• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

CTS-Labs Responds to a TechPowerUp Technical Questionnaire

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
27,700 (3.70/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
Yesterday, we had a very productive phone call with CTS-Labs, the firm behind the "AMD Flaws" critical security vulnerabilities exposé of the "Zen" microarchitecture. Our questions focus on the practicality of exploiting these vulnerabilities, and should provide more insight to the skepticism centered on needing admin privileges, flashing BIOS ROMs, and other localized hacks that would render any machine, not just "Zen" powered, vulnerable. Feel free to follow up with questions in the comments section, if we can help explain something.





TechPowerUp (TPU): Regarding Masterkey. Could you elaborate on the attack vector for this? AMD makes the claim that the on-chip ROM in Secure Processor fully validates the firmware read from NAND. You mention metadata parsing, which I assume is stored in the NAND, so when this is modified in a certain way the hash check gets bypassed? With Secure Processor validation broken, the UEFI signature checks for the main BIOS can be bypassed, too? Or is it additionally required to modify the main BIOS, too, for that to work?
CTS-Labs (CTS): First a small clarification: the BIOS and PSP firmwares, as well as certain non-volatile storage data are typically stored on a single SPI flash chip on the motherboard. When you install a BIOS update, both UEFI and PSP firmwares get replaced. MASTERKEY-1 through MASTERKEY-3 allow three distinct ways of installing malware on the PSP in spite of digital signature verification. The way this process works is: The PSP immutable ROM runs first, and then validates the beginning of the mutable PSP firmware inside the SPI flash. The PSP firmware then loads its other built-in modules, such as fTPM or SEV. This is when MASTERKEY kicks in to allow execution of unsigned code on the PSP's ARM processor. This can happen even before the PSP releases the main CPU from its initial halted state. Secure Boot is defeated from that point on (both UEFI Secure Boot and PSP Secure Boot).

Re-flashing the BIOS, a prerequisite for MASTERKEY, often does not require physical access to the device. We've tested this on motherboards by Tyan, ASUS, MSI, Gigabyte, Biostar, and others. It works by running an EXE.

TPU: Did you use an official flashing software, or create your own method that replicates the commands used by this software?
CTS: We used a modified version of the original BIOS update software. That allowed us to bypass some protections that exist in the original version.

TPU: You mention a few motherboard companies above, do you feel this means that all motherboards are affected, or are some more secure than others?
CTS: On motherboards where flashing is not possible because the BIOS image is encapsulated and signed by an additional layer of OEM-specific digital signature, we think it may still be possible to install a malicious BIOS that exploits MASTERKEY by either: (a) Using RYZENFALL or FALLOUT to achieve code execution on SMM, and disable signature verification that is implemented in SMM, or (b) Use RYZENFALL-4 to achieve code execution on the PSP and then use the PSP to write to the SPI flash. Both of these methods are theories we've been running in our lab. They may work, but we haven't tested them. Results may vary from hardware to hardware.

Previous work on this subject: https://www.mitre.org/sites/default/files/publications/defeating-signed-bios-enforcement.pdf, https://embedi.com/blog/bypassing-intel-boot-guard/

TPU: Do you think it's feasible for users to solder a pull-down wire onto the WP# [write-protect] pin of the BIOS chip? To permanently, physically, engage its write protection.
CTS: Off the top of my head (and of course I haven't tested this) - Turning on Write-Protect for the whole chip would not work, because that would break Non-volatile Storage features that are needed by both UEFI and the PSP.

TPU: Can you elaborate on how the Ryzenfall attack works? Is the Secure Processor exposed as device on the PCI bus? and attacked directly? Or does the attack leverage issues in the CPU's memory controller?
CTS: We don't feel comfortable talking about RYZENFALL at this time.

TPU: To execute the Chimera attack (and others) you mention "vendor supplied driver". Shouldn't any signed kernel mode driver be sufficient as long as it implements IO space access (for PCI config space on CF8) and some method of writing to physical memory, either directly or through memory mapping a specified range to user space?
CTS: You are exactly right. Any signed driver that provides access to IO spaces is sufficient to interact with the backdoors. There is a vendor-supplied driver that does this.

TPU: Are those vendor supplied drivers publicly available for download?
CTS: Yes.

TPU: As far as we know, the BIOS chip is connected to the CPU socket and not to the chipset. This means that Chimera is not able to write to the flash directly and has to write code to system RAM first, which then gets executed, and performs the write into NAND?
CTS: To the best of my knowledge, all Zen architecture chips have an integrated southbridge, but the Promontory chipset is nonetheless used on most (all?) Ryzen and Ryzen Pro workstations. Promontory provides additional USB, SATA, and PCI-E ports to AMD systems. On one laptop that we've tested (ASUS GL702ZC), the USB ports on one side of the machine are routed to the chipset, while others are routed to the CPU. The USB ports connected to the CPU don't support 10 Gb USB 3.1.

The backdoors in AMD Promontory let attackers inject malware into the chip on runtime. We did not attempt to achieve persistency on Promontory. Promontory's firmware is stored inside the BIOS image, and is written into the chipset's 8051 processor by a UEFI module every time the computer boots. If that UEFI module happens to be missing, Promontory will boot from its built-in ROM firmware. So, to clarify, attackers can freely patch the 8051 code memory on runtime.

TPU: Does that mean that users could protect themselves against Chimera-based keyloggers by not using certain USB ports on their system?
CTS: For keyloggers that record USB traffic from within the chipset, I believe so.

TPU: Your whitepaper describes that the ASMedia chip has backdoors both in software and hardware. Could you elaborate on the hardware part, is it patchable somehow?
CTS: The Ryzen chipset is an ASIC chip. What this means is that after fabrication, the chip's structure of logic gates can no longer be changed [unlike on an FPGA]. We have found what we believe to be manufacturer backdoors implemented on the ASIC level. If our understanding is correct, removing these backdoors is impossible. It may still be possible to find a workaround, for example by blocking access to certain IO regions at the hypervisor level.

Other backdoors with similar functionality exist in the chipset firmware as well. These can be removed by a firmware update.

TPU: Do you have any plans to release more details on these vulnerabilities to the public?
CTS: We have no such plans. We've delivered full details of the vulnerabilities to AMD, Microsoft, US-CERT, Dell, HP, Cisco, Symantec, FireEye, and CrowdStrike. Our package includes full technical write-ups, functional proof-of-concept exploits and procedures on how to run the exploits. We will wait for these companies to come out with patches and mitigations before releasing technical details to the public.

Once MASTERKEY is patched and the patches have had time to disseminate, we are thinking of partnering up with libreboot or coreboot to develop a way to shutdown the PSP. Doing this would completely eradicate the attack surface for vulnerabilities such as FALLOUT and RYZENFALL. AMD has recently offered a BIOS option to disable the PSP, but according to our testing that feature merely disables the fTPM... other functionalities remain open, and the Secure Processor remains vulnerable to RYZENFALL or FALLOUT. If there was a real option to halt the PSP's ARM processor, that would be a great security feature.

TPU: Do you think users of other CPU vendors, like Intel, are affected?
CTS: Only if they have a motherboard carrying an ASMedia USB host controller. These controllers are typically found on PC motherboards made by Taiwanese manufacturers. We've looked into quite a few computers made by HP, Dell, Lenovo, etc. and they were not affected.

TPU: A huge number of Intel motherboards uses ASMedia chips, too, mostly for additional USB 3 ports. Does that mean these are affected by vulnerabilities similar to Chimera? Does it make a difference that the chips on Intel motherboards are connected via PCIe? Which chips are we talking about?
CTS: All ASMedia USB host controllers sit on the PCI-E bus. I am talking about ASM1042, ASM1142 and ASM1143. Motherboards that have these chips have the CHIMERA backdoors as well.

TPU: Have you tested whether the Secure Processor in Vega GPUs is vulnerable?
CTS: We haven't looked into that.

TPU: How do you respond to people saying that once an attacker has administrative access, you are f'd anyway? How are the attacks you uncovered more severe?
CTS: This is misleading and incorrect. Attackers think of machines not as individual nodes but as part of a network. Gaining local administrative access on a compromised computer inside an organization is easy for attackers. The challenge is moving laterally from there to other machines, and maintaining access for the future. That is exactly what these vulnerabilities provide.

TPU: Are you in two-way communication with AMD? How are things moving forward, if you can reveal that?
CTS: AMD only sent us a confirmation that they received the materials. We are curious what's taking them so long. It only took CrowdStrike one day to have a good understanding of the vulnerabilities. It took two days for Microsoft Security to be completely on top of it, and Trail of Bits validated our research in its entirety within five days.

TPU: What's your recommendation to users and companies at this time? Should people be scared and disconnect their systems from the Internet?
CTS: I think that high-security organizations, such as banks, that happen to have deployments of vulnerable AMD equipment should certainly be concerned - because of the possibility of APT actors using the vulnerabilities to conduct lateral movement, and malware setting up camp inside the Secure Processor. It is up to each company to conduct its own risk analysis.

TPU: How do you respond to the chaos and cynicism that has erupted because of the manner in which you made your public disclosures?
CTS: We are a small group of security researchers. We have no past experience with making publications, and there is no question we messed this one up. We certainly learned some hard lessons here.

TPU: Thank you for responding to our questions, we'll stay in touch.
CTS: Absolutely. Thank you.

If you have any additional technical questions, or haven't understood something, let us know in the comments section, we will answer what we can by ourselves and forward select questions to CTS for better explanation.

View at TechPowerUp Main Site
 
Joined
Nov 30, 2015
Messages
712 (0.22/day)
Location
Croatia
Processor Ryzen 5 3600 PRO
Motherboard AsRock B450 Pro4
Cooling Thermalright Peerless Assassin 120
Memory Silicon Power XPower Zenith 2x8GB @3200 MHz
Video Card(s) Gigabyte RTX 2070 Super Gaming OC 8GB
Storage Crucial P5 Plus 1TB / Crucial MX 500 1TB
Display(s) Dell P2419H
Case Fractal Design Pop Air /w 3x Thermalright TL-C12C
Audio Device(s) Creative Sound Blaster Z + Edifier R1000T4
Power Supply Super Flower Leadex III 650W
Mouse Microsoft Intelimouse Pro
Keyboard IBM KB-8926
Software Windows 10 Pro 64-bit
Benchmark Scores Turns on on the first try! Usually.
This was nicely detailed and technical enough, for me at least, to understand. What I'm also surprised by is the Asmedia chip situation. So basically some of these vulnerabilities could possibly spill over to Intel (correct me if I'm wrong).

Thhe biggest question for me is will it be possible to effectively patch these vulnerabilities (not the ones connected to the Asmedia chip MBOs), and if there will be a trade off to the performance/usability?
 
Joined
Mar 18, 2008
Messages
5,717 (0.94/day)
System Name Virtual Reality / Bioinformatics
Processor Undead CPU
Motherboard Undead TUF X99
Cooling Noctua NH-D15
Memory GSkill 128GB DDR4-3000
Video Card(s) EVGA RTX 3090 FTW3 Ultra
Storage Samsung 960 Pro 1TB + 860 EVO 2TB + WD Black 5TB
Display(s) 32'' 4K Dell
Case Fractal Design R5
Audio Device(s) BOSE 2.0
Power Supply Seasonic 850watt
Mouse Logitech Master MX
Keyboard Corsair K70 Cherry MX Blue
VR HMD HTC Vive + Oculus Quest 2
Software Windows 10 P
Acknowledged all AsMedia based USB chipsets are vulnerable, yet still targeting just one specific company. If there is any concern it should be Intel MoBo which has way higher market share and they got 0 mention. Fishy AF.

CTS can spin this whatever they want. At least this end user is not buying into their BS.

Security experts, including Linus, weighs in on the situation after thr anandtech phone call.

https://www.realworldtech.com/forum/?threadid=175139&curpostid=175169


Lets see what they say after TPU phone call
 
Last edited:
Joined
Dec 6, 2016
Messages
748 (0.26/day)
We have no past experience with making publications, and there is no question we messed this one up. We certainly learned some hard lessons here.

LOL, unbelievable. Meltdown and Spectre were an great example how to properly disclose a HW vulnerability, but I guess they somehow missed it. I guess the news didn't give those vulnerabilities enough coverage ... Oh, wait ... :banghead:
 
Low quality post by Aldain
Low quality post by Kaotik
Joined
Dec 22, 2011
Messages
287 (0.06/day)
Processor Ryzen 7 5800X3D
Motherboard Asus Prime X570 Pro
Cooling Deepcool LS-720
Memory 32 GB (4x 8GB) DDR4-3600 CL16
Video Card(s) PowerColor Radeon RX 7900 XTX Red Devil
Storage Samsung PM9A1 (980 Pro OEM) + 960 Evo NVMe SSD + 830 SATA SSD + Toshiba & WD HDD's
Display(s) Samsung C32HG70
Case Lian Li O11D Evo
Audio Device(s) Sound Blaster Zx
Power Supply Seasonic 750W Focus+ Platinum
Mouse Logitech G703 Lightspeed
Keyboard SteelSeries Apex Pro
Software Windows 11 Pro
"We're 16 year veterans in information security but we don't have experience on stuff like this" - yeah, that sounds about right :rolleyes:
 
Joined
Dec 31, 2009
Messages
19,371 (3.57/day)
Benchmark Scores Faster than yours... I'd bet on it. :)
Acknowledged all AsMedia based USB chipsets are vulnerable, yet still targeting just one specific company. If there is any concern it should be Intel MoBo which has way higher market share and they got 0 mention. Fishy AF.
Is it "all" though???
I am talking about ASM1042, ASM1142 and ASM1143. Motherboards that have these chips have the CHIMERA backdoors as well.
There are many ASMedia USB controllers out there. Without looking at reviews, I know most USB 3.1 G2 are ASM3142 or 2142 chips. Those listed at 3.1 G1 and I believe two generations old?
 
Joined
Jun 23, 2016
Messages
74 (0.02/day)
CTS: The Ryzen chipset is an ASIC chip. What this means is that after fabrication, the chip's structure of logic gates can no longer be changed [unlike on an FPGA]. We have found what we believe to be manufacturer backdoors implemented on the ASIC level. If our understanding is correct, removing these backdoors is impossible

So they don't know how processors have been patched previously? The recent industry-wide Spectre patches escaped their notice?
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,865 (2.89/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K @ 4GHz
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s) MSI RTX 2080 SUPER Gaming X Trio
Storage Samsung 850 Pro 256GB | WD Black 4TB | WD Blue 6TB
Display(s) ASUS ROG Strix XG27UQR (4K, 144Hz, G-SYNC compatible) | Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair AX1600i
Mouse Microsoft Intellimouse Pro - Black Shadow
Keyboard Yes
Software Windows 10 Pro 64-bit
Ok, I haven't had a chance to properly read this yet, but the takeaway seems to be that regular users like us don't need to be concerned and that AMD is taking an unusually long time to get on top of this. I can only imagine that they're looking at the problem from a deeper perspective than the likes of Microsoft, since they designed the CPU.
 
Joined
Aug 20, 2007
Messages
21,407 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
So they don't know how processors have been patched previously? The recent industry-wide Spectre patches escaped their notice?

Processors have microcode. Chipsets don't. And hardcoded backdoors are very different from spectre.
 
Joined
Nov 13, 2007
Messages
10,679 (1.72/day)
Location
Austin Texas
System Name Planet Espresso
Processor 13700KF @ 5.5GHZ 1.285v - 235W cap
Motherboard MSI 690-I PRO
Cooling Thermalright Phantom Spirit EVO
Memory 48 GB DDR5 7600 MHZ CL36
Video Card(s) RTX 4090 FE
Storage 2TB WD SN850, 4TB WD SN850X
Display(s) Alienware 32" 4k 240hz OLED
Case Jonsbo Z20
Audio Device(s) Yes
Power Supply Corsair SF750
Mouse Xlite V2
Keyboard 65% HE Keyboard
Software Windows 11
Benchmark Scores They're pretty good, nothing crazy.
What I am confused about is the response to:

TPU: How do you respond to people saying that once an attacker has administrative access, you are f'd anyway? How are the attacks you uncovered more severe?
CTS: This is misleading and incorrect. Attackers think of machines not as individual nodes but as part of a network. Gaining local administrative access on a compromised computer inside an organization is easy for attackers. The challenge is moving laterally from there to other machines, and maintaining access for the future. That is exactly what these vulnerabilities provide.

How do these vulnerabilities allow 'moving laterally from there to other machines', if the you don't have access Admin access to the other machines on the network? Once you have admin access to a machine you can install a whole host of malware that will maintain access... but wouldn't these specific vulnerabilities still be useless for moving across the network?

I'm a local admin on my machine, it would be very, very difficult for me to install a driver or flash a bios across the network on a machine where my local admin account doesn't exist.... and once you have domain admin you have access to the whole network... so am I missing something?
 
Last edited:
Joined
Oct 28, 2012
Messages
1,185 (0.27/day)
Processor AMD Ryzen 3700x
Motherboard asus ROG Strix B-350I Gaming
Cooling Deepcool LS520 SE
Memory crucial ballistix 32Gb DDR4
Video Card(s) RTX 3070 FE
Storage WD sn550 1To/WD ssd sata 1To /WD black sn750 1To/Seagate 2To/WD book 4 To back-up
Display(s) LG GL850
Case Dan A4 H2O
Audio Device(s) sennheiser HD58X
Power Supply Corsair SF600
Mouse MX master 3
Keyboard Master Key Mx
Software win 11 pro
https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/
There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers (see https://www.usenix.org/system/files/1401_08-12_mickens.pdf, Figure 1)

These types of vulnerabilities should not surprise any security researchers; similar flaws have been found in other embedded systems that have attempted to implement security features. They are the result of simple programming flaws, unclear security boundaries, and insufficient security testing. In contrast, the recent Meltdown and Spectre flaws required previously unknown techniques and novel research advances to discover and exploit.

If those guys would have just done like any other cybersecurity company and try to work closely with AMD, the situation would have been better.
But no, they had to play "herald of justice" and bring chaos all over the place.
Those guys apparently worked in the equivalent of the NSA in Israel, but they really didn't see just how many things were wrong with the way they did it ?
 
Low quality post by R0H1T
Joined
Apr 12, 2013
Messages
7,477 (1.77/day)
We are a small group of security researchers. We have no past experience with making publications, and there is no question we messed this one up. We certainly learned some hard lessons here.
This doesn't sound genuine at all, they just wanted their 2 minutes of fame &/or a shorting opportunity :rolleyes:
 
Joined
Jun 14, 2010
Messages
632 (0.12/day)
Location
City 217
Processor AMD Phenom II X4 925
Motherboard Asus M4A78LT-M
Cooling Ice Hammer IH-4***
Memory 2x4GB DDR3 Corsair
Video Card(s) Asus HD7870 2GB
Storage 500GB SATAII Samsung | 500GB SATAII Seagate
Display(s) 23" LG 23EA63V-P
Case Thermaltake V3 Black Edition
Audio Device(s) VIA VT1708S
Power Supply Corsair TX650W
Software Windows 10 x64
regular users like us don't need to be concerned and that AMD is taking an unusually long time to get on top of this
Regular users should pay attention so that the next "CTS-Labs" wouldn't be able to bait people into end of the world stock sale. And why the cheap stab at AMD? Intel had 9 months to fix their shit and did nothing until it became public knowledge, as is indicated by the poor initial implementation of patches, yet you and "16 years of experience" with no experience expect the fixes yesterday?
 
