AMD Confirms CTS-Labs Exploits: All To Be Patched In Weeks
by Ian Cutress on March 20, 2018 4:15 PM ESTIf you have been following our coverage regarding the recent security issues found in AMD’s processors and chipsets by security research firm CTS-Labs, it has been a bit of a doozy. Today AMD is posting on their website, in the form of a blog post, the results from their initial analysis, despite CTS-Labs only giving them 1-day notice, rather than the industry standard 60/90-days, as they felt that these were too important and expected AMD to fix them in a much longer timescale. Despite this attitude, AMD’s blog post dictates that all the issues found can be patched and mitigated in the next few weeks without any performance degradation.
The salient high-level takeaway from AMD is this:
- All the issues can be confirmed on related AMD hardware, but require Admin Access at the metal
- All the issues are set to be fixed within weeks, not months, through firmware patches and BIOS updates
- No performance impact expected
- None of these issues are Zen-specific, but relate to the PSP and ASMedia chipsets.
- These are not related to the GPZ exploits earlier this year.
AMD’s official statement is as follows:
Initial AMD Technical Assessment of CTS Labs Research
On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.
Mark Papermaster,
Senior Vice President and Chief Technology Officer
This is followed by a table describing the issues, stating that each issue can be solved by BIOS/firmware updates in the coming weeks. AMD is also set to provide additional updates on the analysis of the issues and mitigation plans over that time. AMD is also prominent about addressing the security issues only, over any others that might have been discussed.
Source: AMD
101 Comments
View All Comments
Alexvrb - Saturday, March 24, 2018 - link
It's nowhere near as severe as Meltdown/Spectre. It requires your system to already be compromised. It can't help you escape a VM. There's no performance impact for plugging these secondary vulnerabilities. Overblown zero-day release by a highly shady "firm" with suspect motives.AeroWB - Wednesday, March 28, 2018 - link
I agree that CTS labs is not garbage, they did find some real vulnerabilities and shared them with AMD so they can be fixed. Unfortunately that is about the only thing they right.Lets analyse:
+ Finding vulnerabilities in AMD CPU/Chipsets and sahring the information with AMD
+ Not giving technical details on how to exploit these to the public
- Giving AMD only 24 hours to respond
- Defending the 24 hour period with an excuse that is utter BS. Especially now AMD says they will be able to fix all with 90 days
- Explicitly trying to make the vulnerabilities look as bad as Meltdown/Spectre while these are not even close (need admin access, so almost no real thread, and AMD claims these can be fixed with no perforamnce impact)
- Publicly flaming AMD by using a website AMDflaws.com and names as Ryzenfalls (really CTS, this is low and unprofessional, you are asking not to be taken seriously) This is in stark contrast to the normal practice in the business.
- Giving the malicious and notorious Viceroy Research group upfront notice so they could release a paper on these vulnerabilities with an even bigger amount of BS. (Viceroy Research is known for manipulating stocks)
+/- Releasing 13 vulnerabilities on the 13th. Maybe they wanted to give us a chance of discovering the BS on their findings by using this faked coincidence, or they really hoped many readers were very superstitious. I am not sure so therefore the +/-
So adding this all up they CTS labs rating on these findings is ---
Or in normal words CTS labs is bad, because of bad ethics, name calling, trying to manipulate stocks, trying to make name by lifting on the news of real vulnerabilities (Spectre/Meltdown) even when their findings were real.
palindrome - Tuesday, March 20, 2018 - link
Moneywillis936 - Tuesday, March 20, 2018 - link
Because that is what they were paid to do.eva02langley - Tuesday, March 20, 2018 - link
They found benign issues and created a story around it to short the stock.poohbear - Wednesday, March 21, 2018 - link
It has been a great buying opportunity though! Hacent seen AMD hit $11 a share in a while! It'll be back to $12/$13 in no time! Nice 10% gain.Tewt - Tuesday, March 20, 2018 - link
Yep, they spun it as a Ryzen architecture problem. That part really bothers me with the outright lying. Kudos to AMD handling this graciously.dotpex - Wednesday, March 21, 2018 - link
Just search linkedin for CTS labs, you will find cts labs (from isreael) and cts labs inc (from us) with same peoplehttps://www.linkedin.com/company/cts-labs-inc/?lip...
Site: http://www.ctslabsinc.com/
dotpex - Wednesday, March 21, 2018 - link
Two accounts same guyhttps://www.linkedin.com/in/ilial/
https://www.linkedin.com/in/yaron-luk-zilberman-09...
http://www.cts-labs.com/management-team
halcyon - Friday, March 23, 2018 - link
Money.It makes the world go around.