jaymc :
AMD And CTS Labs: A Story Of Failed Stock Manipulation:
https://seekingalpha.com/article/4157242-amd-cts-labs-story-failed-stock-manipulation?page=4
Kinda ironic that a guy that owns AMD stock writes a biased article about stock manipulation.
To back up this claim, it has had its findings reviewed by not less than ONE, yes, just one, company, Trail of Bits.
The findings have been reviewed and confirmed by more than one.
To further bolster its claim, it has produced one, yes, just one, screenshot of one affected machine where the boot code in the bottom left coroner was replaced with the number "1337."
That is in the public material. The material sent to security experts and to AMD contains working PoCs for all the vulnerabilities on all the hardware.
These findings caused Viceroy Research, another firm with a questionable reputation, to proclaim in a 25-page report on the matter that: "AMD must cease the sale of Ryzen and EPYC chips in the interest of public safety."
I am not defending Viceroy tactics/wording, but the above quote form the Viceroy report is related to this:
AMD’s flawed chips are components in government and defense products –AMD is pushing Embedded Ryzen and EPYC chips into government and defense industries– from aerospace through to enterprise servers and laptops –through promotion of “advanced security” of its Secure Processor– the very Secure Processor which CTS has found to be fundamentally flawed and open to hacking
It is totally legit to criticize Viceroy by their tactics/wording, but full quotes and context would be given as part of genuine criticism.
By contrast CTS's white paper, which can be found on amdflaws.com, and yet inexplicably hosted by a blank website safefirmware.com, discusses no methodology at all, and for proof of concepts discussed therein offers just one screenshot of a server with a boot screen with "1337" (hacker slang for LEET which is phonetic shortening of ELITE) added to the bottom right hand corner, purportedly by CTS. Due to the lack of any discussion of methodology or technical details in the white paper, it is impossible to verify the veracity of CTS's claims. That said, let's discuss them at face value anyway and see what the worst-case scenario could be.
CTS-labs explained why the paper is hosted on safefirmware. The public whitepaper lacks technical details. The private whitepaper contains the full details. CTS-labs explained that they eliminated the relevant details from the pubic material: "We did not publish technical details about the flaws, to avoid putting users at risk. Right now the public is aware of the vulnerabilities, AMD has been provided full details and are now working on patches, and security vendors have also been given full details and are now developing mitigations."
The SA author also forget to mention that the CTS claims have been verified by security experts outside CTS-labs.
However, in order to deploy this vulnerability [MASTERKEY], the attacker would have to first get access to the computer, then gain root or administrator privileges, and then finally have the ability to flash (update) the BIOS on the computer.
"RYZENFALL, FALLOUT and CHIMERA do not require physical access to exploit. MASTERKEY requires BIOS re-flashing, but that is often possible by just having local admin on the machine and running an EXE. We've confirmed this works on motherboards by Tyan, ASUS, ASRock, Gigabyte, Biostar, and others."
Further, since the ONLY shred of proof was provided in the Masterkey section, it's not entirely clear if it's even real. To avoid repeating myself, the same goes for Fallout and Chimera.
Working PoCs for all the attacks have been provided in the non-public material and that they work on AMD hardware confirmed by people outside CTS-labs.
https://twitter.com/dguido/status/973628933034991616
Fallout uses the same attack vector of a signed driver as Ryzenfall, but on an EPYC processor by targeting the boot loader, with identical results, and identical dubiousness of the proof of concept.
Idem above. So since they have working code for this vulnerability, one would ask how CTS-labs got a working driver for the attack. They also answer this: "Any signed driver that provides access to IO spaces is sufficient to interact with the backdoors. There is a vendor-supplied driver that does this". CTS-labs also confirmed the needed driver is "publicly available for download?".
Chimera is the most serious sounding "vulnerability." [...] CTS bases this bold supposition NOT on actual testing, or proof of concept, but on the fact that it claimed to have reviewed the code from AMD's subcontractor, ASMedia, and AMD's chipset code and found similarities between the two code bases. ASMedia reused some of its own code while fulfilling a contract for AMD. What a shock?
Another false. Once again. Working PoCs there exist for all the flaws.
Even Dan Guido, the CEO of Trail of Bits, the one and only company hired by CTS to double check its findings, disputes the validity of Chimera in a tweet to reporters.
False again. He has confirmed at least three times that Chimera is real, including this "The CHIMERA vulnerability abuses exposed interfaces of the AMD Promontory chipset to gain code execution in the chipset processor."
Further, ExtremeTech published an article where it shows that the same ASMedia chips accused of housing backdoors by CTS also are widely used on any ASUS motherboards with Intel chips. So, why is this categorized as an AMD flaw when it widely affects, if real, both AMD and Intel?
Joel's article was refuted in the comments section of ExtremeTech. CTS-labs categorized CHIMERA as AMD flaw because the failure is in the promontory chipset from AMD. Intel doesn't have a similar chipset, so there is no Intelflaw. Said this, some mobos for Intel systems use the affected ASMedia chips as USB controller. Those mobos could be vulnerable to chimera-like attacks, but the failure here is on ASMedia or in the motherboard company. It could be named Asusflaw if some Asus mobos are affected but not Intelflaw, because it is not flaw from Intel.
Moreover, CTS-labs checked this on Intel hardware: "We've looked into quite a few computers made by HP, Dell, Lenovo, etc. and they were not affected."
If Fallout and Ryzenfall are indeed real, hopefully AMD will patch them quickly, as those threaten AMD's Secure Encrypted Virtualization system. Chimera just looks like nonsense, unless further proof is provided, and Masterkey requires a BIOS flash. If you can flash the BIOS all bets are off, on ALL systems, from ALL CPU vendors.
All the flaws are real. CTS-labs and consulted external experts shared doubts about the flaws can be patched quickly by AMD. And BIOS re-flashing is possible by simply running an EXE: "We've confirmed this works on motherboards by Tyan, ASUS, ASRock, Gigabyte, Biostar, and others."
Potential technical impact of AMDFlaws
* Code execution in the PSP and SMM (no visibility to typical security products)
* Persistence across OS reinstallation and BIOS updates
* Block or infect further BIOS updates, or brick the device
* Bypass Windows Credential Guard
* Bypass Secure Encrypted Virtualization (SEV)
* Bypass Secure Boot
* Bypass or attack security features implemented on top of the PSP (e.g., fTPM)
Rather than giving AMD a standard 90-day advance notice adopted by Google, Cisco (NASDAQ:CSCO) and others, or the 200-day-plus notice Google gave Intel, AMD, and others before disclosing Meltdown and Spectre, CTS gave AMD less than a day advance notice.
CTS-labs explained why they don't like the standard disclosure method and advocate for their method.
All the subsequent discussion in the article about green screens, domain creations, or Viceroy tactics/wording ... is simply smoke to divert the attention apart from the security flaws
https://twitter.com/aionescu/status/974028647307849730
Finally, It is interesting that the author of the SA article "discuss the credibility, or rather the lack thereof, of CTS Labs", when his own credibility as financial consultant doesn't look very good with a ranking of only
1/2 over 5
Facebook
Twitter
Instagram