Report: CTS Labs has proof-of-concept code for AMD vulnerabilities

As you may have heard, a group calling itself CTS Labs yesterday revealed what it claims are no fewer than 13 security vulnerabilities in AMD hardware. There's a cloud of controversy and confusion surrounding the announcement, the manner in which it was made, and the motivation behind it. Ars Technica and TechPowerUp (TPU) have both done some digging and come up with a little more information.

TechPowerUp reportedly contacted CTS Labs directly. The group told TPU that it had provided "a complete research package" including "functional proof-of-concept exploit code" to AMD, Microsoft, HP, Dell, Symantec, FireEye, and Cisco Systems. Furthermore, CTS Labs admitted to TPU that it did indeed wait just one day after informing AMD before going public with its findings.

Meanwhile, Ars Technica consulted a number of security and processor experts. The site has a pretty detailed write-up that's worth reading in its entirety. To sum up, Ars was told that the vulnerabilities are real but of limited concern, because every one of them requires administrator-level access to the affected system before it can be used. TR friend and occasional podcast guest David Kanter told Ars that "all the exploits require root access […] if someone already has root access to your system, you're already compromised."

That doesn't mean that the exploits are of no consequence. Security expert Dan Guido (founder of Trail of Bits) says he had access to CTS' code package and told Ars that the exploits "work as described" to "make a bad compromise significantly worse." That is, if an attacker is able to gain the required administrative access, these exploits could let them place a backdoor on the system that would be undetectable without extensive analysis. Because such a backdoor would live below the operating system rather than on disk, it would survive a disk wipe or OS reinstall, and removing it could require hardware replacement.

For its part, AMD says that it's investigating the report. It's barely been two days since the company was informed about these flaws, a fact which has been the source of a lot of argument on the web. Under the usual coordinated-disclosure norms, vendors are given at least 90 days to deal with security flaws before they are made public. The lead time before the Meltdown and Spectre exploits were made public was nearly half a year. Whatever its motivations are, CTS Labs' research does seem to be at least partially accurate.

Comments closed
    • Auril4
    • 2 years ago

    Something is not right here.
    Competency, proper protocol, and possibly ethical misconduct questions should be raised about this reporting.

    • w76
    • 2 years ago

    A lot of conspiracy theory around CTS and Viceroy, but I don’t find any direct connections, and CTS seems to be run by engineering geeks, largely Israeli Defense Force veterans, with little financial market experience other than consulting financial companies (past CEO experience), which doesn’t necessarily mean trading advice.

    I think AMD fanboys are overreacting on that front. CTS handled the public release poorly, and should’ve waited, and whoever the Viceroy people are want to trade it for a profit, but that’s all the connection there seems to be. You could make the claim CTS is “backed” by countless authors on SeekingAlpha.com, or even say I back them myself because long term I think AMD stock goes to zero (but I have no money at stake, long nor short).

    So yeah, CTS appears legit, and made a poor decision releasing the info in to the wild so quickly, but no need to go full Russiagate and blow it out of proportion.

      • cynan
      • 2 years ago

      But you still have the question why are they going out of their way to give AMD negative PR? I mean AMDFLAWS.com is about one of the least subtle ways I can think of to go about disseminating a purported security bug. And why cast the Asmedia vulnerabilities as an AMD issue (when it apparently affects all Asmedia USB3 implementations)?

      What financial experience? All they need is a little capital. How are at least half-capable computer engineering students not capable of either:

      1. Buying a bunch of put options on AMD
      2. Borrowing AMD shares, selling them, and waiting for the price to drop so they can buy them back at a lower price and return them (i.e., shorting)

      I believe anyone can do either in the US with an online trading broker (with perhaps a minimum account balance stipulation in the case of the second option) in about 5 minutes, not counting the time it takes to set up an account.

      • fyo
      • 2 years ago

      Viceroy published a long report within hours of CTS-Labs release. There is absolutely no question that Viceroy had access to the CTS-Labs material before hand, so there is at least some connection between the two.

