The Low-down On Bizarre AMD Security Exploit Saga – You Will Want To Read This
This is a developing story and may be updated without notice. The primary purpose of this article is to provide material context on the Masterkey, Chimera, Ryzenfall and Fallout exploits recently published by CTS-Labs.
Something very peculiar has happened in the past few hours. A report was published that, at first glance, claimed to reveal 13 Spectre-level flaws and would have been a massive blow to AMD; but as more information surfaced it quickly became apparent that nothing is as it seems. Before we go any further, you might want to read up on what CTS-Labs, a security firm apparently based in Israel, has alleged. Painting a very Spectre-like scenario, the company has disclosed its findings on a dedicated website: amdflaws.com.
An AMD short play: ties to a known short group, a hyped-up report, Hollywood VFX and a malicious disclosure with probable economic intent set the stage
Google Project Zero gave the affected companies months to get their act together, had no economic stake in their securities when the exploits were made public, and definitely has real offices. None of this appears to be true for CTS-Labs. In fact, the company's digital presence is fairly recent: the domain CTS-Labs.com was registered on 2017-06-25 and AMDFlaws.com on 2018-02-22, and the first video on the company's YouTube channel was uploaded only a few days ago.
The company appears to have a total of three employees/executives, all of whom are featured in the YouTube interview. There is no visible history or record of the company's activity before this disclosure. Even the company's name is used inconsistently: in the video it is "CTSlabs", on the AMDFlaws site it is "CTS-Labs", and in the legal disclaimer it is referred to only as "CTS". The company's "AMDFlaws interview" features backgrounds that were clearly composited in with green screens (thanks, reddit).
None of that is in itself a reason to get the pitchforks out, but this is where it turns malicious. CTS-Labs' report was cited by a firm called "Viceroy Research" in a 33-page document titled "AMD: The Obituary", published (according to the PDF metadata, as inspected by Ian) just 2 hours 50 minutes after the CTS-Labs report went live. You can read the full Viceroy Research report over here.
A quick lookup reveals that Viceroy Research (VR) is a short-selling group that gained notoriety (fame?) during the Capitec Bank saga, in which it triggered a massive downward correction in the bank's stock and successfully executed a short play (thanks, Wesley).
While it is not impossible to write a document of that length in under three hours, it is highly improbable, especially given the level of detail the report goes into. The more logical explanation is, of course, that VR already knew the report was coming. In fact, it would not surprise me to learn that CTS-Labs is simply a front for this latest Viceroy Research venture.
So now that we have a culprit, we also have an obvious motive: shorting AMD stock to make a quick buck. In fact, both CTS-Labs and Viceroy Research, very 'ethically', disclose that they could be doing just that. Viceroy Research's report even goes on to claim that "AMD is worth $0.00".
The nature of the disclosure becomes even more evident from the fact that AMD was informed just 24 hours before public disclosure, and some of the press was briefed before even that. To put this into perspective, security researchers usually follow a coordinated-disclosure window, commonly 90 days, during which the vendor has a chance to quietly patch the flaw before details go public. CTS-Labs released no technical details or proof-of-concept code to the public, so the exploits themselves have not been let loose in the wild; but they did release information that could materially move the stock price while the flaws were still unpatched.
Finally, it's also worth mentioning that CTS-Labs and Viceroy Research both state in their disclaimers that everything stated therein is opinion and not a statement of fact, shrugging off any liability for their actions. So in the same spirit, I would like to do that right now as well: everything you read in this article is my opinion and not a statement of fact, but it is, to the best of my ability, accurate and reliable. Does that really stave off liability? I wonder.
So are those flaws real? Yes, probably, but not as severe as CTS-Labs/Viceroy Research would have you believe, and certainly not on the same level as Spectre/Meltdown
Here's the thing though: despite everything I have written above, a security flaw needs to be judged on its own merits. If these flaws actually exist, then regardless of how shady the company is, whether or not it is a short play, or how much indication there is of this being a hit job, the issue must be addressed. That said, even if the flaws are real, they appear to have been exaggerated quite a bit. Before I go any further, here is a tweet from Dan Guido, CEO of Trail of Bits and the only outside security researcher who vetted and verified the exploits (as featured on the AMDFlaws website):
Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.
— Dan Guido (@dguido) March 13, 2018
So it looks bad, right? Well, while the bugs are definitely real, the question we need to ask in light of the financial context is: are they material? And the answer to that question is: probably not. There are multiple reasons for this, but before I go any further, you might want to hear it from the same person who vetted the bugs in the first place:
Meltdown and Spectre required novel research advances. In contrast, all of these latest flaws have been well understood since the 90s. They are not new foundational issues, they are well understood programming flaws.
— Dan Guido (@dguido) March 13, 2018
An additional data point that is material but was, umm, skimmed over by the CTS-Labs team is that, according to their own report, all of the exploits require administrator rights to work. That makes them a lot tamer than something that could be done without them: in CVSS terms, needing administrator privileges is the "Privileges Required: High" case, which lowers the severity score considerably. If a malicious agent already has administrator rights on your server, a new backdoor is hardly the biggest problem; everything on that server is already compromised. In other words, these exploits are a post-compromise step, not a way in.
That isn't the same as saying the exploits are useless or unimportant. Administrator rights inside one guest do not normally give an attacker control of the hypervisor or of other guests, and a backdoor planted in platform firmware survives an OS reinstall and sits below the reach of OS-level security tools. So these flaws could have very meaningful implications for the security of virtualized environments, and they will need to be remedied by AGESA/BIOS (firmware) updates and/or OS patches; a reinstall alone won't do it. All of this, however, is something companies like AMD and Intel deal with on a daily basis. The 90-day disclosure period is what allows them to get ahead of the curve by quietly patching the flaw before public disclosure, with the security researchers taking their due credit. But then again, an already-patched, non-novel security exploit hardly gets the kind of headlines that move a stock, now does it?
I will say this, however: the Chimera exploit, which concerns the ASMedia-built chipset rather than the CPU itself, seems like a very interesting attack vector and could cause some real issues for AMD, if that bit hasn't been exaggerated as well.
So is all of this legal? While I have no legal background, I will have to side with yes on this one. The clear disclaimers and the fact that the flaws are actually real (however exaggerated) mean that all of this is happening well within the ambit of the law. Remember, while a 90-day disclosure window is standard practice, researchers have no legal obligation to follow it.
Update: one thing worth mentioning is that motherboards for Intel platforms are likely affected by some of these flaws as well (particularly the ones that rely on the ASMedia controllers), because, just like AMD boards, Intel-platform boards commonly use ASMedia components. This is an inference from shared components, not something that has been verified.