CTS-Labs Responds to a TechPowerUp Technical Questionnaire

[cadaveca]

A firmware flag that disables the hardware at boot. which is the only hope that we would have with AMD's PSP. You see, that HAP bit wasn't even discovered until recently... nearly a decade later. So it is more than possible that similar exists for AMD, but hasn't been found yet.

 

[OneMoar]

A firmware flag that disables the hardware at boot. which is the only hope that we would have with AMD's PSP. You see, that HAP bit wasn't even discovered until recently... nearly a decade later. So it is more than possible that similar exists for AMD, but hasn't been found yet.

except just removing the me modules from the bios is suffient the flag is just anouther way todo that
the HAP firmware flag turns it off removing the modules from the image kills it dead ...

can you really call that a 'hardware' bug
cts is claiming this is some hardwired thing in the asic which is complete malarky

even if it was it doesn't matter if it is because whatever software you need to run to take advantage of said thing can be soft patched

 

[R-T-B]

The unpatchable ASIC-level backdoors are in the chipset gents, not the PSP.

 

[phanbuey]

Yes, there are ways to crack a network once you're inside and have admin authoritatives to even one machine on that network. Such access can be structured to grant admin access to many other machines on the same network, regardless of domains.

Right but my question is - how do any of these exploits, which can only be run after you already have local admin access locally, help you do that?

 

[W1zzard]

cts is claiming this is some hardwired fpga thing which is complete malarky

asic != fpga

 

[Vya Domus]

We don't feel comfortable talking about RYZENFALL at this time.

I bet , that's why they made a fancy website packed full of FUD.

so am I missing something?

Yeah , the green screen

 

[Aquinus]

I bet , that's why they made a fancy website packed full of FUD.

...and with a name like "Ryzenfall," I would expect them to start talking considering even the name seems deliberately chosen to spread FUD.

 

[eidairaman1]

Well time to move along. Until AMD responds to any of this I'm nit holding my breath

 

[DeathtoGnomes]

https://motherboard.vice.com/en_us/article/bj5wy4/amd-flaws-viceroy-short-selling-stock-market


interesting.

Viceroy’s take that AMD is doomed is just “propaganda manufactured to hurt confidence in AMD,” Sanabria told me.

this whole CTS thing is a lot of work just to manipulate AMD's stock.

 

[OneMoar]

asic != fpga

fixed
sorry I was laughing so hard I got there fud mixed up
my point stands if its a hardwired backdoor then what exactly is it and how do you access it
because as far as I know its not possible to implement a backdoor in hardware without some software component to expose it so You can access it

you can create some functionality and some registers that say if you write X to Y address or set Z register then allow XY action

you still can patch that at the bios level or even at the os level via blocking those addresses /register access

and even if you could I can't see you doing anything with that that you couldn't already do with administrative access and other exploits

unless you are probing the chip with a paperclip and sewing needle ....

since its seemly the theme of the week I am gonna take a complete flying guess here and say whatever this supposed 'hardware exploit' is its probably some kind of service or programing flag/interface for the oem modern chipsets have TONS of undocumented registers and such that the OEM uses todo various things in the chipsets manufacturing/programing process. hell

some arm chips have a 'magic' set of registers that if you set grants unrestricted access to all of the SOC's memory, or force it to boot in a different mode for service

 

[cadaveca]

The unpatchable ASIC-level backdoors are in the chipset gents, not the PSP.

I know. However, there is a flaw in the Intel ME, and all they can really do is disable it... but just how secure is that disabling, and can you re-enable it? This is part of the problem with "bugs" such as this. An attacker with local access to the machine can do a tonne of damage, of course, and if you want true security, that should not be possible. You know this particular ME issue revolves around using default passwords such as just "admin" for this access? Not many people even know about Intel's AMT.

since its seemly the theme of the week I am gonna take a complete flying guess here and say whatever this supposed 'hardware exploit' is its probably some kind of service or programing flag/interface for the oem modern chipsets have TONS of undocumented registers and such that the OEM uses todo various things in the chipsets manufacturing/programing process. hell

some arm chips have a 'magic' set of registers that if you set grants unrestricted access to all of the SOC's memory, or force it to boot in a different mode for service

This is basically exactly what is the case with these back doors. The reason I mentioned Intel's ME is because Intel patched it recently because of this functionality, and AMD patched their PSP recently as well (like in 2018). However, because these are SOFTWARE patches, as you say, and these software patches are supposed to limit the hardware's abilities in order to secure the system, that software can be compromised again. These are hardware features purposely built into these chips that have made our PCs vulnerable. The whole idea that you need to give an OEM 30 or 90 days before public disclosure when finding such a big, to me, is ludicrous. Why, so they can bury the issue? Doesn't matter whether it's Intel, AMD, or whoever in whatever industry...

