AMD Confirms CTS-Labs Exploits: All To Be Patched In Weeks
by Ian Cutress on March 20, 2018 4:15 PM ESTIf you have been following our coverage regarding the recent security issues found in AMD’s processors and chipsets by security research firm CTS-Labs, it has been a bit of a doozy. Today AMD is posting on their website, in the form of a blog post, the results from their initial analysis, despite CTS-Labs only giving them 1-day notice, rather than the industry standard 60/90-days, as they felt that these were too important and expected AMD to fix them in a much longer timescale. Despite this attitude, AMD’s blog post dictates that all the issues found can be patched and mitigated in the next few weeks without any performance degradation.
The salient high-level takeaway from AMD is this:
- All the issues can be confirmed on related AMD hardware, but require Admin Access at the metal
- All the issues are set to be fixed within weeks, not months, through firmware patches and BIOS updates
- No performance impact expected
- None of these issues are Zen-specific, but relate to the PSP and ASMedia chipsets.
- These are not related to the GPZ exploits earlier this year.
AMD’s official statement is as follows:
Initial AMD Technical Assessment of CTS Labs Research
On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.
Mark Papermaster,
Senior Vice President and Chief Technology Officer
This is followed by a table describing the issues, stating that each issue can be solved by BIOS/firmware updates in the coming weeks. AMD is also set to provide additional updates on the analysis of the issues and mitigation plans over that time. AMD is also prominent about addressing the security issues only, over any others that might have been discussed.
Source: AMD
101 Comments
View All Comments
Manch - Wednesday, March 21, 2018 - link
I watched part of the video. Nice lab LOL. So lemme get this straight. In order for this exploit to work someone needs to get past the security gates, infiltrate the bldg, access the secure server room with their gear and get admin access to the machine?Are any of the CTS team members named Ethan hunt or Benji Dunn?
Ian Cutress - Wednesday, March 21, 2018 - link
Physical access isn't needed. I'm blown away and surprised at how many people seem to think this.Manch - Wednesday, March 21, 2018 - link
Oh OK. So in order to do this they need to get past the firewalls/DMZs, gain access, elevate their permissions until they get root, THEN do this, that's easierHere's the thing though. In order to get to what these guys are talking about and in the scenarios they've presented wouldnt you'd need to get onto the management network that controls the backend/physical portions of these server arrays? Most places Ive seen/worked these are air gapped and only the running network(all virtualized) is what touches the outside world. It was my understanding that these cant break out of a hypervisor so wouldn't physical access be required?
WoenK - Wednesday, March 21, 2018 - link
Could you please explain how someone without physical access can flash a BIOS ? In their video they were using a Windows server installed directly (havent seen something like this in a long time, almost everybody uses VMs), were using the builtin Administrator and not even the BIOS Setup was secured with any password. And then run psexec on a server ? Since when is that installed on default ? VMware also affected by this ? ssh enabled adn root login allowed?So yeah, one could flash the BIOS even via a RAC if you had the credentials and if the RAC was reachable from the outside, but that is something you could do with any server, no matter if Intel or AMD. And signing the BIOS file, if you have the mastekeys it does not matter who made it. It has been like that forever.
There is a reason why you create VMs and make different accounts for different uses.
Not following even the lowest standards of best practices allways meant and allways will mean, you are screwed.
I am actually blown away that there are people out there thinking that all admins are dumb and do not care a bit about security...if one compromised account gives you the right to flash a BIOS, then there is surely one person that should be fired
Stuka87 - Tuesday, March 20, 2018 - link
Thanks for all your guys' coverage on this Ian!SteelRing - Tuesday, March 20, 2018 - link
on the other news, CTS Lab has closed shop, all the people have vanished and no evidence of it ever existed physically could be found. and if they dont do all these, good luck trying to bring up another exploit as credible at all.not shady at all.......
ikeke1 - Tuesday, March 20, 2018 - link
Source?tamalero - Tuesday, March 20, 2018 - link
"None of these issues are Zen Specific".No shit sherlock.
bairlangga - Wednesday, March 21, 2018 - link
Hello Anandtech.Just by looking around for comparison's sake. I noticed that your article title is quite "distinct". LoL
Lolimaster - Wednesday, March 21, 2018 - link
AMD owned cts-intel-labs