Joined
Apr 12, 2013
Messages
7,477 (1.77/day)
What I am confused about is the response to:

TPU: How do you respond to people saying that once an attacker has administrative access, you are f'd anyway? How are the attacks you uncovered more severe?
CTS: This is misleading and incorrect. Attackers think of machines not as individual nodes but as part of a network. Gaining local administrative access on a compromised computer inside an organization is easy for attackers. The challenge is moving laterally from there to other machines, and maintaining access for the future. That is exactly what these vulnerabilities provide.

How do these vulnerabilities allow 'moving laterally from there to other machines', if the you don't have access Admin access to the other machines on the network? Once you have admin access to a machine you can install a whole host of malware that will maintain access... but wouldn't these specific vulnerabilities still be useless for moving across the network?

I'm a local admin on my machine, it would be very, very difficult for me to install a driver or flash a bios across the network on a machine where my local admin account doesn't exist.... and once you have domain admin you have access to the whole network... so am I missing something? How would these help in breaking into a network
Yes, somehow they're making it sound like compromising a workstation (desktop) is the same as getting unrestricted access to one's (main) servers. Unless of course the local network allows root access from any & every system on it, in which case you're o_O
 
Low quality post by thesmokingman
Joined
Dec 29, 2010
Messages
3,790 (0.75/day)
Processor AMD 5900x
Motherboard Asus x570 Strix-E
Cooling Hardware Labs
Memory G.Skill 4000c17 2x16gb
Video Card(s) RTX 3090
Storage Sabrent
Display(s) Samsung G9
Case Phanteks 719
Audio Device(s) Fiio K5 Pro
Power Supply EVGA 1000 P2
Mouse Logitech G600
Keyboard Corsair K95
Why you no ask them how much they are getting paid and whom do they work for? Why you no ask them how they get password to run their special bios flasher? W/o admin how do they run their exploits?
 
Joined
Nov 13, 2007
Messages
10,679 (1.72/day)
Location
Austin Texas
System Name Planet Espresso
Processor 13700KF @ 5.5GHZ 1.285v - 235W cap
Motherboard MSI 690-I PRO
Cooling Thermalright Phantom Spirit EVO
Memory 48 GB DDR5 7600 MHZ CL36
Video Card(s) RTX 4090 FE
Storage 2TB WD SN850, 4TB WD SN850X
Display(s) Alienware 32" 4k 240hz OLED
Case Jonsbo Z20
Audio Device(s) Yes
Power Supply Corsair SF750
Mouse Xlite V2
Keyboard 65% HE Keyboard
Software Windows 11
Benchmark Scores They're pretty good, nothing crazy.
Yes, somehow they're making it sound like compromising a workstation (desktop) is the same as getting unrestricted access to one's servers. Unless of course the local network allows root access from any & every system on it, in which case you're o_O

They worded it carefully, but what they're essentially saying is "it will help an attacker maintain access" the part before it about the network looks like fluff.

The most dangerous exploits are the ones that GIVE privileges (a la spectre/meltdown) , once you have privileges I can download a few dozen tools just by googling to maintain access and try to move.
 
Low quality post by oxidized
Joined
Feb 17, 2017
Messages
854 (0.30/day)
Location
Italy
Processor i7 2600K
Motherboard Asus P8Z68-V PRO/Gen 3
Cooling ZeroTherm FZ120
Memory G.Skill Ripjaws 4x4GB DDR3
Video Card(s) MSI GTX 1060 6G Gaming X
Storage Samsung 830 Pro 256GB + WD Caviar Blue 1TB
Display(s) Samsung PX2370 + Acer AL1717
Case Antec 1200 v1
Audio Device(s) aune x1s
Power Supply Enermax Modu87+ 800W
Mouse Logitech G403
Keyboard Qpad MK80
Why you no ask them how much they are getting paid and whom do they work for? Why you no ask them how they get password to run their special bios flasher? W/o admin how do they run their exploits?

I can answer that! Intel and nvidia are paying them a sh*tload of money.
/s
 
Joined
Apr 12, 2013
Messages
7,477 (1.77/day)
They worded it carefully, but what they're essentially saying is "it will help an attacker maintain access" the part before it about the network looks like fluff.

