
[Update] Security flaws discovered in AMD zen processors : AMD's meltdown?

Message added by WkdPaul

Please keep the conversation civil and respectful, as per the Community Standards;

Quote
  • