Arctic Liquid Freezer II 280 liquid cooler review
Promo: Windows 10 Pro licenses for under 10 USD
Team Group MP33 NVMe 512 GB SSD Review
ADATA SE800 1TB Portable SSD review
Promo: Microsoft Office 2016 for $29.82
Corsair H100i RGB Pro XT liquid cooler review
Corsair K95 RGB PLATINUM XT review
AORUS Radeon RX 5700 XT 8G review
Endgame XM1 gaming mouse review
Guru3D Rig of the Month - December 2019
AMD Security Vulnerability – The Day After - Seems Financially Motivated
It has been a day after the news broke on the claimed AMD Security Vulnerabilities. In this news item, I wanted to recap and report on the current status and overview, as well as sharing my view on things.
Yesterday on the 13th, my phone started to make more noises than usual, the news broke that AMD processors based on Zen would potentially have 13 security flaws. After some quick checks, a self-proclaimed company called CTS Labs posted a paper disclosing as what we now know as Masterkey, Ryzenfall, Fallout and Chimera attack vectors and vulnerabilities, potentially in the Zen architecture.
When the news arrived I started an initial news item, and then started further checking up the validity of the information. Press-releases from CTS Labs where posted by a PR agency on the big media PR outlets like Businesswire. The security firm has a professional looking website, and the website AMDFlaws was filled with information. Thus far all seemed legit. After an hour or so more background checks that we performed indicated weird stuff. Everything seems and felt ‘too convenient’, smooth produced videos with what look like actors, Israel based, coincidentally Intel has a big presence and fab there, which instantly will raise suspicion. It all felt like this information was designed in an effort to inflict damage of some kind. A security research firm would want to deal with their finding carefully, protecting the company and its end-users.
The white paper published by the firm reads nicely but lacks factual technical info. At that time I was thinking this might be a hoax, or an information release to inflict damage. In my responses in the forums I called this news-release a payload, a means to an end to inflict some sort of damage by way of a viral.
Further checking raised more red flags, some media had been pre-briefed or informed by the security firm. Some of them confirmed the flaws reported. However, all flaws require elevated privileges, e.g. there are still design flaws but you need to hand out the keys to your PC (admin level) or be compromised in some sort for these flaws to be exploitable. So if the flaws exist, these are a category 2 vulnerability, certainly not the level of Meltdown and Spectre. Somebody needs access to the PC/Server through administrator rights and access. Now if you give somebody admin level account access, you’re exposed anyway and you can probably think of 100 more, if not thousands of things you can exploit.
Further checking on AMDFlaws and the CTS Labs website lead to curiosities.
- The 24-hour disclosure opposed to the industry standard 90/180 day is just wrong, completely unprofessional.
- 13 flaws announced on the 13th of March?
- Domain records for "amdflaws.com" has been created on Feb, 22, 2018.
- Company is listed only since 2017, linked-in shows very poor company info.
- Domain registered not directly but through "domainsbyproxy.com".
- Domain is registered at GoDaddy, privately. No contact information of the domain is public.
- Their official Youtube Channel with that video, was created March this year. That would be the official company YT channel.
- Video looks marketed, too well produced.
- Names like Ryzenfall sounds like somebody from marketing made that up?
- Precisely 13 flaws? An unlucky number?
- Whitepaper shows no specific technical detail.
- Earlier today when the news broke and info was released I did some Google searches on CTS-Labs, it revealed very little, for a proclaimed established security agency.
- Parts of www.cts-labs.com website are copied from public PDF documents
- As a security firm, cts-labs website does not even have an SSL certificate active? Thus no https available as an option?
- cts-labs does not disclose address on website.
Let me ask you, if you would own a security firm with 16 years of expertise, would your website not have SSL (HTTPS) protection? Click here to see what happens? Also, parts of their website on their business offering, have been copied from public accessible PDF documents.
