AMD Confirms CTS-Labs Exploits: All To Be Patched In Weeks
by Ian Cutress on March 20, 2018 4:15 PM EST
If you have been following our coverage regarding the recent security issues found in AMD’s processors and chipsets by security research firm CTS-Labs, it has been a bit of a doozy. Today AMD is posting on their website, in the form of a blog post, the results from their initial analysis, despite CTS-Labs only giving them 1-day notice, rather than the industry standard 60/90-days, as they felt that these were too important and expected AMD to fix them in a much longer timescale. Despite this attitude, AMD’s blog post dictates that all the issues found can be patched and mitigated in the next few weeks without any performance degradation.
The salient high-level takeaway from AMD is this:
- All the issues can be confirmed on related AMD hardware, but require Admin Access at the metal
- All the issues are set to be fixed within weeks, not months, through firmware patches and BIOS updates
- No performance impact expected
- None of these issues are Zen-specific, but relate to the PSP and ASMedia chipsets.
- These are not related to the GPZ exploits earlier this year.
AMD’s official statement is as follows:
Initial AMD Technical Assessment of CTS Labs Research
On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.
Mark Papermaster,
Senior Vice President and Chief Technology Officer
This is followed by a table describing the issues, stating that each issue can be solved by BIOS/firmware updates in the coming weeks. AMD is also set to provide additional updates on the analysis of the issues and mitigation plans over that time. AMD is also prominent about addressing the security issues only, over any others that might have been discussed.
Source: AMD
Facebook
Twitter
RSS
101 Comments
View All Comments
teraflop1 - Wednesday, March 21, 2018 - link
What do you mean 'it doesn't matter if you need ADMIN access'? And these bugs are not as severe as the Intel issues. If you actually read how the exploits work you would see this too.Many people on Anandtech are very well trained technical specialists that can see through the CTS garbage in seconds.
dotpex - Wednesday, March 21, 2018 - link
"it doesn't matter If you need ADMIN access"Ok, give me key to your house an car, and then blame house and car manufacturer
mkozakewich - Wednesday, March 21, 2018 - link
The gist of the whole thing is this: "If an intruder gains access to your house, they could unlock the windows so that they could easily regain entry later!"No, we're not giving anyone our keys. The thing is, I don't care that my window latches are technically vulnerabilities if I make sure I'm not inviting malicious actors into my house. It's still a risk, but it's manageable.
zepi - Wednesday, March 21, 2018 - link
I rent a physical epyc server from a datacenter for one month (costs few hundred bucks). I exploit the PSP vulnerability that overwrites AGESA firmware with version that includes a backdoor for me and a fix that prevents future firmware upgrades and fixes to Ryzenfall and Fallout.Then I return the machine to cloud operator after one month of ferocious ”insert cryptocoin name of your choise” mining and wait until someone else rents the same machine.
Whoever rents it next can’t choose brand new machine vs. One that comes pre-used -> I’ve just pwned them for couple of hundreds.
tamalero - Friday, March 23, 2018 - link
When you "Rent" a cloud operator's server, I dont think you get full root access in the way you think you get.You're talking about actually renting a dedicated server, not cloud.
erple2 - Saturday, March 24, 2018 - link
Service providers like AWS are now reselling bare-metal CPU time, too. Granted AWS is intel-exclusive (for now).See: https://aws.amazon.com/blogs/aws/new-amazon-ec2-ba...
peevee - Wednesday, March 21, 2018 - link
"it doesn't matter If you need ADMIN access, "Oh YES I DOES.
If you have admin access at the metal (as far as I understand as opposed to VM), the game is over already.
Samus - Thursday, March 22, 2018 - link
iwod, you are either failing to see the fundamental difference between AMD and Intel exploits, or trying really hard to ignore them.The difference here is AMD's problem are not silicon level. They are firmware level. ie entirely fixable.
Yet CTS seemed to imply they were not easily fixable and in a way much worse than Intel's problem because there were four categories of exploitation instead of two.
The whole thing was blown out of proportion, and considerin the simplicity of the fixes, it boggles the well-balanced mind why these were released zero-day instead of giving AMD a few weeks to simply push a firmware update to fix all of these problems.
This is what we would consider a smear campaign in politics. And CTS is obviously playing the role of political watchdog here. Which begs the question...why? Why were they so gray about what they found, how they went about announcing it, and how they conducted interviews?
iwod - Thursday, March 22, 2018 - link
Right, I wish there is an edit button.What is trillion times worst, are those moron ( I am not even sure if they are really moron any more, or they are actually paid to troll ) crying foul saying ( shouting ):
"This thing is real! AMD has a serious problem, just as much as Intel Spectre, CTS did it right in zero day. And we are focusing too much on CTS and not AMD's problem, it doesn't matter If you need ADMIN access, these are real Bug. AMD Only ( No mention of ASMedia )...."
And Then they insults Ian for all his hard work, calling him bias, AMD Fanboy......
Does that clear things up?
Brodz - Thursday, March 22, 2018 - link
"But Ian being well educated and British, remains calm and gentleman"I don't think Ian will date you... settle down