The most dangerous exploits are the ones that GIVE privileges (a la spectre/meltdown) , once you have privileges I can download a few dozen tools just by googling to maintain access and try to move.
I'd agree with the sentiment but spectre & meltdown don't need privileged access AFAIK, that's why they're the worst thing to happen to the computing landscape in over 2 decades.
 

the54thvoid

Super Intoxicated Moderator
Staff member
Joined
Dec 14, 2009
Messages
12,992 (2.39/day)
Location
Glasgow - home of formal profanity
Processor Ryzen 7800X3D
Motherboard MSI MAG Mortar B650 (wifi)
Cooling be quiet! Dark Rock Pro 4
Memory 32GB Kingston Fury
Video Card(s) Gainward RTX4070ti
Storage Seagate FireCuda 530 M.2 1TB / Samsumg 960 Pro M.2 512Gb
Display(s) LG 32" 165Hz 1440p GSYNC
Case Asus Prime AP201
Audio Device(s) On Board
Power Supply be quiet! Pure POwer M12 850w Gold (ATX3.0)
Software W10
Can you ask about the clearly stated 'interest' in the financial side of things and the almost instant review of their work by Vicereroy (and it's scathing financial review of AMD)? The piece by Gamers Nexus clearly established a link to investment funds and it is this which woried people the most about the vericity of the CTS-Labs report. Can you ask if they can explain how Viceroy created such a rapid response (https://viceroyresearch.files.wordpress.com/2018/03/amd-the-obituary-13-mar-2018.pdf) to the piece and why the piece they wrote was so heavily invested in non-technical 'fear mongering' language.

The concern to me and many like me is the association this report has with possible stock manipulation. For Viceroy Research to produce a near instant 25 page PDF report on the CTS-Lab report is worrying when Viceroy remain an anonymous group and specialise in short selling.

As potentially harmful (with a heck of a lot of work) these exploits are (that require pre-installation of malware to work), it is the work behind the scenes that worries me and others regarding how the private investment world is seemingly seeking to manipulate stock value.
 
Joined
Dec 31, 2009
Messages
19,371 (3.57/day)
Benchmark Scores Faster than yours... I'd bet on it. :)
Ok, I haven't had a chance to properly read this yet, but the takeaway seems to be that regular users like us don't need to be concerned and that AMD is taking an unusually long time to get on top of this. I can only imagine that they're looking at the problem from a deeper perspective than the likes of Microsoft, since they designed the CPU.
Or, as was already mentioned in some articles (TPU included - I believe I posted it here as well in one of the threads), that 3rd party verification took ToB 4-5 days. If AMD was notified on Tuesday, this would be the 4th day. I wouldn't expect anything until Monday.


I gotta say though the delivery was quite possibly the worst ever, my focus is on the vulnerabilities...regardless if they are fairly innocuous to us as end users (cloud providers on the other hand...).
 

the54thvoid

Super Intoxicated Moderator
Staff member
Joined
Dec 14, 2009
Messages
12,992 (2.39/day)
Location
Glasgow - home of formal profanity
Processor Ryzen 7800X3D
Motherboard MSI MAG Mortar B650 (wifi)
Cooling be quiet! Dark Rock Pro 4
Memory 32GB Kingston Fury
Video Card(s) Gainward RTX4070ti
Storage Seagate FireCuda 530 M.2 1TB / Samsumg 960 Pro M.2 512Gb
Display(s) LG 32" 165Hz 1440p GSYNC
Case Asus Prime AP201
Audio Device(s) On Board
Power Supply be quiet! Pure POwer M12 850w Gold (ATX3.0)
Software W10
As a pretty damning follow up to this story concerning the ASMedia issues:

https://www.extremetech.com/computi...ith-amd-security-disclosures-digs-deeper-hole

By its own statements, CTS Labs tested and developed a proof of concept exploit for Asmedia controllers before it was aware these controllers were incorporated into Ryzen chipsets. Where, then, is the website AsmediaFlaws.com? Where’s the notification to tell Intel motherboard customers that the chips on their motherboards can be similarly backdoored and abused? This isn’t a theoretical; I’m writing this article from an Ivy Bridge-E system powered by an Asus X79-Deluxe motherboard with an Asmedia 1042 controller. In its white paper, CTS Labs describes the offending Asmedia controllers as follows:

In our assessment, these controllers, which are commonly found on motherboards made by Taiwanese OEMs, have sub-standard security and no mitigations against exploitation. They are plagued with security vulnerabilities in both firmware and hardware, allowing attackers to run arbitrary code inside the chip, or to reflash the chip with persistent malware.