    • ronch
    • 2 years ago

    CTS – Crash The Stock

    No wonder.

    • PrincipalSkinner
    • 2 years ago

    CTS labs….yeah
    Watch this: https://www.youtube.com/watch?v=ZZ7H1WTqaeo

    • fyo
    • 2 years ago

    ZDNet has Linus Torvalds’ take on this whole thing:

    http://www.zdnet.com/article/linus-torvalds-slams-cts-labs-over-amd-vulnerability-report/

    Basically, he seems to be saying this is no different from what would be possible on any other hardware and that the real world effect of it is nada.

    • DancinJack
    • 2 years ago

    Kinda funny to see all the comments from the other article calling this fake or a smear campaign and then the lack of here. Guess it’s a good idea to wait for more info sometimes, on all sides.

      • chuckula
      • 2 years ago

      I’m still calling it fake until I hear confirmation that the proof-of-concept works in the way they said it would.

      And assuming it does work, after that I'm still calling it a smear campaign by an unethical outfit that's also dangerously close to being on the wrong side of the law. Especially since even these over-hyped exploits are not worse than other issues that have cropped up in the past without a disingenuous media campaign behind them.

        • SkyWarrior
        • 2 years ago

        I am with chuckula on this one as well. Bad bad smear campaign. I bet the same vulnerability also works on any intel system when given the chance to install an infected firmware on it. I will call that ‘DrowningPool’.

      • rechicero
      • 2 years ago

      This IS a smear campaign, that’s why they acted that way and they pretty much admit it in the Legal Disclaimer: they are short sellers trying to make an easy profit.

      Then, when these ppl “attack” a company, they don’t lie (that would probably mean jail time). What they do is what they are doing, making a big thing out of something not so big. And they try to control the narrative.

      I don’t expect this thing stopping here. They should have a few more tricks to try to affect the securities they want to short sell.

      For me the worst of all this is: When short sellers target you, it’s because you are vulnerable. That’s never good.

        • ig0012
        • 2 years ago

        Flaw is flaw and security is security. If someone finds a flaw in a device I use, the very last thing I would care about is how that flaw will affect the company which sold the device. They tried to earn on AMD's problems. That's not fine. But they also could just… let's say, find another way to convert the flaws into some money by not making it public. That would be the worst scenario. I don't completely agree that the flaws are not critical. The undetectable Trojan is a big deal and a very scary thing. The fact that it requires elevated permission is not a showstopper these days, considering how frequently I hear stories about people becoming victims of viruses spread through regular phishing, even in big companies.

          • BurntMyBacon
          • 2 years ago

          I largely agree with your “worst case scenario”:

          ig0012: “But they also could just... let say, find another way to convert the flaws into some money by not making it public.”

          However, I disagree here:

          ig0012: “If someone finds a flaw in device I use, the very last thing I would care of is how that flaw will affect company which sold the device.”

          I care very much how it affects the company. I'd rather the company spend the time and resources on fixing or mitigating the flaw in the device I use than spend it on damage control and PR. Both money and (down)time constraints prevent me replacing a device at the drop of a hat, so I'd rather any security researchers make a reasonable effort to work with the company in question to see if a fix or mitigation is viable before significantly increasing the likelihood of exploit on my systems.

    • anotherengineer
    • 2 years ago

    What I find odd is that if they are doing this as a service to the people of the world for the sake of their security, then why not do research on Intel CPUs also, since they represent such a huge percentage of the market relative to AMD?? I mean that would be in the best interest of everyone then, would it not?

    guess i should have used the sarcasm tags

    meh

      • DancinJack
      • 2 years ago

      lol

      • chuckula
      • 2 years ago

      I’ll remember this comment the next time I hear “ONLY INTEL IS AFFECTED BY MELTDOWN/SPECTRE” because multiple ARM parts sure had Meltdown issues, and the same people who got upset about it are the first ones to tell you that Intel really isn’t important since everything is actually ARM anyway.

      • ig0012
      • 2 years ago

      Let me remind you.

      https://techreport.com/news/32867/intel-patches-new-vulnerabilities-in-its-management-engine

      Some company tried to hack IME for something like a year... And they finally succeeded... kind of... considering that the hack requires not just elevated permission and a BIOS update, but physical access to a USB port. Doesn't seem like they gave Intel even 24 hours before making it public. Comments to that article are also an interesting read.

    • moose17145
    • 2 years ago

    Couple of assumptions here for sake of argument.
    1. The flaws are legit (which based upon this little article appears to be the case)
    2. This CTS Labs group is also legit and on the level (again, we are just going to assume this for sake of argument)

    This news is honestly just hurting the reputation of CTS more than it is AMD in my opinion just because of the absolutely horrid way they are going about releasing this information. Release it to AMD first before all else. At least TRY to work with them on resolving the issue before throwing a can of worms out into the wild like this. I hate to say it, as I work in security… but honestly, sometimes the best security really IS security through obscurity (especially in cases like these where something new has been found).

    If you have an unlocked door that is out of the way and hidden… people won’t know they can go through it because they don’t know it exists. That doesn’t mean there is not that one guy who doesn’t know about it… but it keeps your attack surface smaller when fewer people are aware of it vs. posting a giant billboard saying “Secret hidden unlocked door here!”, let alone giving out a map with turn by turn directions about how to get to it.

    Since this requires admin permissions to execute, I think deFunk hit the nail on the head with his “god forbid this makes it into some generally universally trusted application that compromises the system” comment. Or, more likely, an application which masquerades as a universally trusted application… (sometimes old tricks are the best tricks)

      • fyo
      • 2 years ago

      The flaws are (probably) legit, but CTS most certainly isn’t. The company has 4 employees, none of whom appear to have the technical expertise required to do any kind of serious security research. The company was created too recently to actually have done the research (even had their four employees had the technical acumen needed).

      The apparent close (and undisclosed) connection to “Viceroy Research” (a documented short-seller, whose MO is pretty much exactly what CTS-Labs did), suggests that CTS-Labs might just be a front for Viceroy, although no definitive proof of this has come to light at this time.

      The disclosure process has (rightfully) received a ton of flak from pretty much everyone, but if you read the latest comments from CTS-Labs trying to defend their actions, it becomes very obvious that they are full of shit (Tom’s Hardware has an article called CTS Speaks). Not only do they claim that they started the company from scratch with no prior knowledge of flaws in January this year, they also claim that the ONLY reason they didn’t give AMD the customary 90 days is that “after discussing it with manufacturers and other security experts”, they didn’t believe AMD would be capable of coming up with a fix in 90 days. However, not contacting AMD at any point prior to 24 hours pre-release makes that claim impossible to reconcile.

      Coupled with the connection to Viceroy Research, the only logical conclusion is that CTS-Labs did this in order to cause problems for AMD / AMD’s stock price.

      Again, let me stress that I think it’s likely the flaws found are real. What I am talking about here is solely CTS-Labs the company, and it is crystal clear that they are deceitful. Looking at the evidence objectively, it’s very hard to reconcile their story with how these things normally work. It is almost certain that they knew of these bugs before founding CTS-Labs (other evidence pointing towards this is that the amdflaws.com domain was created in Feb, leaving the newly founded company very little time to actually have found anything). Considering the lack of technical expertise and actual employees in the company, I wouldn’t be surprised if knowledge of these flaws originated elsewhere.

      It would be interesting to go through the metadata on their documentation, particularly the docs provided to the (paid) “independent” security researchers and “hardware manufacturers” in the weeks leading up to the disclosure (provided the latter group exists at all).

        • moose17145
        • 2 years ago

        Not disagreeing with you. I also believe this CTS labs is being deceitful, has connections to Viceroy, and is likely little more than a front company for them. As I stated, it was all for sake of argument.

        • BurntMyBacon
        • 2 years ago

        Just one problem.

        fyo: “The flaws are (probably) legit, but CTS most certainly isn't. The company has 4 employees, none of whom appear to have the technical expertise required to do any kind of serious security research. The company was created too recently to actually have done the research (even had their four employees had the technical acumen needed).”

        Gadi Evron, CEO of Cymmetria, is quoted as tweeting (via Anandtech.com): “He knows CTS-Labs and vouches for their technical capabilities, but has no knowledge of their business model.”

        Having another company vouch for you certainly gives the appearance of being capable. That said, I see that Cymmetria hasn't been around very long themselves. Legitimate or not, I wouldn't want to be a company associated with CTS-Labs right now.

        I am also curious as to the reason these specific companies were selected for disclosure.

        Zak Killian: “The group told TPU that it had provided "a complete research package" including "functional proof-of-concept exploit code" to AMD, Microsoft, HP, Dell, Symantec, FireEye, and Cisco Systems.”

        I would have expected to see AMD, ARM (oddly absent), and ASUS (oddly absent) in the list as they are directly responsible for flaws in the CPUs and chipsets in question. If they were planning to let cloud providers know, they missed quite a few. They only hit two of several major OEMs and only two of the many endpoint security companies. I suppose Cisco Systems is the only network product provider that is relevant as well. Seems to me like they took a shotgun approach and hit a bunch of well known names at random.

        • psuedonymous
        • 2 years ago

        With this being such a blatantly and hilariously obvious smear campaign, could the purpose have been to raise AMD's stock price (via many sites leaping on the "random company creates terrible obvious smear campaign against AMD" story) rather than lower it? Or to go full wacko-nutjob-conspiracist, the opposite of the ridiculous "Intel paid them to do it!", "AMD paid them to do it!": unveil discovered exploits tainted with a laughable straw-man smear, such that news coverage focuses on the awful smear attempt and the actual exploits are sidelined or even "fake news"ed. It's a dumb conspiracy, because it would incur the wrath of the SEC due to disclosure requirements if it were ever traced back to AMD. More risk than reward there.

    • freebird
    • 2 years ago

    and all of this pales in comparison to all the AMT vulnerabilities… in the past year.

    https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/ (system can be compromised remotely with a NULL AMT admin password)

    https://thehackernews.com/2018/01/intel-amt-vulnerability.html

      • chuckula
      • 2 years ago

      It’s pretty unrelated and bringing up stuff like that tends to make you look like somebody who basically has zero problems with anything that CTS did except they chose a target you like (AMD) instead of one you hate (Intel).

      Not a good look.

        • Kretschmer
        • 2 years ago

        You made me upvote chuckula, freebird. Why would you do that?!

          • freebird
          • 2 years ago

          Because I love getting Chuckula upvoted. 😉

        • freebird
        • 2 years ago

        Yeah, my edit prior to leaving work didn’t take… but,

        Actually, it is EXTREMELY related, both these issues have to do with Security/Management and the ability to COMPROMISE systems and hide the fact from the OS. Hiding in the AMT or AMD’s Security Processor/zone.

        The FACT is these issues have been going on for too long and the only redeeming value for AMD is that their issues require Admin Privileges to compromise the systems.

        Hopefully, these will be fixed immediately.

        I do take exception to you implying that I would condone CTS' actions if done to Intel. One day's notice seems like they are trying to benefit from the news in some way, not that I hate (Intel). I prefer competition and lower cost tech, that means I usually support underdogs… open source, GPL, etc.

        This isn’t the 1st time you’ve decided to put statements into my posts, so I’m not surprised, but I don’t think that changes the fact that AMT has serious issues that I linked, which means both AMD & Intel have lots of work to do if they really want to “claim” secure management.

      • Welch
      • 2 years ago

      Yeah, they all have vulnerabilities; it’s the level of seriousness of these claims, and possibly actual concerns now, that make these two different worlds.