People's reaction to most of this has been the most amazing thing to me. I'm just gonna take a step back here and turn around, and walk away. Enjoy your conversation, folks.

 

[evernessince]

"CTS: AMD only sent us a confirmation that they received the materials. We are curious what's taking them so long. It only took CrowdStrike one day to have a good understanding of the vulnerabilities. It took two days for Microsoft Security to be completely on top of it, and Trail of Bits validated our research in its entirety within five days. "

Wow, professional.

What a bunch of asshats. Who would want to work with these guys, who you are supposed to hire to discover vulnerabilities, when they spend more time bashing than actually laying technical details. How exactly is it odd given the time that's passed? It hasn't even been a week. Intel had 6 months and that still wasn't enough.

What I am confused about is the response to:

TPU: How do you respond to people saying that once an attacker has administrative access, you are f'd anyway? How are the attacks you uncovered more severe?
CTS: This is misleading and incorrect. Attackers think of machines not as individual nodes but as part of a network. Gaining local administrative access on a compromised computer inside an organization is easy for attackers. The challenge is moving laterally from there to other machines, and maintaining access for the future. That is exactly what these vulnerabilities provide.

How do these vulnerabilities allow 'moving laterally from there to other machines', if the you don't have access Admin access to the other machines on the network? Once you have admin access to a machine you can install a whole host of malware that will maintain access... but wouldn't these specific vulnerabilities still be useless for moving across the network?

I'm a local admin on my machine, it would be very, very difficult for me to install a driver or flash a bios across the network on a machine where my local admin account doesn't exist.... and once you have domain admin you have access to the whole network... so am I missing something?

Technically speaking, once you have admin access you should be able to move latterally in a newtwork depending on the computer's permissions. That really has nothing to do with the vulnerabilities discuessed here specificially, it's not like they have anything to do with accessing other computers on the network.

 

[bug]

"CTS: AMD only sent us a confirmation that they received the materials. We are curious what's taking them so long. It only took CrowdStrike one day to have a good understanding of the vulnerabilities. It took two days for Microsoft Security to be completely on top of it, and Trail of Bits validated our research in its entirety within five days. "

Wow, professional.

What a bunch of asshats. Who would want to work with these guys, who you are supposed to hire to discover vulnerabilities, when they spend more time bashing than actually laying technical details. How exactly is it odd given the time that's passed? It hasn't even been a week. Intel had 6 months and that still wasn't enough.

They made it pretty clear that because of the short notice, they will not release any technical details to the public. They've released proof of concept attacks to all other parties though.

 

[Shamalamadingdong]

The part you quoted (and I responded to) referencing the ASIC only pertains to the chipset, so I am unsure why you are bringing the PSP into this at all. The chipset is the only area in which hardcoded backdoors apply. The PSP exploits are different. The PSP can be patched and they admitted that if you read.

People need to stop blindly thanking people who clearly don't even understand what's going on here.

My bad. I must have misread because they called it the Ryzen chipset. There are multiple of those so I may have read it as Ryzen chip instead.

In any case, the ASMedia vulnerability is a desktop wide problem if the backdoors pertain to USB controllers. All Ryzen desktop motherboards are affected and probably somewhere between a quarter and half of Intel-based boards have ASMedia controllers. I know mine has.
Either way it really speaks volumes about the dangers of outsourcing a major component in your ecosystem. It would probably be a good idea to bring it back in-house or find a more reliable vendor.

 

[1d10t]

Been in a deep slumber,and awaken for this.I ain't no expert,but as VM operator i'm gonna check if this "bug" really a bug.Gonna be a long way trace back this news