
CTS-Labs Releases Masterkey Exploit Proof-of-Concept Video

Joined
Nov 13, 2007
So, Windows Server on baremetal with admin access and s*itty security and intimate knowledge of hardware to be targeted.

Yes, this will affect almost a marginal percent of Epyc installations.
Right?
Isn't it much easier and more reliable to install a rootkit to the MBR?

I'm still not convinced any hacker would consider this worth the effort...
 
Deleted member 67555

I think CTS Labs and its employees should be blacklisted from any future endeavours.
 
Joined
Feb 14, 2012
Any privileged program (even from within Windows), can flash your system BIOS

On topic, I've long wondered why motherboards don't have a jumper to enable/disable firmware write. [Other than $$$ for a single jumper.]
 
Joined
Mar 7, 2011
I cannot paraphrase the excellent Anandtech article but I would recommend you read it.

It involves a detailed phone conversation transcript and Anandtech's critique of the knowledge gleaned. It does not deny the exploit but it clearly finds CTS to be 'financially motivated'.

https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs
It's not just Anandtech; yesterday Gamersnexus also posted a video about CTS avoiding/diverting answering questions (the video was deleted from my comment by a moderator). This whole ordeal is becoming more and more fishy as time passes by.
 
Joined
Jun 10, 2014
Requiring local access to run the BIOS exploit makes it a local exploit. Most operating systems can control everything remotely.
If I log in to a server with pre-known credentials and shred its files, the shredding itself is not a remote exploit.
However, if I am able to do remote unauthenticated actions on a system, that's a remote exploit.

Being able to bypass BIOS signatures by itself is a local exploit which many would categorize as a secondary exploit. If confirmed, it's certainly serious, but nowhere near damning for AMD. But combine this with one or two other exploits, and you can execute an attack on a system.

Judging by the video, either the verification of BIOS signatures has to be defective, or the attacker is in possession of the signing key (assuming the video is genuine).
Proper BIOS verification would require correctly implemented public/private key cryptography.
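An added example (written for this page; not code from CTS-Labs, AMD, or any poster) of the distinction this post draws: a flasher that only recomputes an embedded SHA-256 accepts a replaced image body, while one that verifies a public-key signature rejects anything not signed with the vendor's private key. The image layout, the 512-bit toy key and the simplified PKCS#1 v1.5-style padding are constructed assumptions, not any vendor's real format.

```python
import hashlib
import secrets

# Constructed toy image layout (an assumption, not any vendor's real format):
#   body || SHA-256(body) || RSA signature over the padded digest
KEY_BITS = 512     # toy size so pure-Python keygen is quick; real keys are 2048+ bits
SIG_LEN, HASH_LEN = KEY_BITS // 8, 32

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test (adequate for a demo key)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:                       # odd candidate with the top bit set
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=KEY_BITS):
    """Return ((d, n), (e, n)): the vendor keeps d, the flasher ships with (e, n)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e is prime, so this is gcd(e, phi) == 1
            return (pow(e, -1, phi), p * q), (e, p * q)

def encode_digest(digest):
    """Simplified PKCS#1 v1.5 padding: 00 01 FF..FF 00 || digest (DigestInfo omitted)."""
    return int.from_bytes(b"\x00\x01" + b"\xff" * (SIG_LEN - HASH_LEN - 3) + b"\x00" + digest, "big")

def build_image(body, priv):
    """Vendor side: append the digest and a signature made with the private key d."""
    d, n = priv
    digest = hashlib.sha256(body).digest()
    return body + digest + pow(encode_digest(digest), d, n).to_bytes(SIG_LEN, "big")

def split_image(image):
    return image[:-(SIG_LEN + HASH_LEN)], image[-(SIG_LEN + HASH_LEN):-SIG_LEN], image[-SIG_LEN:]

def verify_hash_only(image):
    """DEFECTIVE flasher check: integrity only; anyone can recompute a hash."""
    body, digest, _ = split_image(image)
    return hashlib.sha256(body).digest() == digest

def verify_signed(image, pub):
    """Proper flasher check: the signature must open under e to the padded digest."""
    e, n = pub
    body, _, sig = split_image(image)
    s = int.from_bytes(sig, "big")
    return s < n and pow(s, e, n) == encode_digest(hashlib.sha256(body).digest())

def replace_body(image, new_body):
    """Without d one can only swap the body and recompute the hash, keeping the old signature."""
    return new_body + hashlib.sha256(new_body).digest() + split_image(image)[2]
```

The replaced image passes `verify_hash_only` but fails `verify_signed`, which is why a hash alone is not a signature check.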
 
Joined
Feb 19, 2009
So riddle me this:
This exploit can override Administrator/Supervisor passwords in the UEFI if set beforehand?
Usually, even from Windows, you need that in order to flash it. It seems that from the get-go there will be no password; however, I'm not finding this hurdle mentioned as a potential mitigation for the MASTERKEY exploit either.

We've implemented a password on our computers because our INTEL computers are also viable to this hack.
That prevention again is easy to get around if you have the hardware in front of you, but each security step just makes it less attractive; it never prevents it, as there will always be a security hole.
 
Joined
Feb 22, 2017
...and more importantly, survive reinstalls undetected.

That's the crux of it.

Yes, this is more an enterprise targeted scenario than an enduser one, but don't deny it is a problem. That makes you part of what? Certainly not the solution.

And? Can't Intel ME malware survive reinstalls? This should be as easily (or difficultly) fixed as Intel ME, and much harder to exploit. Yet this shady research seems to get more coverage than Intel ME.
 

bug

Joined
May 22, 2015
I cannot paraphrase the excellent Anandtech article but I would recommend you read it.

It involves a detailed phone conversation transcript and Anandtech's critique of the knowledge gleaned. It does not deny the exploit but it clearly finds CTS to be 'financially motivated'.

https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs
Not that argument again. Google pays hackers to find exploits in their browser. Does that make exploits less risky?
 
Joined
Feb 5, 2016
It doesn't appear anyone has profited from any short selling of any meaningful volume. AMD stock has been relatively unchanged over the last week at a lower than normal volume. It is definitely possible it was long term financially motivated. It reminds people AMD put recent products together on a shoestring budget and leaves people wondering if these vulnerabilities are real and how many vulnerabilities lie in wait. Also, "financially motivated" sometimes signals discrediting or minimizing and it shouldn't. Every step a company makes is financially motivated. If you held to that theory AMD marketing would be minimized since it is "financially motivated". I remind everyone 7 days later AMD has only acknowledged these vulnerabilities and hasn't discredited or explained how low risk they are. That is way too long for a professional company to manage PR.
Remind us how many months Intel had before Spectre and Meltdown became public? And even then they had no response for how many days? Plus they even released a whole new gen of CPUs knowing they were vulnerable to Spectre and Meltdown.
 
Joined
Aug 20, 2007
And? Can't Intel ME malware survive reinstalls? This should be as easily (or difficultly) fixed as Intel ME, and much harder to exploit. Yet this shady research seems to get more coverage than Intel ME.

Personally, I think the reason it's getting more coverage is the user response. Love it or hate it users have been enthusiastically replying. There is no technical reason either one is worse... yet anyways.
 

W1zzard

Joined
May 14, 2004
On topic, I've long wondered why motherboards don't have a jumper to enable/disable firmware write. [Other than $$$ for a single jumper.]
This is no longer viable since modern BIOSes, in particular UEFI, use the BIOS flash to store some data.
 
Joined
Sep 15, 2007
...and more importantly, survive reinstalls undetected.

That's the crux of it.

Yes, this is more an enterprise targeted scenario than an enduser one, but don't deny it is a problem. That makes you part of what? Certainly not the solution.

You can definitely do this on Intel, too... it's a hit piece they won't give up.

Anyone defending this crap makes them a shill, whether they have the brains to know it or not.
 
Joined
Apr 16, 2010
On topic, I've long wondered why motherboards don't have a jumper to enable/disable firmware write. [Other than $$$ for a single jumper.]
Well, UEFI needs to have a write state for Secure Boot stuff (and some other stuff). You do have software "locks" in the form of options to prevent flashing.
We've implemented a password on our computers because our INTEL computers are also viable to this hack.
that prevention again is easy to get around if you have the hardware in front of you, but each security step is just making it less attractive but it never prevents as there will always be a security hole.
Right, but considering this one, the hole seems to be only there if the hardware isn't secured with a password to begin with.
 
Joined
May 6, 2012
https://community.amd.com/community...amd-technical-assessment-of-cts-labs-research

https://www.anandtech.com/show/12556/amd-confirms-exploits-patched-in-weeks
The salient high-level takeaway from AMD is this:

  1. All the issues can be confirmed on related AMD hardware, but require Admin Access at the metal
  2. All the issues are set to be fixed within weeks, not months, through firmware patches and BIOS updates
  3. No performance impact expected
  4. None of these issues are Zen-specific, but relate to the PSP and ASMedia chipsets.
  5. These are not related to the GPZ exploits earlier this year.

Can we now, please, have big banners with FUD written on them?
 
Joined
Apr 18, 2015
So what did they prove, that you can load a BIOS remotely with Admin?

You can do this on any PC and consequences can be just as bad as updating a firmware for the security processor.

https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/

Quote from the above:
"There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers (see https://www.usenix.org/system/files/1401_08-12_mickens.pdf, Figure 1) "
 
Joined
Aug 20, 2007
Can we now, please, have big banners with FUD written on them ?

Did we do that with the Intel ME issues?

No? Then no, sorry.

So what did they prove, that you can load a BIOS remotely with Admin?

You can do this on any PC.

You aren't supposed to be able to replace ME and PSP bios areas. They are signed.

Seriously, quit fanboying out of the woodwork to defend AMD and call anything against it "FUD." This is rather sickening and I LIKE AMD.
 
Joined
May 6, 2012
I meant that figuratively.

An update to article.

The FUD was FUD all along.
 

bug

Joined
May 22, 2015
You can definitely do this on Intel, too....it's a hit piece they won't give up.

Anyone defending this crap makes them a shill, whether they have the brains to know it or not.
Fair enough.
What do we call those that dismiss this before other experts weigh in*? Clairvoyants maybe?

*A handful of them have and declared the vulnerabilities real.
 
Joined
Sep 15, 2007
Fair enough.
What do we call those that dismiss this before other experts weigh in*? Clairvoyants maybe?

*A handful of them have and declared the vulnerabilities real.

It can be dismissed, b/c it's NOT a serious threat. This should have been reported to AMD and ASMedia as per normal procedure and let them fix it. Instead, it was made into an opinion piece attacking AMD for market manipulation by idiots funded by an unknown source.
 

bug

Joined
May 22, 2015
It can be dismissed, b/c it's NOT a serious threat. This should have been reported to AMD and ASMedia as per normal procedure and let them fix it. Instead, it was made into an opinion piece attacking AMD for market manipulation by idiots funded by an unknown source.
But what do you know? It's real: https://community.amd.com/community...amd-technical-assessment-of-cts-labs-research

It's true that they require admin access first (we already knew that), but the problem is they're a vector to installing further backdoors.
Problem reported, problem (soon to be) solved. I hope we can all move along now.
 
Joined
May 6, 2012
It's a threat, but the impact was incorrect and possible usage very limited. The assessment that fixing is impossible or will take a very long time didn't hold as well.

As such it's nothing but FUD based on how it was represented.

Vector for installing backdoors on systems where you have unsupervised access and the OS is on bare metal and where you have admin and where BIOS flash is allowed. I can install a lot of backdoors on such a system. No exploits needed, actually.
 

bug

Joined
May 22, 2015
It's a threat, but the impact was incorrect and possible usage very limited. The assessment that fixing is impossible or will take a very long time didn't hold as well.

As such it's nothing but FUD based on how it was represented.

Vector for installing backdoors on systems where you have unsupervised access and the OS is on bare metal and where you have admin and where BIOS flash is allowed. I can install a lot of backdoors on such a system. No exploits needed, actually.
At this point I'm not sure if you can't or won't understand why these issues are real. Not sev 1 real, but not something that could live on your system unpatched either.
 
Joined
May 6, 2012
Which part of "it's a threat" specifically did you find difficult to understand?
 

bug

Joined
May 22, 2015
Which part of "it's a threat" specifically did you find difficult to understand?
The part where you put "it's a threat" and "it's nothing but FUD" in the same post.

Edit: also, no BIOS flash needed, read the latest update on the original article.
 