vulnerabilities in question need to be taken seriously. It would be irresponsible and unprofessional to take this news less than seriously. And if it turns out to be nonsense than they can post that news too. Is that aspect of journalism clear now?

Idk, posting fake news because it made front page headlines seems kinda normal since Trump took office. The fact this this whole report could be part of some agenda to drive AMD stock down does not too far fetched either.

 

[WikiFM]

Nexus Gamers did good job covering this story with their own input on this.

https://www.gamersnexus.net/industry/3260-assassination-attempt-on-amd-by-viceroy-research-cts-labs

I liked it and I agree that the timing of presenting the news was sharply calculated, since AMD is about to launch Ryzen 2000 series, also very suspicious that CTS was created just after Intel was informed of Meldown, I couldn't but wonder that Intel is implicated. Nexus asked Intel about it, and of course they denied it, what they were expecting, "Yes we are involved" morons!
Anyway they agree that the flaws threat is there, and that it needs further analysis.

 

[Hood]

Of course the threats are real. Those who suggest it's all BS made up by Intel have not thought it through. Can you imagine the backlash if none of this is verified? It would be terrible. Has anyone forgotten how loudly the AMD fans crowed when Spectre/Meltdown came out? Especially at first, when AMD was saying their CPUs were not affected at all. Intel may have had a hand in the way the news was released so soon, but nothing is proven, and those stating it as a fact are sounding real paranoid. Seems like AMD fans are still suffering from "underdog syndrome", despite their glowing posts about how Ryzen put Intel in it's place.

 

[commission3r]

All the butt-hurt amd girls raging above, so pathetic.

Yes sure, you should criticize the messenger...

Also, how many people are running windows in admin mode even without knowing it? Yeah, a shitload of them!
SO if all it takes is to run an exe file and then it will be sitting low level and even OS reinstall can't flush it out, then it's a huge fucking problem and amd should be balls grilled for it! Anyone who says otherwise is a brainwashed idiot and a fanboi.

do you actually use windows?

i ask because anytime you run an exe, you need to click yes it can run
unless of course you've disabled uac

 

[evernessince]

It may be that CTS is trolling, but your assertion is off-base. For TPU to be the only site to not cover this, as you appear to want, would have been a sure way for a site-owner like W1zzard to have their site relegated to a back burner, to be 2nd or 3rd tier. People won’t go to sites that they realize just don’t cover events.

Agreed. I do wish that appropriate caution was displayed in the title / near the top of the article though. The way I read the CTS titles, TPU makes them appear legitimate despite industry wide concensus of the inverse.

This. I find it very strange AMD has stayed so quiet in last 72 hours. We still only have the STRANGE blog post about "certain of our processors" that doesn't even have a date.

It takes more than 72 hours for AMD to verify these security claims with complete certainty. There's a reason why it's common practice to give companies 3 months before revealing an exploit / bug. If AMD rushes things and makes an incorrect statement, it gets sued.

We can't all be like CTS labs and post a disclaimer that relieves them of all liability if what they say is actually false.

 

[Prince Valiant]

They are reporting news and sharing the known information. Why should they be skeptical at all? Regardless of whether or not CTS is shady or legit, the vulnerabilities in question need to be taken seriously. It would be irresponsible and unprofessional to take this news less than seriously. And if it turns out to be nonsense than they can post that news too. Is that aspect of journalism clear now?

Was another news post necessary though? Pin the thing and update as needed.

Hell yes. This brings up many questions that are not asked by this article so let me try...

Where is TPU in this?

https://www.extremetech.com/computi...ty-disclosures-digs-deeper-hole#disqus_thread

I guess they're not interested, thanks for the link.

 

[lexluthermiester]

Was another news post necessary though? Pin the thing and update as needed.

That's one solution, and might work. But the owners, admin's, editors and staff run the site and in ways they find acceptable. Outsiders complaining about aspects of the site that are not related to it's functionality are really not as constructive as people might think.

If there's an article people don't want to read, don't read it. No one is twisting anyone else's arm. Complaining about doesn't help anything.

 

[eidairaman1]

So everyday im hacking my own computer LOL

TPU never wrote anything positive about AMD. Wondering if the staff is payed by Intel, Nvidia and CTS labs.

Easy there man, this is the site that started the hardware mods for radeon cards.

I'm sure deep down most staff want AMD to do something amazing to keep prices down for both Intel and AMD users, aka the consumer no matter the camp wins.

 

[xkm1948]

Very good read from AnandTech. They had a recorded phone call with these so called CTS experts.

https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs


So almost all motherboards that have Asmedia chipsets, including millions of Intel motherboards, are affected by CTS self proclaimed "vuneribility" Really strange why they choose to only target AMD. I wonder.

Also the final part of their conversation is almost comical:

Anandtech: Who do you work for?
CTS: Sorry bruh gotta go.

hahaha

 

[jigar2speed]

This. I find it very strange AMD has stayed so quiet in last 72 hours. We still only have the STRANGE blog post about "certain of our processors" that doesn't even have a date.

Its not strange, its the protocol. They will have to triple confirm before they make any statement about this vulnerabilities.

 

[RejZoR]

The problem is AMD hasn't handled it well. AMD has had no comment other than their strange blog post acknowledging the investigation into the claimed vulnerabilities. That post wasn't even written in clear professional terms ("certain of our processors" and doesn't even have a date). Until AMD writes/speaks and either declares the vulnerabilities fake or explains complexity it will continue being a story and TPU needs to cover it. You don't get bona fide debunks from random users named "BiGchiCKens14", you get it from the company.

