• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

CTS-Labs Responds to a TechPowerUp Technical Questionnaire

cadaveca

My name is Dave
Joined
Apr 10, 2006
Messages
17,232 (2.54/day)
A firmware flag that disables the hardware at boot. which is the only hope that we would have with AMD's PSP. You see, that HAP bit wasn't even discovered until recently... nearly a decade later. So it is more than possible that similar exists for AMD, but hasn't been found yet.
 

OneMoar

There is Always Moar
Joined
Apr 9, 2010
Messages
8,794 (1.65/day)
Location
Rochester area
System Name RPC MK2.5
Processor Ryzen 5800x
Motherboard Gigabyte Aorus Pro V2
Cooling Thermalright Phantom Spirit SE
Memory CL16 BL2K16G36C16U4RL 3600 1:1 micron e-die
Video Card(s) GIGABYTE RTX 3070 Ti GAMING OC
Storage Nextorage NE1N 2TB ADATA SX8200PRO NVME 512GB, Intel 545s 500GBSSD, ADATA SU800 SSD, 3TB Spinner
Display(s) LG Ultra Gear 32 1440p 165hz Dell 1440p 75hz
Case Phanteks P300 /w 300A front panel conversion
Audio Device(s) onboard
Power Supply SeaSonic Focus+ Platinum 750W
Mouse Kone burst Pro
Keyboard SteelSeries Apex 7
Software Windows 11 +startisallback
A firmware flag that disables the hardware at boot. which is the only hope that we would have with AMD's PSP. You see, that HAP bit wasn't even discovered until recently... nearly a decade later. So it is more than possible that similar exists for AMD, but hasn't been found yet.
except just removing the me modules from the bios is suffient the flag is just anouther way todo that
the HAP firmware flag turns it off removing the modules from the image kills it dead ...

can you really call that a 'hardware' bug
cts is claiming this is some hardwired thing in the asic which is complete malarky

even if it was it doesn't matter if it is because whatever software you need to run to take advantage of said thing can be soft patched
 
Last edited:
Joined
Aug 20, 2007
Messages
21,405 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
The unpatchable ASIC-level backdoors are in the chipset gents, not the PSP. :rolleyes:
 
Joined
Nov 13, 2007
Messages
10,679 (1.72/day)
Location
Austin Texas
System Name Planet Espresso
Processor 13700KF @ 5.5GHZ 1.285v - 235W cap
Motherboard MSI 690-I PRO
Cooling Thermalright Phantom Spirit EVO
Memory 48 GB DDR5 7600 MHZ CL36
Video Card(s) RTX 4090 FE
Storage 2TB WD SN850, 4TB WD SN850X
Display(s) Alienware 32" 4k 240hz OLED
Case Jonsbo Z20
Audio Device(s) Yes
Power Supply Corsair SF750
Mouse Xlite V2
Keyboard 65% HE Keyboard
Software Windows 11
Benchmark Scores They're pretty good, nothing crazy.
Yes, there are ways to crack a network once you're inside and have admin authoritatives to even one machine on that network. Such access can be structured to grant admin access to many other machines on the same network, regardless of domains.

Right but my question is - how do any of these exploits, which can only be run after you already have local admin access locally, help you do that?
 
Low quality post by Vya Domus
Joined
Jan 8, 2017
Messages
9,389 (3.29/day)
System Name Good enough
Processor AMD Ryzen R9 7900 - Alphacool Eisblock XPX Aurora Edge
Motherboard ASRock B650 Pro RS
Cooling 2x 360mm NexXxoS ST30 X-Flow, 1x 360mm NexXxoS ST30, 1x 240mm NexXxoS ST30
Memory 32GB - FURY Beast RGB 5600 Mhz
Video Card(s) Sapphire RX 7900 XT - Alphacool Eisblock Aurora
Storage 1x Kingston KC3000 1TB 1x Kingston A2000 1TB, 1x Samsung 850 EVO 250GB , 1x Samsung 860 EVO 500GB
Display(s) LG UltraGear 32GN650-B + 4K Samsung TV
Case Phanteks NV7
Power Supply GPS-750C
Low quality post by Aquinus

Aquinus

Resident Wat-man
Joined
Jan 28, 2012
Messages
13,162 (2.82/day)
Location
Concord, NH, USA
System Name Apollo
Processor Intel Core i9 9880H
Motherboard Some proprietary Apple thing.
Memory 64GB DDR4-2667
Video Card(s) AMD Radeon Pro 5600M, 8GB HBM2
Storage 1TB Apple NVMe, 4TB External
Display(s) Laptop @ 3072x1920 + 2x LG 5k Ultrafine TB3 displays
Case MacBook Pro (16", 2019)
Audio Device(s) AirPods Pro, Sennheiser HD 380s w/ FIIO Alpen 2, or Logitech 2.1 Speakers
Power Supply 96w Power Adapter
Mouse Logitech MX Master 3
Keyboard Logitech G915, GL Clicky
Software MacOS 12.1
I bet , that's why they made a fancy website packed full of FUD.
...and with a name like "Ryzenfall," I would expect them to start talking considering even the name seems deliberately chosen to spread FUD.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
41,882 (6.61/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
Well time to move along. Until AMD responds to any of this I'm nit holding my breath
 