This flaw absolutely affects Intel as well as AMD. It actually (as Extremetech points out) should have had its own website, ASMediaflaws.com
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,865 (2.89/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K @ 4GHz
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s) MSI RTX 2080 SUPER Gaming X Trio
Storage Samsung 850 Pro 256GB | WD Black 4TB | WD Blue 6TB
Display(s) ASUS ROG Strix XG27UQR (4K, 144Hz, G-SYNC compatible) | Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair AX1600i
Mouse Microsoft Intellimouse Pro - Black Shadow
Keyboard Yes
Software Windows 10 Pro 64-bit
Or, as was already mentioned in some articles (TPU included - I believe I posted it here as well in one of the threads), that 3rd party verification took ToB 4-5 days. If AMD was notified on Tuesday, this would be the 4th day. I wouldn't expect anything until Monday.


I gotta say though the delivery was quite possibly the worst ever, my focus is on the vulnerabilities...regardless if they are fairly innocuous to us as end users (cloud providers on the other hand...).
Yeah, I'd give it at least a week for AMD to give a proper response. Seems reasonable to me.
 
Joined
Oct 28, 2012
Messages
1,185 (0.27/day)
Processor AMD Ryzen 3700x
Motherboard asus ROG Strix B-350I Gaming
Cooling Deepcool LS520 SE
Memory crucial ballistix 32Gb DDR4
Video Card(s) RTX 3070 FE
Storage WD sn550 1To/WD ssd sata 1To /WD black sn750 1To/Seagate 2To/WD book 4 To back-up
Display(s) LG GL850
Case Dan A4 H2O
Audio Device(s) sennheiser HD58X
Power Supply Corsair SF600
Mouse MX master 3
Keyboard Master Key Mx
Software win 11 pro
Can you ask about the clearly stated 'interest' in the financial side of things and the almost instant review of their work by Vicereroy (and it's scathing financial review of AMD)? The piece by Gamers Nexus clearly established a link to investment funds and it is this which woried people the most about the vericity of the CTS-Labs report. Can you ask if they can explain how Viceroy created such a rapid response (https://viceroyresearch.files.wordpress.com/2018/03/amd-the-obituary-13-mar-2018.pdf) to the piece and why the piece they wrote was so heavily invested in non-technical 'fear mongering' language.

The concern to me and many like me is the association this report has with possible stock manipulation. For Viceroy Research to produce a near instant 25 page PDF report on the CTS-Lab report is worrying when Viceroy remain an anonymous group and specialise in short selling.

As potentially harmful (with a heck of a lot of work) these exploits are (that require pre-installation of malware to work), it is the work behind the scenes that worries me and others regarding how the private investment world is seemingly seeking to manipulate stock value.
Anandtech tried to question them about that, they didn't really got an answer :
"
IC: Did you pre-brief the press before you spoke to AMD?


ILO: What do you mean by pre-brief the press?


IC: We noticed that when the information went live, some press were ready to go with relevant stories and must have had the information in advance.


ILO: Before our announcement you mean?


IC: Correct.


ILO: I would have to check the timing on that and get back to you, I do not know off the top of my head.

"
 
Joined
Oct 2, 2004
Messages
13,791 (1.88/day)
The "we had no past experience" is such BS when it comes to questioning how they released the info and gave vendor next to no time. You don't just drop into the security scene without knowing at least basics how it works. I'm no vulnerability specialist and even I bloody know how it works. Saying they didn't know is just distilled horsepiss.
 
Top