CTS whatever idiots gave AMD 24 hours to investigate. That's not enough time for anything, let alone give a statement. Now, compare that to Spectre/Meltdown where Intel had months to deal with it during which time execs sold Intel shares, tried to cover it up until it exploded with outrage from users who found out about it. But people are giving AMD shit for not responding in a one single day. Not to mention this one really isn't as bad of an issue as people make it to be. Spectre and Meltdown were true exploits with privilege escalation issue where non admin could access admin stuff and system. With Ryzen stuff, sure, it's still a valid thing, but to get it working in the first place you have to meet a bunch of rather absurd conditions, of which first one is having admin access.

What I see as an issue is selling of used chips thar are compromised where user had direct access to chip as admin and modified it. That is however a legit concern. Still, I wonder how such CPU would cause a concern in terms of what useful can you actually put into it permanently that would then work in a destination system as a security or privacy risk.

 

[thesmokingman]

Very good read from AnandTech. They had a recorded phone call with these so called CTS experts.

https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs


So almost all motherboards that have Asmedia chipsets, including millions of Intel motherboards, are affected by CTS self proclaimed "vuneribility" Really strange why they choose to only target AMD. I wonder.

Also the final part of their conversation is almost comical:

Anandtech: Who do you work for?
CTS: Sorry bruh gotta go.

hahaha

Don't forget this gem.

IC: Can you confirm that money changes hands with Trail of Bits?


(This was publicly confirmed by Dan Guido earlier, stating that they were expecting to look at one test out of curiosity, but 13 came through so they invoiced CTS for the work. Reuters reports that a $16000 payment was made as ToB’s verification fee for third-party vulnerability checking)


YLZ: I would rather not make any comments about money transactions and things of that nature. You are free to ask Trail of Bits.

In context, the first news was predicated on Guido's statements that these are all real exploits. And then $16,000 dollars later CTS now has a pedestal upon which preach their sermon.



And then most comical is their statement that they have 16 years of experience in the field. What field???

IC: Can you elaborate as to why you did not wait for those numbers to come through before going live?


ILO: It’s our first time around. We haven’t – I guess we should have – this really is our first rodeo.

What's even more appalling given the context is that they said that they discovered the ASMedia bugs about a year ago. That is more than ample time to legitimately report their findings. But no they sit on it waiting for the right moment to spank AMD specifically. Why AMD specifically when as they claim the bugs/back doors affect every motherboard that uses said ASMedia chips?

What we found are these backdoors that we have been describing that come built into the chips – there are two sets of backdoors, hardware backdoors and software backdoors, and we implemented clients for those backdoors. The client works on AMD Ryzen machines but it also works on any machine that has these ASMedia chipsets and so quite a few motherboards and other PCs are affected by these vulnerabilities as well.

This shit stinks to high heaven.

 

[R0H1T]

Fair to say CTS is FoS

They've got lots to hide & no real answers to tough/straight questions.

 

[Assimilator]

I have to say, I'm really liking this anti-s**tposting feature. Being able to read through a thread knowing that all the visible posts are the high-quality ones that actually contribute to the topic at hand, as opposed to having to read every post and discard the contents of the rubbish ones, will really make my life easier. It will also encourage people to post higher quality content if they don't want to get "censored".

At the end of the day, while there is room for abuse of this feature, and it's a slippery slope and a thin red line... TPU would not have had to implement it if certain people didn't keep posting statements that are outright untrue, complete nonsense, or are of the form "LOL company <X> is teh evil because of <FUD>". I'd also encourage you to remember that these are TPU's forums, not yours, and as such they can do whatever they damn well please.

On to the topic at hand...

While I agree that actually exploiting these vulnerabilities is nowhere near as easy as Meltdown/Spectre, the fact of the matter remains that they are still vulnerabilities. Let's say that an attacker builds a phishing email that looks like it's from a motherboard vendor, and sends it to a list of email addresses obtained from one of the hundreds of account dumps online. That email redirects to a phishing website that recommends users to download an EXE from it to "patch" their computer's Ryzen vulnerabilitieis. That EXE, of course, contains code that exploits some, or all, of those vulnerabilities. Users are gonna download that file, run it, say "yes" when prompted by UAC, and boom, they're compromised.

So discarding these as "real" vulnerabilities because they need admin access is shortsighted, because users (as always) are the weakest link in computer security.

 

[librin.so.1]

They keep mentioning
>Windows Credential Guard
>Windows-based enterprise networks
>Signed driver on Windows (for chimera)

I wonder why they haven't even mentioned Linux, which, when it comes to EPYC line and to a lesser degree, Threadripper line, is basically what any sensible enterprise would be running on those.
The complete lack of mention is really odd. At the very least, they're expected to mention that it's untested, if they haven't touched that bit. But these guys? Nothing.
(Of course there's also OS X, but I am not sure if any current Apple systems have AMD cpus in them at all.)

 

[lanlagger]

I am really sad seing this Low quality posts and attitude from TPU personal !!
let me explain:
Low quality posts from TPU staff - you basically gave free Press (all they ever could wanted) to Stock price manipulators (multiple times - when lot of other tech portals stopped after first news, waiting for some more credible source confirmations).
Low quality attitude from TPU staff - sadly in this case self explanatory