Low quality post by DeathtoGnomes
Joined
Jul 16, 2014
Messages
8,195 (2.18/day)
Location
SE Michigan
System Name Dumbass
Processor AMD Ryzen 7800X3D
Motherboard ASUS TUF gaming B650
Cooling Artic Liquid Freezer 2 - 420mm
Memory G.Skill Sniper 32gb DDR5 6000
Video Card(s) GreenTeam 4070 ti super 16gb
Storage Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Steeseries Esports Wireless
Keyboard Corsair K100
Software windows 10 H
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
Last edited:

OneMoar

There is Always Moar
Joined
Apr 9, 2010
Messages
8,794 (1.65/day)
Location
Rochester area
System Name RPC MK2.5
Processor Ryzen 5800x
Motherboard Gigabyte Aorus Pro V2
Cooling Thermalright Phantom Spirit SE
Memory CL16 BL2K16G36C16U4RL 3600 1:1 micron e-die
Video Card(s) GIGABYTE RTX 3070 Ti GAMING OC
Storage Nextorage NE1N 2TB ADATA SX8200PRO NVME 512GB, Intel 545s 500GBSSD, ADATA SU800 SSD, 3TB Spinner
Display(s) LG Ultra Gear 32 1440p 165hz Dell 1440p 75hz
Case Phanteks P300 /w 300A front panel conversion
Audio Device(s) onboard
Power Supply SeaSonic Focus+ Platinum 750W
Mouse Kone burst Pro
Keyboard SteelSeries Apex 7
Software Windows 11 +startisallback
asic != fpga
fixed
sorry I was laughing so hard I got there fud mixed up
my point stands if its a hardwired backdoor then what exactly is it and how do you access it
because as far as I know its not possible to implement a backdoor in hardware without some software component to expose it so You can access it

you can create some functionality and some registers that say if you write X to Y address or set Z register then allow XY action

you still can patch that at the bios level or even at the os level via blocking those addresses /register access

and even if you could I can't see you doing anything with that that you couldn't already do with administrative access and other exploits

unless you are probing the chip with a paperclip and sewing needle .... :roll:

since its seemly the theme of the week I am gonna take a complete flying guess here and say whatever this supposed 'hardware exploit' is its probably some kind of service or programing flag/interface for the oem modern chipsets have TONS of undocumented registers and such that the OEM uses todo various things in the chipsets manufacturing/programing process. hell

some arm chips have a 'magic' set of registers that if you set grants unrestricted access to all of the SOC's memory, or force it to boot in a different mode for service
 
Last edited:

cadaveca

My name is Dave
Joined
Apr 10, 2006
Messages
17,232 (2.54/day)
The unpatchable ASIC-level backdoors are in the chipset gents, not the PSP. :rolleyes:
I know. However, there is a flaw in the Intel ME, and all they can really do is disable it... but just how secure is that disabling, and can you re-enable it? This is part of the problem with "bugs" such as this. An attacker with local access to the machine can do a tonne of damage, of course, and if you want true security, that should not be possible. You know this particular ME issue revolves around using default passwords such as just "admin" for this access? Not many people even know about Intel's AMT.

since its seemly the theme of the week I am gonna take a complete flying guess here and say whatever this supposed 'hardware exploit' is its probably some kind of service or programing flag/interface for the oem modern chipsets have TONS of undocumented registers and such that the OEM uses todo various things in the chipsets manufacturing/programing process. hell

some arm chips have a 'magic' set of registers that if you set grants unrestricted access to all of the SOC's memory, or force it to boot in a different mode for service
This is basically exactly what is the case with these back doors. The reason I mentioned Intel's ME is because Intel patched it recently because of this functionality, and AMD patched their PSP recently as well (like in 2018). However, because these are SOFTWARE patches, as you say, and these software patches are supposed to limit the hardware's abilities in order to secure the system, that software can be compromised again. These are hardware features purposely built into these chips that have made our PCs vulnerable. The whole idea that you need to give an OEM 30 or 90 days before public disclosure when finding such a big, to me, is ludicrous. Why, so they can bury the issue? Doesn't matter whether it's Intel, AMD, or whoever in whatever industry...

People's reaction to most of this has been the most amazing thing to me. I'm just gonna take a step back here and turn around, and walk away. Enjoy your conversation, folks. :p
 
Joined
Jul 13, 2016
Messages
3,249 (1.07/day)
Processor Ryzen 7800X3D
Motherboard ASRock X670E Taichi
Cooling Noctua NH-D15 Chromax
Memory 32GB DDR5 6000 CL30
Video Card(s) MSI RTX 4090 Trio
Storage Too much
Display(s) Acer Predator XB3 27" 240 Hz
Case Thermaltake Core X9
Audio Device(s) Topping DX5, DCA Aeon II
Power Supply Seasonic Prime Titanium 850w
Mouse G305
Keyboard Wooting HE60
VR HMD Valve Index
Software Win 10
"CTS: AMD only sent us a confirmation that they received the materials. We are curious what's taking them so long. It only took CrowdStrike one day to have a good understanding of the vulnerabilities. It took two days for Microsoft Security to be completely on top of it, and Trail of Bits validated our research in its entirety within five days. "

Wow, professional.