There’s more though, within two hours of the news release, a short seller by the name of Viceroy Research published a claim that the 'revelations' would be the death blow for AMD. The timing of this is weird, hours after the info got out they already have a 32-page document ready on this. Can you fabricate such a paper in an hour or two? From the looks of this was produced beforehand. Could this be a purpose-built stock shorting scheme trying to devaluate AMD?
In the end, most of the news-release nearly looks to be a hoax or plot to damage AMD or for self-benefit (manipulating stock exchange), and as more time passes it seems to be the case that all this is just that. All this raises suspicion of the highest grounds, that by itself, however, doesn’t mean the vulnerabilities aren’t there, some parties have confirmed some of the flaws. If so, how did a non-security agency get access to that info and was able to produce it as such? Yeah, everything about this information release seems, feels and looks wrong. It seems to have been designed as a viral payload to inflict damage, and I feel the statements greatly exaggerate the impact of the vulnerabilities, perhaps even up-to-the level where I'd need to call it BS, the findings, however, are for AMD to answer.
We expect more info from AMD soon enough as they are the ones to either confirm and/or deny things, we’ll see what they have to say.
AsiJu
Senior Member
Posts: 5866
Joined: 2010-10-16
Senior Member
Posts: 5866
Joined: 2010-10-16
#5528040 Posted on: 03/14/2018 08:26 AM
Excellent investigative journalism Hilbert! Goes to show how a little checking-up can make all the difference...
Excellent investigative journalism Hilbert! Goes to show how a little checking-up can make all the difference...
fantaskarsef
Senior Member
Posts: 11136
Joined: 2014-07-21
Senior Member
Posts: 11136
Joined: 2014-07-21
#5528041 Posted on: 03/14/2018 08:27 AM
THIS is what it's really up to, what AMD has to say to this after they investigated.
We expect more info from AMD soon enough as they are the ones to either confirm and/or deny things, we’ll see what they have to say.
THIS is what it's really up to, what AMD has to say to this after they investigated.
AsiJu
Senior Member
Posts: 5866
Joined: 2010-10-16
Senior Member
Posts: 5866
Joined: 2010-10-16
#5528043 Posted on: 03/14/2018 08:33 AM
Yeh interesting to see how they respond.
Regardless, and I've said this before, seems every week some, or maybe thirteen, critical exploits are found. Now. All of a sudden.
To the point I don't even read about them anymore. I keep my PC as safe as possible and use it as smartly as possible. Has been enough for 20+ years to avoid exploits.
At least that I know of....
Yeh interesting to see how they respond.
Regardless, and I've said this before, seems every week some, or maybe thirteen, critical exploits are found. Now. All of a sudden.
To the point I don't even read about them anymore. I keep my PC as safe as possible and use it as smartly as possible. Has been enough for 20+ years to avoid exploits.
At least that I know of....
Spider4423
Member
Posts: 66
Joined: 2008-01-30
Member
Posts: 66
Joined: 2008-01-30
#5528045 Posted on: 03/14/2018 08:55 AM
This is jut a ruse to put AMD in a bad spot.
Its all too convenient specially with the release of Zen+.
There are market players that do not want Intel and AMD to get competitive again. Might drive the prices down and God forbid innovation.
This is jut a ruse to put AMD in a bad spot.
Its all too convenient specially with the release of Zen+.
There are market players that do not want Intel and AMD to get competitive again. Might drive the prices down and God forbid innovation.
coth
Senior Member
Posts: 412
Joined: 2005-02-23
Senior Member
Posts: 412
Joined: 2005-02-23
#5528054 Posted on: 03/14/2018 09:34 AM
It doesn't matter if vulnerabilities are real.
It doesn't matter if vulnerabilities are real.
fantaskarsef
Senior Member
Posts: 11136
Joined: 2014-07-21
Senior Member
Posts: 11136
Joined: 2014-07-21
#5528055 Posted on: 03/14/2018 09:36 AM
Why not? Please elaborate.
It doesn't matter if vulnerabilities are real.
