15/03/18: LINUX LEGEND Linus Torvalds has slammed a report from Israeli security firm CTS-Labs over supposed Spectre-like vulnerabilities in AMD's Ryzen and Epyc processors.

Due to the way the flaws were publicly disclosed - immediately, rather than giving AMD time to fix them - Torvalds sees CTS-Labs' discovery more as stock manipulation than as a security advisory.

"When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah," he said on Google+. "I thought the whole industry was corrupt before, but it's getting ridiculous."

Torvalds is not the first person to raise their eyebrows at the report.

Our very own commentators pointed out that the flaws, if legitimate, were blown out of proportion, as they mostly require administrator access to a system's BIOS and core functions, at which point anyone is in a position to wreak security havoc whether a chip has flaws or not.

Exaggerating, or indeed fabricating, a security risk is one way to manipulate the stock price of a tech giant.

Then there's the question of the legitimacy of CTS-Labs as a company, especially as it admitted that it has a vested interest in the performance of AMD stock.

"Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," CTS-Labs said.

Such a disclaimer is all very well and good, but Gamers Nexus took a deep dive into CTS-Labs and raised yet more questions over its legitimacy.

It noted that CTS-Labs seems to have sprung up out of nowhere over the past year and that while security experts have acknowledged off-the-record that there may indeed be flaws in AMD's chips, they didn't know about CTS-Labs. Furthermore, the PR contact for CTS-Labs appears to be unreachable.

And going deeper still, Gamers Nexus found that the website used to report the flaws, AMDFlaws.com, was registered mere weeks ago, adding that the backgrounds in CTS-Labs videos explaining the flaws and its research appear to be green screens of offices rather than physical locations. The plot thickens.

The white paper research itself doesn't read like a traditional threat disclosure either, with little technical detail to give credence to the existence of the flaws. However, CTS-Labs noted that technical data was passed on to AMD and Microsoft but kept away from the public to prevent hackers from digging into it.

But if all that's not enough to raise questions, there's Viceroy Research to consider.

The unknown company published a 25-page report on the flaws discovered by CTS-Labs, slamming AMD in no uncertain terms for the flaws, claiming "just one Ryzen chip could danger an entire enterprise network" and that AMD's stock should be worth zero.

Strong stuff, until you notice that Viceroy Research admits to having a vested interest in AMD's financial position, potentially a 'short' position whereby Viceroy Research's investment pays off if AMD's stock price goes down. So, yeah, all pretty shady stuff.

All that being said, CTS-Labs did get Dan Guido, founder of security firm Trail of Bits, to independently review its findings.

Guido noted that each flaw does exist and works in the way CTS-Labs claims it does: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works."

The security researcher highlighted that while all the flaws do indeed need admin access, they pose a threat by allowing hackers to spread malware from machine to machine or carry out espionage using undetectable malware installed directly in a chip's firmware.

Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works. — Dan Guido (@dguido) March 13, 2018

This would suggest that the flaws are indeed real, and CTS-Labs' research is legitimate despite a vested interest in seeing AMD slump.

It's also worth noting that Israel is a hotbed of security and tech startups, so such companies do pop up seemingly out of nowhere, and there are plenty of lone cybersecurity specialists who jump from obscurity into fame after discovering a flaw or indeed a fix for hack attacks.

All in all, the whole thing is a bit of a head-scratcher; if false, CTS-Labs has a lot to answer for, but if true, AMD has some patching to do.

So far AMD has yet to offer any more information on the existence of the flaws; we expect it's digging into the issues and will have more to say once it works out if its chips do indeed have flaws and how severe they might be.

We'll keep an eye on things and keep you, dear readers, updated as the whole shebang develops.

14/03/18: AMD's top chips look to be in a spot of bother as researchers have found 13 vulnerabilities in its Epyc and Ryzen processors that look to be as critical as Spectre.

The flaws were uncovered by Israeli security firm CTS-Labs, which noted that the vulnerabilities affect the Secure Processor, a co-processor found on AMD's CPUs where sensitive data such as encryption keys and passwords are stored.

The 13 vulnerabilities fall into four threat categories: Master Key, Ryzenfall, Fallout and Chimera.

Master Key allows malware to bypass the Secure Processor firmware, allowing the processor itself to be infiltrated.

To get there, an attacker needs administrator access, either directly or remotely, in order to flash the computer's motherboard BIOS. This then allows them to infect the secure boot process: a series of checks the chip carries out to ensure the computer hasn't been tampered with and that only trusted programs are launched.

With an infection at the secure boot level, the Master Key threat allows attackers to take control of the programs allowed to run during a computer's startup, as well as to disable other security features on the Secure Processor.

Ryzenfall is a threat that allows malware to completely hijack the Secure Processor, giving access to secure data that would normally be out of an attacker's reach. This data could then be used to infect other computers on the same network, as the vulnerabilities allow Windows Credential Guard to be bypassed.

Used in conjunction with Master Key, Ryzenfall could be used to install persistent threat malware on the Secure Processor to carry out long-term espionage.

Fallout also allows attackers to get access to protected data on AMD's CPUs, but it only applies to the Epyc processors.

However, these chips are used in data centres, and the vulnerability effectively breaks the virtualised segregation of network credentials from other parts of a server's memory by allowing protected memory areas to be read and written.

As such, network credentials can be pilfered, allowing malware to spread to other connected servers, which could potentially wreak havoc with data centres supporting public clouds.

Finally, Chimera relates to backdoor vulnerabilities at a hardware and firmware level, which could allow hackers to inject malicious code into the Secure Processor. At this level, malware would evade pretty much all current endpoint security software and services, according to the researchers.

"The chipset links the CPU to USB, SATA, and PCI-E devices. Network, WiFi and Bluetooth traffic often flows through the chipset as well. An attacker could leverage the chipset's middleman position to launch sophisticated attacks," they said.

"Malware running on the chipset could leverage the latter's Direct Memory Access (DMA) engine to attack the operating system. This kind of attack has been demonstrated."

So in a nutshell, this suite of vulnerabilities looks to be pretty bad news for AMD. And CTS-Labs announced them immediately, rather than giving AMD the normal 90-day window to fix the flaws.

However, CTS-Labs noted that no technical detail on the flaws was revealed, so it hasn't opened a Pandora's box for hackers; only AMD, Microsoft and select companies have the technical details so they can create patches and fixes for the vulnerabilities.

"At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise," AMD said in response to the research.

"We are investigating this report, which we just received, to understand the methodology and merit of the findings."

At the time of writing, CTS-Labs claims that if a computer is running a Ryzen, Ryzen Pro, Ryzen Mobile or Epyc chip, then it is at risk, along with machines on the same network, though no attacks have been seen in the wild yet.

Nevertheless, CTS-Labs researchers don't want the flaws to be brushed off lightly.

"We believe that these vulnerabilities put networks that contain AMD computers at a considerable risk. Several of them open the door to malware that may survive computer reboots and reinstallations of the operating system, while remaining virtually undetectable by most endpoint security solutions," they said.

"This can allow attackers to bury themselves deep within the computer system and to potentially engage in persistent, virtually undetectable espionage, executed from AMD's Secure Processor and AMD's chipset. It is our view that the existence of these vulnerabilities betrays disregard of fundamental security principles."

While AMD's chips were affected by the Spectre flaws, they weren't affected by the more serious Meltdown bug that affected Intel chips, which AMD was rather smug about.

But with this wave of uncovered bugs in a core part of AMD's CPUs, the chipmaker is not likely to be full of smiles and is likely working at full pelt to find mitigations before hackers pry the security holes open. µ