AMD Confirms CTS-Labs Exploits: All To Be Patched In Weeks
by Ian Cutress on March 20, 2018 4:15 PM EST
If you have been following our coverage regarding the recent security issues found in AMD’s processors and chipsets by security research firm CTS-Labs, it has been a bit of a doozy. Today AMD is posting on their website, in the form of a blog post, the results from their initial analysis, despite CTS-Labs only giving them 1-day notice, rather than the industry standard 60/90-days, as they felt that these were too important and expected AMD to fix them in a much longer timescale. Despite this attitude, AMD’s blog post dictates that all the issues found can be patched and mitigated in the next few weeks without any performance degradation.
The salient high-level takeaway from AMD is this:
- All the issues can be confirmed on related AMD hardware, but require Admin Access at the metal
- All the issues are set to be fixed within weeks, not months, through firmware patches and BIOS updates
- No performance impact expected
- None of these issues are Zen-specific, but relate to the PSP and ASMedia chipsets.
- These are not related to the GPZ exploits earlier this year.
AMD’s official statement is as follows:
Initial AMD Technical Assessment of CTS Labs Research
On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.
Mark Papermaster,
Senior Vice President and Chief Technology Officer
This is followed by a table describing the issues, stating that each issue can be solved by BIOS/firmware updates in the coming weeks. AMD is also set to provide additional updates on the analysis of the issues and mitigation plans over that time. AMD is also prominent about addressing the security issues only, over any others that might have been discussed.
Source: AMD
Facebook
Twitter
RSS
101 Comments
View All Comments
jdlee - Wednesday, March 21, 2018 - link
After reading your comment multiple times, I finally figured out where you're using sarcasm :) It took a bit, though.JKay6969AT - Thursday, March 22, 2018 - link
To be fair, when I read, then re-read your comment I found it to be anti-AMD and incorrect."What is trillion times worst, are those moron ( I am not even sure if they are really moron any more, or they are actually paid to troll ) crying foul saying ( shouting ) this thing is real. AMD has a serious problem, just as much as Intel Spectre, CTS did it right in zero day. And we are focusing too much on CTS and not AMD's problem, it doesn't matter If you need ADMIN access, these are real Bug. AMD Only ( No mention of ASMedia )...."
These bugs are AMD and INTEL problems as both use ASMedia chipsets on their motherboards.
The bugs are not too serious due to the fact that you need full Admin privileges to enact them and with this status you could wreak havoc on ANY system with full Admin privileges.
CTS Labs were set to profit from releasing these exploit warnings, they must have been otherwise they would have released them as Intel and AMD warnings at the very least. The ONLY reason to blame only AMD would be if they were paid to or they were trying to short AMD stocks or both. That is my opinion anyways :-)
The first thing I thought when I first heard these exploits was...Why is this just about AMD? and Why is this being so blown out of proportion? Admin rights grants a lot of power on ANY system regardless of these bugs so it's bad that it can happen but with that kind of access these bugs are the LEAST of your worries, who needs such a complicated and relatively hard to design and pull off exploit? There are far easier ways to compromise a system when you have such powerful access.
I feel bad for AMD as this wasn't fair and it isn't right that all the blame lies on their doorstep. ASUS have far more blame on their part and intel are about as much at fault as AMD.
johnnyan - Wednesday, March 21, 2018 - link
I love it when people like you call others morons...These vulnerabilities are not even close to Spectre and Meltdown. The one specific to Intel is Meltdown btw...
Samus - Thursday, March 22, 2018 - link
Exactly. There is a staggering difference in severity between silicon level exploitation (ie, architecture flaws) and firmware exploits.jordanclock - Wednesday, March 21, 2018 - link
We should focus on CTS because they failed at key practices of responsible disclosure. Their timelines for disclosure, their lack of CVEs and their inability to be transparent with funding. It was a grossly negligent announcement. As AMD pointed out, these vulnerabilities are not Zen specific. Chimera could potentially impact just about every motherboard in the last ten years because ASMedia tech is so prevalent.But yeah, let's pretend like AMD messed up because they have a secondary vulnerability.
jordanclock - Wednesday, March 21, 2018 - link
Also Meltdown is considerably more dangerous because a program with essentially no permissions, other than execution, can view memory it should never have access to. Spectre is even worse because it could theoretically occur in web browsers until mitigations were put in place.jospoortvliet - Wednesday, March 21, 2018 - link
Exactly. Spectre can hit you when running in a sandboxed browser! Meltdown can break out of a virtual machine... while these 'exploits' *require* root access - typically the very thing an exploit is supposed to attain.t.s - Wednesday, March 21, 2018 - link
Not only 'root' access, but 'bare metal' access."All the issues can be confirmed on related AMD hardware, but require Admin Access at the metal"
SetiroN - Wednesday, March 21, 2018 - link
Yeah you're just utterly clueless. Those vulnerabilities are pretty minor and administrative access makes all the difference in the world in security.Ian being British and politically correct completely smashed their credibility between the lines, with the phone interview and in every article including this article.
But you're clueless and everything just flew over your head.
Samus - Thursday, March 22, 2018 - link
True. I mean. If someone malicious has Admin access the entire system is already compromised. And if someone has Admin access that is dumb enough to execute code taking advantage of these exploits, then the system is already compromised.