AMD says CTS Labs vulnerabilities can be patched with new firmware

Amid the tumult that CTS Labs stirred up with its questionably conducted disclosure of a range of potential vulnerabilities in AMD hardware last week, it's important to remember that those vulnerabilities are, by the accounts of all who have seen proof-of-concept code, legitimate. While the vulnerabilities generally require administrative rights to exploit, they reward that privilege escalation with the potential to compromise a system's hardware root of trust or install persistent malware. Today, AMD announced plans to begin mitigating the four categories of exploits that CTS Labs revealed through its disclosure. Happily, the company believes it can safeguard its processors and chipsets against all of these vulnerabilities through firmware updates.

As a brief refresher, the so-called "Masterkey" vulnerability allows an attacker to compromise the AMD Secure Processor, an integrated ARM core that handles some platform security functions for some Ryzen and Epyc systems, by installing a corrupted firmware that the Secure Processor does not detect during its own self-checks. Once the Secure Processor is compromised in this way, an attacker could persistently bypass the protections of AMD's Secure Encrypted Virtualization and Firmware Trusted Platform Module features. CTS Labs also warns that Masterkey exploits could bypass Windows' Credential Guard features and physically damage or "brick" affected hardware. AMD says a firmware patch for this issue will arrive "in the coming weeks."

The Ryzenfall and Fallout vulnerabilities, according to AMD, allow an attacker to write to some of the Secure Processor's own registers. That access could allow an attacker to read or write to protected memory regions for x86 System Management RAM and Windows Credential Guard. In conjunction with the Masterkey vulnerability, CTS Labs says Ryzenfall could be used to install persistent malware on a system. As with Masterkey, AMD believes it can mitigate the issue through a firmware update, and it plans to release those mitigations soon.

Finally, AMD says the Chimera vulnerability in its Promontory chipset silicon can be exploited by an attacker who can install a malicious driver on a system. Once that's done, the company says "certain Promontory functions" can be exposed. AMD says Chimera can be used to access physical memory through the chipset or to install malware on the chipset that does not persist across reboots. AMD says it is working with the "third-party provider"—ASMedia, by CTS Labs' account—that designed and produced the Promontory chipset to mitigate the problem. Like the other two vulnerabilities, AMD expects that Chimera can be mitigated through a firmware update that will arrive soon.

If AMD can, in fact, mitigate these issues through firmware updates alone, owners of its processors and platforms will likely be able to breathe a little easier. Presumably, CTS Labs will test those mitigations independently and determine whether those customers are, in fact, safe. We'll continue to keep an eye on this story as it develops.

Comments closed
    • cynan
    • 2 years ago

    I think it only fair that if AMD does in fact come through with these patches within a reasonable time period, that CTS Labs pays for the domain name [url=https://community.amd.com/community/amd-corporate/blog]AMDFIXED.com[/url] to host the update of this announcement.

    • kuttan
    • 2 years ago

    That CTS Labs multi-billion-dollar client never thought such a cheap business trick was going to fail to contain AMD 😀

      • ig0012
      • 2 years ago

      Actually, I find it amusing that an attempt to manipulate the AMD stock by an unknown company caused a much more stormy reaction than an attempt to manipulate AMD stock by AMD itself.

      [url]https://techreport.com/news/28056/amd-securities-fraud-lawsuit-will-go-forward[/url]

        • NovusBogus
        • 2 years ago

        That kind of lawsuit is exceedingly common so it’s only really newsworthy if by some strange twist of fate AMD gets found culpable of something. They’ll just argue–correctly, in my eyes–that AMD once again misjudged the market and the case will evaporate.

    • stdRaichu
    • 2 years ago

    What’s to guarantee that these so-called firmware updates weren’t built on an ancient Indian burial ground and, when installed, will result in evil spirits disturbed from their eternal slumber Ryzen from the ground and laying waste to all in their path? What’s to stop the evil spirits building an interstellar beacon to lure in the Star Locusts and destroy our planet utterly? Complete and utter negligence on AMD’s side that they’ve done NOTHING to prevent this from happening.

    AMD, if you can’t prove that’s not going to happen then you may as well just fold the company now.

    Sell your AMD stock NOW!

    • Unknown-Error
    • 2 years ago

    CTS claimed months if not a year+ to fix and recommended that you not buy AMD stuff. AMD says fix within weeks, claims it requires admin access at the metal and patches have no performance impact? Clearly AMD is lying. CTS and especially the great Juanrga never lie or make things up.

      • venfare
      • 2 years ago

      nice sarcasm.

      • ig0012
      • 2 years ago

      To be fair, last time a PSP bug was discovered in an AMD processor, it took them more than 90 days to release a fix (actually I don’t know if the patch has been released).

      [url]https://www.theregister.co.uk/AMP/2018/01/06/amd_cpu_psp_flaw/[/url]

        • stefem
        • 2 years ago

        Yep, and for some of the vulnerabilities AMD talks about mitigation and not solution; there’s a fundamental difference between those words.

    • ronch
    • 2 years ago

    And AMD went on its merry way and CTS was never heard from again.

    The End.

      • enixenigma
      • 2 years ago

      One can only hope…

      • Klimax
      • 2 years ago

      Considering their background, not likely.

      • stefem
      • 2 years ago

      The flaw they found proved to be real in the end. You may dislike their “PR stunt,” but they helped AMD identify holes that could have damaged AMD customers, and think about the consequences if they were discovered after an actual attack.

    • Welch
    • 2 years ago

    But…. AMD clearly couldn’t have fixed it, so we had to announce it publicly! I hope AMD or some third party sues CTS for being so careless.