      It’s about as dumb as people claiming that Apple doesn’t need anti-virus software because it’s impossible to infect. It’s just a matter of time before someone discovers and unfortunately publishes it.

      No one benefits from this information being published before it can reasonably be patched (if it can be). Still waiting to see all of the details.

    • flptrnkng
    • 2 years ago

    “That doesn’t mean that the exploits are of no consequence. Security expert Dan Guido (founder of https://www.trailofbits.com/...”

    ...and reportedly compensated $16K for a week's worth of work on the issue....

      • thedosbox
      • 2 years ago

      Do you work for free too?

        • flptrnkng
        • 2 years ago

        When I’m helping to manipulate the stock price of a publicly traded company? No, I probably want to get paid too.

        I also think a website/publication should make note of all the facts behind this news item…not just the juicy ‘AMD has a Chimera Problem, Oh Boy!’.

          • thedosbox
          • 2 years ago

          flptrnkng: “I also think a website/publication should make note of all the facts behind this news item...”

          Then you won't have a problem with him disclosing that *he* was the one who asked for payment *after* doing the work: https://twitter.com/dguido/status/973629551606681600

    • DragonDaddyBear
    • 2 years ago

    What makes these exploits so scary is the fact the hardware can be infected and it could be very difficult to find infected machines. You have to scrap an entire, very expensive, server if some of this were to be exploited. I highly respect David but in my opinion his full analogy as found on Ars downplays the significance of this.

    “This is like if someone broke into your home and they got to install video cameras to spy on you.”

    If you're on a multi-tenant system, then it's more like installing a camera in everyone's room in the entire complex. What isn't being stated is just why CTS Labs is so in the wrong here. This is bad, but potentially fixable. A skilled person could now find one of these and actively exploit it. This puts everyone at risk and is largely considered wreckers in the information security community.

      • K-L-Waster
      • 2 years ago

      As far as I can tell these things require the attacker to install an infected BIOS on the system. That would normally require either physical access or the cooperation of someone on the inside.

      So while yes, it would be very bad if it happened to a multi-tenant server, it could only happen *after* multiple other security breaches were successfully executed.

        • DragonDaddyBear
        • 2 years ago

        The BIOS is just one of the attack targets. The real problem is the bypassing of what should be a secure sub processor. These trusted extensions are supposed to be highly guarded so that even on an untrusted system you can have some level of assurance that the code is securely executed.

        One example of this is the seemingly crazy requirements around playing 4K content through a disk on Intel systems. [Insert evil media company] doesn’t trust any computer because one of them could be a person who wishes to allegedly illegally share the contents of the disk. The content companies are reasonably sure that the key is reasonably protected by the code in this portion of the processor by guarding the entire execution chain. In this case, one of the exploitable portions of that chain could be bypassed (if they hypothetically allowed AMD processors) and allow access to the key that would be in the “trusted” portion of the processor.

          • Redocbew
          • 2 years ago

          The secure processor is a sitting duck, no? If the threat is real, then it sucks for AMD to have to patch things so soon, but it was always just a matter of time. It’s no different that way than algorithms like MD5 or SHA1 which used to be “good enough” and now are not.

          If the threat is real, then it’s a rootkit that knows how to survive a disk wipe. We’re either seeing shenanigans from CTS Labs or just gross incompetence, but either way I don’t see any reason why this should be treated any differently than any other exploit.

        • Klimax
        • 2 years ago

        You don’t need physical access to update UEFI. You need only Admin/Root on OS or credentials for own UEFI updater. (And maybe valid cert)

    • Srsly_Bro
    • 2 years ago

    I wonder what group is behind this front company.

      • chuckula
      • 2 years ago

      Since they tried to punk AMD I’m going to go with The Clash.

        • derFunkenstein
        • 2 years ago

        Then you better start calling Intel “Robert Smith” because they’re leading The Cure!

        /silent cry

        • K-L-Waster
        • 2 years ago

        More likely “The Damned” — as in “those Damned CTS guys!”