Why not? Please elaborate.
coth
Senior Member
Posts: 412
Joined: 2005-02-23
Senior Member
Posts: 412
Joined: 2005-02-23
#5528056 Posted on: 03/14/2018 09:43 AM
So it's ok? If someone finds critical holes in software and hardware - they are safe not to get fixed in case they found by someone who has a tooth?
So it's ok? If someone finds critical holes in software and hardware - they are safe not to get fixed in case they found by someone who has a tooth?
fantaskarsef
Senior Member
Posts: 11136
Joined: 2014-07-21
Senior Member
Posts: 11136
Joined: 2014-07-21
#5528059 Posted on: 03/14/2018 09:47 AM
I'm sorry but I'm not sure I understand your post correctly.
In my opinion I'd like to know if those exploits are real, it might very well make a change in my decision to upgrade, or to what product. Hence I'd personally want to know.
So it's ok? If someone finds critical holes in software and hardware - they are safe not to get fixed in case they found by someone who has a tooth?
I'm sorry but I'm not sure I understand your post correctly.
In my opinion I'd like to know if those exploits are real, it might very well make a change in my decision to upgrade, or to what product. Hence I'd personally want to know.
xIcarus
Senior Member
Posts: 941
Joined: 2010-08-24
Senior Member
Posts: 941
Joined: 2010-08-24
#5528060 Posted on: 03/14/2018 09:48 AM
Had the exact same feeling when I saw the initial news - starting from name alone. This may sound picky, but 'amdflaws' as a name clearly tries to instigate a negative feeling towards AMD. Professional security firms always stay neutral with regards to the affected companies, like what happened not long ago with Spectre and Meltdown.
The lack of technical data in the whitepaper made me doubt further - but what topped it off for me was that these flaws looked like software vulnerabilities, but at the same time they were compared to Meltdown? Doesn't make any sense.
And now I see that for the vulnerabilities to actually be exploited you need admin permission on the machine? That's not even remotely comparable to Meltdown.
Great article Hilbert, I love the way you pieced the information together.
Had the exact same feeling when I saw the initial news - starting from name alone. This may sound picky, but 'amdflaws' as a name clearly tries to instigate a negative feeling towards AMD. Professional security firms always stay neutral with regards to the affected companies, like what happened not long ago with Spectre and Meltdown.
The lack of technical data in the whitepaper made me doubt further - but what topped it off for me was that these flaws looked like software vulnerabilities, but at the same time they were compared to Meltdown? Doesn't make any sense.
And now I see that for the vulnerabilities to actually be exploited you need admin permission on the machine? That's not even remotely comparable to Meltdown.
Great article Hilbert, I love the way you pieced the information together.
David3k
Member
Posts: 83
Joined: 2003-07-29
Member
Posts: 83
Joined: 2003-07-29
#5528066 Posted on: 03/14/2018 10:06 AM
Not speaking for him, but for one thing the damage has already been done; this will gain momentum regardless of lack of factual basis and it will be an out of control FUDball. We've seen this kind of thing happen many, many times before. Slowing the spread of misinformation is possible, but the fact that it's in the wild means it will be repeated, so it's alive now.
And the difficult thing about this type of "crying wolf" is that it's very hard to deny to an absolute. You know that the sun rises in the east, but you can't say it will "forever" rise in the east. There may be vulnerabilities in the architecture that nobody today can ever find, let alone exploit, but the same might not be true five years from now.
For all intents and purposes, all these "vulnerabilities" are easily detectable and blockable by security software and are so reliant on too many levels of access being granted to them that it is basically a non-issue; if you leave your car door open on the street, you have worse things to worry about than someone stealing your rearview mirror. (And lets be honest, if you did that, you were kind of asking for it, anyway)
The thing about all this I hate the most is there is no real concern here, and it belittles the efforts of security researchers who actually work hard to do their jobs and do it right.
Why not? Please elaborate.
Not speaking for him, but for one thing the damage has already been done; this will gain momentum regardless of lack of factual basis and it will be an out of control FUDball. We've seen this kind of thing happen many, many times before. Slowing the spread of misinformation is possible, but the fact that it's in the wild means it will be repeated, so it's alive now.