What a bunch of asshats. Who would want to work with these guys, who you are supposed to hire to discover vulnerabilities, when they spend more time bashing than actually laying technical details. How exactly is it odd given the time that's passed? It hasn't even been a week. Intel had 6 months and that still wasn't enough.

What I am confused about is the response to:

TPU: How do you respond to people saying that once an attacker has administrative access, you are f'd anyway? How are the attacks you uncovered more severe?
CTS: This is misleading and incorrect. Attackers think of machines not as individual nodes but as part of a network. Gaining local administrative access on a compromised computer inside an organization is easy for attackers. The challenge is moving laterally from there to other machines, and maintaining access for the future. That is exactly what these vulnerabilities provide.

How do these vulnerabilities allow 'moving laterally from there to other machines', if the you don't have access Admin access to the other machines on the network? Once you have admin access to a machine you can install a whole host of malware that will maintain access... but wouldn't these specific vulnerabilities still be useless for moving across the network?

I'm a local admin on my machine, it would be very, very difficult for me to install a driver or flash a bios across the network on a machine where my local admin account doesn't exist.... and once you have domain admin you have access to the whole network... so am I missing something?

Technically speaking, once you have admin access you should be able to move latterally in a newtwork depending on the computer's permissions. That really has nothing to do with the vulnerabilities discuessed here specificially, it's not like they have anything to do with accessing other computers on the network.
 
Last edited:

bug

Joined
May 22, 2015
Messages
13,718 (3.97/day)
Processor Intel i5-12600k
Motherboard Asus H670 TUF
Cooling Arctic Freezer 34
Memory 2x16GB DDR4 3600 G.Skill Ripjaws V
Video Card(s) EVGA GTX 1060 SC
Storage 500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 2TB Crucial MX500
Display(s) Dell U3219Q + HP ZR24w
Case Raijintek Thetis
Audio Device(s) Audioquest Dragonfly Red :D
Power Supply Seasonic 620W M12
Mouse Logitech G502 Proteus Core
Keyboard G.Skill KM780R
Software Arch Linux + Win10
"CTS: AMD only sent us a confirmation that they received the materials. We are curious what's taking them so long. It only took CrowdStrike one day to have a good understanding of the vulnerabilities. It took two days for Microsoft Security to be completely on top of it, and Trail of Bits validated our research in its entirety within five days. "

Wow, professional.

What a bunch of asshats. Who would want to work with these guys, who you are supposed to hire to discover vulnerabilities, when they spend more time bashing than actually laying technical details. How exactly is it odd given the time that's passed? It hasn't even been a week. Intel had 6 months and that still wasn't enough.

They made it pretty clear that because of the short notice, they will not release any technical details to the public. They've released proof of concept attacks to all other parties though.
 
Joined
Jun 23, 2016
Messages
74 (0.02/day)
The part you quoted (and I responded to) referencing the ASIC only pertains to the chipset, so I am unsure why you are bringing the PSP into this at all. The chipset is the only area in which hardcoded backdoors apply. The PSP exploits are different. The PSP can be patched and they admitted that if you read.

People need to stop blindly thanking people who clearly don't even understand what's going on here.
My bad. I must have misread because they called it the Ryzen chipset. There are multiple of those so I may have read it as Ryzen chip instead.

In any case, the ASMedia vulnerability is a desktop wide problem if the backdoors pertain to USB controllers. All Ryzen desktop motherboards are affected and probably somewhere between a quarter and half of Intel-based boards have ASMedia controllers. I know mine has.
Either way it really speaks volumes about the dangers of outsourcing a major component in your ecosystem. It would probably be a good idea to bring it back in-house or find a more reliable vendor.
 
Joined
Sep 28, 2012
Messages
979 (0.22/day)
System Name Poor Man's PC
Processor AMD Ryzen 7 7800X3D
Motherboard MSI B650M Mortar WiFi
Cooling Thermalright Phantom Spirit 120 with Arctic P12 Max fan
Memory 32GB GSkill Flare X5 DDR5 6000Mhz
Video Card(s) XFX Merc 310 Radeon RX 7900 XT
Storage XPG Gammix S70 Blade 2TB + 8 TB WD Ultrastar DC HC320
Display(s) Xiaomi G Pro 27i MiniLED
Case Asus A21 Case
Audio Device(s) MPow Air Wireless + Mi Soundbar
Power Supply Enermax Revolution DF 650W Gold
Mouse Logitech MX Anywhere 3
Keyboard Logitech Pro X + Kailh box heavy pale blue switch + Durock stabilizers
VR HMD Meta Quest 2
Benchmark Scores Who need bench when everything already fast?
Been in a deep slumber,and awaken for this.I ain't no expert,but as VM operator i'm gonna check if this "bug" really a bug.Gonna be a long way trace back this news :D
 
Top