      • Mat3
      • 2 years ago

      I’m thinking Intel or maybe even Nvidia.. not that it’ll ever be proven.

        • chuckula
        • 2 years ago

        Lol…. no.

        If it was either of those two, then this wouldn’t have been done amateur-hour style.

        And if it was Intel, you can be darned sure that ripped-off SVG graphics of Skylake parts wouldn’t have been mislabeled to purportedly be AMD chipsets as Kampman pointed out on Twitter: https://twitter.com/jkampman_tr/status/973594724182495232

        • K-L-Waster
        • 2 years ago

        Potentially risking bad PR or charges of securities fraud or industrial sabotage to temporarily hurt AMD would be monumentally stupid for either Intel or NVidia. (Realistically this will blow over in a week or 2 with no lasting harm on AMD is my take on it.)

        If either of them were going to go to the trouble, it would be something more permanent and more damaging.

      • Dresdenboy
      • 2 years ago

      Viceroy Research

    • K-L-Waster
    • 2 years ago

    I liked David Kanter’s analogy in the Ars article of thieves breaking into your house and this exploit enabling them to install hidden cameras.

    Yes, it makes a bad situation worse, but realistically if they’re in a position to exploit the vulnerability they’ve already got you.

      • CScottG
      • 2 years ago

      Large Government Organizations have been doing this for a long time now.

      Baked-in back-door access.

      • Welch
      • 2 years ago

      Agree, David Kanter is always spot on when it comes to putting things into perspective. When is he on the podcast again!? Also, how does anyone get the podcasts reliably without downloading the file? I’ve been using SoundCloud as much as I hate how buggy it is. I want something similar.

      • Mr Bill
      • 2 years ago

      Considering they need physical access and/or admin privileges; it's more like they walked up to your house while the door was open and/or you gave them a key so they could come back later when you weren't there and install hidden cameras.

        • K-L-Waster
        • 2 years ago

        Mr Bill: “...its more like they walked up to your house while the door was open and and/or you gave them a key so they could come back later when you were'nt there and install hidden cameras.”

        That's my thinking too. The most successful vector for these attacks would likely involve social engineering.

          • Ryu Connor
          • 2 years ago

          Social engineering is a very dangerous one, given that everyone that frequents this site has probably had to clean out malware that was given or obtained admin rights many times before.

          Don’t underestimate the power of privilege escalation flaws or rogue agents either. Do not think of rogue agent as exclusively governmental. This type of low level access would be useful to spiteful IT employees, fired IT employees, IT employees compromised by organized or petty crime. It would also be useful for personal spyware leveraged by abusers, jealous lovers, ex lovers, or even during divorce proceedings.

          For example see this tale of how the magic words of ‘I want a divorce’ make people lose their minds.

          https://arstechnica.com/tech-policy/2014/01/the-county-sheriff-who-keylogged-his-wife/

          These AMD vulnerabilities should not be dismissed given their persistence.

            • K-L-Waster
            • 2 years ago

            It’s no more likely to catch fire than anything else — but if perchance it does, it can burn faster and hotter.

            • Ryu Connor
            • 2 years ago

            I have no idea what you’re trying to say.

      • Klimax
      • 2 years ago

      I am afraid he missed the main reason why it is bad: it persists inside the CPU in a very hard to check location. To fix that you have to replace the CPU and likely the MB itself. (Aka replacing the entire house!)

    • derFunkenstein
    • 2 years ago

    Great, let’s turn this shit loose into the wild. I give it another 15-20 minutes before the first leak of this garbage winds up on a tor site.

      • derFunkenstein
      • 2 years ago

      Heaven forbid this junk make its way into some universally-trusted application. Could you imagine if something based on this made its way into a 7-zip installer?

        • chuckula
        • 2 years ago

        It could even make it so bots can take over your browser and make you reply to yourself.

        OH CRAP! TOO LATE!

          • derFunkenstein
          • 2 years ago

          I’m screwed.

            • derFunkenstein
            • 2 years ago

            Yeah you are.