And the difficult thing about this type of "crying wolf" is that it's very hard to deny to an absolute. You know that the sun rises in the east, but you can't say it will "forever" rise in the east. There may be vulnerabilities in the architecture that nobody today can ever find, let alone exploit, but the same might not be true five years from now.
For all intents and purposes, all these "vulnerabilities" are easily detectable and blockable by security software and are so reliant on too many levels of access being granted to them that it is basically a non-issue; if you leave your car door open on the street, you have worse things to worry about than someone stealing your rearview mirror. (And lets be honest, if you did that, you were kind of asking for it, anyway)
The thing about all this I hate the most is there is no real concern here, and it belittles the efforts of security researchers who actually work hard to do their jobs and do it right.
Romulus_ut3
Senior Member
Posts: 670
Joined: 2013-09-18
Senior Member
Posts: 670
Joined: 2013-09-18
#5528074 Posted on: 03/14/2018 10:37 AM
You mean vulnerabilities that allows to have your systems compromised to the point wrong doers have elevated administrator privileges with what sounds like literally having physical access to them? If a hacker has gained administrative access to your system or your system is physically exposed to such a person, you have other security concerns to be worried about than the vulnerabilities that may or may not be present within AMD's CPUs.
If that is the case, each and every intel system are susceptible to the same issues. In fact, it gets much worse.. people these days can alter intel BIOSes to the point they can manipulate the ME Firmware to support and successfully run hardware which intel themselves have deemed incompatible (Cofee Lake CPUs on Z100/Z200 motherboards, cough) and these tools are found on the internet, freely.
What's stopping a master cyber criminal to dupe the average user into flashing UEFI images for their motherboards which promises support for Coffee Lake CPUs while having malware planted in them? Imagine how catastrophic that would be. People are going to download these, flash their systems with them, and will even leave feedback to the OP of the thread, thanking him for his work, while unknowingly leaving their systems compromised.
The problem with the PC Community is, we can not act as a unit, and are dysfunctional. We don't look at the bigger picture, all we do is cherish our preferred manufacturers blindly. Like how intel and some nvidia fanboys are rejoicing at this news and making themselves even more stupid by saying things like there's merit to CTS' claims, while in reality all this is an underhanded attack on AMD, and similar things can happen to the brands they cherish in the future.
Any piece of electronic is susceptible to vulnerabilities, and nothing is ever full proof. But trust me on this that the findings by CTS are a malicious attempt to sabotage AMD by fear mongering, with even deeper ulterior motives, and nothing else.
It doesn't matter if vulnerabilities are real.
You mean vulnerabilities that allows to have your systems compromised to the point wrong doers have elevated administrator privileges with what sounds like literally having physical access to them? If a hacker has gained administrative access to your system or your system is physically exposed to such a person, you have other security concerns to be worried about than the vulnerabilities that may or may not be present within AMD's CPUs.
If that is the case, each and every intel system are susceptible to the same issues. In fact, it gets much worse.. people these days can alter intel BIOSes to the point they can manipulate the ME Firmware to support and successfully run hardware which intel themselves have deemed incompatible (Cofee Lake CPUs on Z100/Z200 motherboards, cough) and these tools are found on the internet, freely.
What's stopping a master cyber criminal to dupe the average user into flashing UEFI images for their motherboards which promises support for Coffee Lake CPUs while having malware planted in them? Imagine how catastrophic that would be. People are going to download these, flash their systems with them, and will even leave feedback to the OP of the thread, thanking him for his work, while unknowingly leaving their systems compromised.
The problem with the PC Community is, we can not act as a unit, and are dysfunctional. We don't look at the bigger picture, all we do is cherish our preferred manufacturers blindly. Like how intel and some nvidia fanboys are rejoicing at this news and making themselves even more stupid by saying things like there's merit to CTS' claims, while in reality all this is an underhanded attack on AMD, and similar things can happen to the brands they cherish in the future.