      • thedosbox
      • 2 years ago

      Strictly speaking, AMD haven’t fixed them – yet. But it does sound as if they will, and presumably within the common 90-day window that responsible disclosure would have allowed.

        • Welch
        • 2 years ago

        For sure, unless AMD is bluffing, they claim to have a fix for all of the exploits within the coming weeks, so well under the 60/90 days.

        I’m no lawyer, but I’m curious about what suit could be brought against a company if there were damages for this news not being handled properly. Especially the portion about them not believing AMD had the ability to patch any of them (suggesting hardware). Considering the speed at which AMD is saying they debunked those claims and say they have a fix for all of them… CTS would have to be able to show, within reason, what led them to thinking AMD couldn’t have patched any of them.

          • Klimax
          • 2 years ago

          Actually CTS claimed that only Chimera cannot be patched (at least in the AnandTech interview).

          As for lawsuits, I don’t think there were any for any of public disclosures.

            • derFunkenstein
            • 2 years ago

            I think that “can’t be patched” means once you’re infected, it can’t be reversed. Preventative patches certainly must be possible.

            • stefem
            • 2 years ago

            Well, for Chimera AMD is talking of mitigation, not of a fix, if Jeff didn’t decide to use this ambiguous word on his own.

        • spiketheaardvark
        • 2 years ago

        I bet AMD will approve overtime for every engineer in the company if needed to get this fix out in 90 days as a metaphorical extended mid digit to CTS.

      • ig0012
      • 2 years ago

      What would this suit be based on? The 90-day public disclosure is common practice, not a law.

        • BurntMyBacon
        • 2 years ago

        They could try to sue them for libel. Of course, they would have to prove that the statements were both unjustly representing AMD unfavorably and that they were made with malicious intent. Damages awarded would be based on the actual damages done to the company.

        There are a great many statements CTS made representing AMD unfavorably. It is reasonable to assume at this point that some of those statements can be proven unjust. However, proving that the statements were made with malicious intent is very difficult. Given that AMD’s stock prices didn’t drop by all that much in the wake of this news and the fact that the CTS would not likely be able to pay any large award anyways, it doesn’t look like the reward would be worth the effort. I don’t see AMD pursuing a lawsuit unless they can either implicate other parties or have enough spare money to waste making an example out of them.

          • DrCR
          • 2 years ago

          With libel, general damages are presumed as a matter of law.

          With slander, except in slander per se situations, the plaintiff must prove special damages. The actual malice requirement is with regard to defamation of public figures.

        • gerryg
        • 2 years ago

        I’m sure AMD complained to the SEC, so rather than a lawsuit based on security practices or libel or something like that, it would be potential punishment on the securities side of their business for attempting to maliciously manipulate the market. But even then, I have no idea if there’s a case for it. I’m sure the lawyers will think of something, they always do. Meantime, AMD can try to convince other businesses to remove CTS from eligibility for vulnerability and bug bounties.

      • NovusBogus
      • 2 years ago

      Unless CTS has a legally binding contract with AMD they’re under no obligation to protect AMD’s financial or PR interests beyond the usual requirement that they not intentionally make factually incorrect statements with malicious intent. Even a third rate defense lawyer would have no problem explaining that the “AMD totally can’t fix this one, evar” stuff was marketing BS and marketing BS has a lot of legal protections. That leaves the exploit itself, which AMD itself has tacitly confirmed is an actual thing.

      They could have posted it on Wikileaks if they’d wanted to. Or sold it to North Korea and waited for the inevitable lulstorm, unless they’re also on Israel’s official do-not-sell list like they are ours.

        • stefem
        • 2 years ago

        I don’t understand who talks about a lawsuit by AMD against CTS either; AMD itself is solely responsible for the security of its products (and yet it would be hard to sue them if one got compromised unless there is evidence of negligence). You can’t blame CTS for informing customers about a security risk (even if you didn’t like the fancy way they handled its disclosure); you should actually thank them. A real bad guy would have put AMD in real trouble.

    • anotherengineer
    • 2 years ago

    So are other ASMedia products affected on other platforms also?

      • psuedonymous
      • 2 years ago

      ASMedia don’t make chipsets for any platform other than Ryzen. They make popular USB host controllers, but those just hang off the PCIe bus like any other PCIe device.

        • just brew it!
        • 2 years ago

        [quote]They make [s]popular[/s] ubiquitous USB host controllers, but those just hang off the PCIe bus like any other PCIe device.[/quote] FTFY. I'll grant that they're widely deployed, but I'm not a fan. They seem to be a lot more prone to flakiness (not sure if it is hardware/firmware/drivers) than the alternatives from other vendors.

          • psuedonymous
          • 2 years ago

          Could be worse, could be Renesas.

        • freebird
        • 2 years ago

        CTS claimed they started out researching ASMedia USB controllers and only decided to look into AMD after AMD announced they would be using ASMedia as their AM4 chipset source… (which I find hard to believe, since according to other articles/reports this company was only created in early 2017, and news was already out by then that AMD would be using ASMedia for their chipset, but that is beside the point)

        CTS claimed they found vulnerabilities in the ASMedia chips (ASM1042, ASM1142, ASM1143) which they then ran against an AMD Ryzen PC and the PoC worked against the Ryzen PC…

        So apparently a vulnerability exists in at least one of the ASMedia chips (ASM1042, ASM1142, ASM1143) that is used in numerous other motherboards, if the CTO of CTS is to be believed.

        [url]https://www.extremetech.com/computing/265695-cts-labs-responds-allegations-bad-faith-amd-security-disclosures-digs-deeper-hole[/url] While any of the Secure Processor issues may be AMD only, there is at least one USB problem according to CTS which affects ANY motherboard with some of the chips listed above.
