AMD Confirms CTS-Labs Exploits: All To Be Patched In Weeks
by Ian Cutress on March 20, 2018 4:15 PM ESTIf you have been following our coverage regarding the recent security issues found in AMD’s processors and chipsets by security research firm CTS-Labs, it has been a bit of a doozy. Today AMD is posting on their website, in the form of a blog post, the results from their initial analysis, despite CTS-Labs only giving them 1-day notice, rather than the industry standard 60/90-days, as they felt that these were too important and expected AMD to fix them in a much longer timescale. Despite this attitude, AMD’s blog post dictates that all the issues found can be patched and mitigated in the next few weeks without any performance degradation.
The salient high-level takeaway from AMD is this:
- All the issues can be confirmed on related AMD hardware, but require Admin Access at the metal
- All the issues are set to be fixed within weeks, not months, through firmware patches and BIOS updates
- No performance impact expected
- None of these issues are Zen-specific, but relate to the PSP and ASMedia chipsets.
- These are not related to the GPZ exploits earlier this year.
AMD’s official statement is as follows:
Initial AMD Technical Assessment of CTS Labs Research
On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.
Mark Papermaster,
Senior Vice President and Chief Technology Officer
This is followed by a table describing the issues, stating that each issue can be solved by BIOS/firmware updates in the coming weeks. AMD is also set to provide additional updates on the analysis of the issues and mitigation plans over that time. AMD is also prominent about addressing the security issues only, over any others that might have been discussed.
Source: AMD
101 Comments
View All Comments
Dug - Wednesday, March 21, 2018 - link
I love it. An exploit that requires you to have full admin access. Guess what else you can do with full admin access? Just about anything you want.But they claimed it was much worse than this? mmm... unsubstantiated claims.
If it sounds like a duck and walks like it duck, it's a troll.
SkyBill40 - Wednesday, March 21, 2018 - link
Not a ducktroll? I am disappoint. :/0ldman79 - Wednesday, March 21, 2018 - link
I think you guys are misunderstanding him.Admittedly, he wasn't terribly clear.
johnnycanadian - Wednesday, March 21, 2018 - link
MSI hasn't released an update to address Spectre for the X99 Carbon AC. Somehow I doubt I'll be seeing fixes for these vulnerabilities in 2018.MSWordPro - Wednesday, March 21, 2018 - link
I used to get most of my tech news from Extremetech but the journalism was sub par and the comments full of hate and fighting like preschoolers. I'm really glad I moved to Anandtech, no idea why I didn't do this sooner.Thanks to everyone at Anandtech and the community for being civilized and professional. Keep it up guys and gals!
Makaveli - Wednesday, March 21, 2018 - link
Welcome to the site hope you enjoy your stay!Brodz - Thursday, March 22, 2018 - link
They didn't believe AMD could patch these that fast. Now AMD has controlled the situation, hasn't been affected at all, and now has an even more secure product. Thanks CTS Labs.Carmen00 - Thursday, March 22, 2018 - link
I'm very glad to heard this news because it ensures that CTS Labs will not even have a shred of reputation left after this fiasco. So much for their "months" of time that it would take to fix! The sooner that clowns like them are put out of business, the better for everyone else in the legitimate security community.Thermalzeal - Friday, March 23, 2018 - link
Round of applause for the AnandTech team, it's how you get a bunch of electrons to add up!If there was an AnandTech movie it would be more Christopher Nolan and Aaron Sorkin instead of JJ Abrams and a script that begins with IBM trying to explain Quantum to What'son!
Sausagemeat - Saturday, March 31, 2018 - link
I must say I’m genuinely surprised that the exploits turned out to be rea! I thought this was an obvious troll. Still, I’ve learnt my lesson, don’t jump to conclusions and don’t listen to the comments. When this dropped there were so many users asserting everyone that this was fake. Actually, it was quite different to spectre and meltdown where the same comment sections were ripping Intel to shreds. I guess users don’t like intel and have a soft spot for AMD. I don’t think either sets of vulnerability affects home users much and I really don’t think anyone is going to sell their current chip and buy a different one because of it.I do think though that we need to now focus on AMD and getting these fixed rather than hanging CTS labs out to dry. I don’t actually think they were unprofessional, I mean all they did was expose a vulnerability and chose not to hide it from the public. AMD shareholders might be upset but no one else should be.