Any piece of electronic is susceptible to vulnerabilities, and nothing is ever full proof. But trust me on this that the findings by CTS are a malicious attempt to sabotage AMD by fear mongering, with even deeper ulterior motives, and nothing else.
386SX
Senior Member
Posts: 654
Joined: 2017-06-26
Senior Member
Posts: 654
Joined: 2017-06-26
#5528076 Posted on: 03/14/2018 10:46 AM
First of all: Thank you Hilbert for putting those strange observations together. I already noticed some of them, but not all.
But does anyone really give a f*ck about this? Really? I mean you get no "elevation of privileges" out of those. Most (or all?) of them require you to be admin. Did nobody tell anyone it is always bad to have complete admin rights (and probably UAC turned off all together?)? Do you trust and therefore run any program without thinking about it first?
To be clear: You have to run the hack as admin. If malware runs as admin without any elevation of privileges before, you are / were already owned / pwned.
And think of Intel ME. It is the very same thing as they describe AMD now. You are able to hack Intel ME, therefore there are guides on the net to flash the Intel ME firmware with some dummy one to minimize the risks.
And their (amdflaws.com) disclaimer lets the sh!t hit the fan:
The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions.
Opinions? Really? "are no statements of facts"???!!! REALLY???!!! Public sources??? Publicly available facts and evidence collected and analyzed??? Do they mean analyzed as in anal? 'Cause this is complete BS they may shovel up their .... you know what I want to say.
EDIT: @Romulus_ut3 : If I could I would like your post a thousand times in a row!!
First of all: Thank you Hilbert for putting those strange observations together. I already noticed some of them, but not all.
But does anyone really give a f*ck about this? Really? I mean you get no "elevation of privileges" out of those. Most (or all?) of them require you to be admin. Did nobody tell anyone it is always bad to have complete admin rights (and probably UAC turned off all together?)? Do you trust and therefore run any program without thinking about it first?
To be clear: You have to run the hack as admin. If malware runs as admin without any elevation of privileges before, you are / were already owned / pwned.
And think of Intel ME. It is the very same thing as they describe AMD now. You are able to hack Intel ME, therefore there are guides on the net to flash the Intel ME firmware with some dummy one to minimize the risks.
And their (amdflaws.com) disclaimer lets the sh!t hit the fan:
The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions.
Opinions? Really? "are no statements of facts"???!!! REALLY???!!! Public sources??? Publicly available facts and evidence collected and analyzed??? Do they mean analyzed as in anal? 'Cause this is complete BS they may shovel up their .... you know what I want to say.
EDIT: @Romulus_ut3 : If I could I would like your post a thousand times in a row!!
nevcairiel
Senior Member
Posts: 649
Joined: 2015-05-19
Senior Member
Posts: 649
Joined: 2015-05-19
#5528081 Posted on: 03/14/2018 11:17 AM
Independent security researchers have in the meantime confirmed that the exploits are real.
And while it does require admin, its not the only exploit that requires a certain degree of access. Being able to easily infest the firmware of the chipset/cpu once you combine it with a privilege escalation attack, you could plant hidden malware which remains unseen for ever.
Combining attacks with other attacks is pretty common mode of operation, get entry to the system with exploit A, take it over with exploit B, etc. This is not something you can just ignore.
Independent security researchers have in the meantime confirmed that the exploits are real.
And while it does require admin, its not the only exploit that requires a certain degree of access. Being able to easily infest the firmware of the chipset/cpu once you combine it with a privilege escalation attack, you could plant hidden malware which remains unseen for ever.
Combining attacks with other attacks is pretty common mode of operation, get entry to the system with exploit A, take it over with exploit B, etc. This is not something you can just ignore.
scatman839
Senior Member
Posts: 13994
Joined: 2004-11-19
Senior Member
Posts: 13994
Joined: 2004-11-19
#5528091 Posted on: 03/14/2018 12:10 PM
This is pretty mad. Some insider trading for sure
This is pretty mad. Some insider trading for sure
Click here to post a comment for this news story on the message forum.
Senior Member
Posts: 2398
Joined: 2004-02-02
inside intel?