Tuesday, March 13, 2018

CTS Labs AMD Flaws Announcement and amdflaws.com

So like everyone else in the InfoSec world at the moment, I am not amused with the recent whitepaper released by CTS Labs and its accompanying website: https://amdflaws.com/

In my opinion, this will go down as a huge blunder on CTS Labs' part. After reading the terribly written whitepaper, I am thoroughly convinced that this is nothing more than an attempt at gaining notoriety via fear mongering and over-hype. They only gave AMD 24 hours' notice before releasing this, by the way. Also, nobody seems to know who CTS Labs is.

https://safefirmware.com/amdflaws_whitepaper.pdf

The four flaws being marketed are:

  • RYZENFALL
  • MASTERKEY
  • FALLOUT
  • CHIMERA

First of all, I would like to point out that I'm sick of these stupid vulnerability names with matching logos. Marketing like this has no place in InfoSec as far as I'm concerned. My problem with this whole situation isn't with the vulnerabilities themselves, but with how this new information is being handled by CTS Labs.

Anyways, on to the vulnerabilities.

Here's a clip of the whitepaper regarding RYZENFALL:


Ok, so here's the thing. Yes, this vulnerability exists. Is it plausible that the average person will be at risk of this happening on their system? Not in the least. Not only will the computer have to be fully compromised, the attacker will also have to use a vendor-supplied driver to execute this, specifically on a Ryzen chip (FALLOUT and CHIMERA have the same requirements for exploitation, but on different chipsets). It's all about threat modelling. This doesn't deserve the hype they are trying to push.

Here's my favorite clip from the whitepaper regarding MASTERKEY:


Really? If someone is flashing my BIOS with a custom ROM, there is a bigger problem at hand. Again, this does not deserve the hype they want.

The main problem with all this is the manner in which it is being handled by CTS Labs. They are attempting to make it seem worse than it is by creating enough noise to scare people who don't understand, which is a reprehensible act on their part. The fact that these vulns require elevated admin access before exploitation can even be attempted immediately reduces their severity. Yes, they do exist, but they are not an impending, immediate threat. Some people are even calling them pseudo-vulnerabilities. However, I will not.

In the end, I think it is our responsibility as a community to handle these situations with professionalism and rationality, and this is a prime example of the opposite. One thing I am happy about is the number of people calling out CTS. They deserve it, and I hope it deters other "Labs" from doing this.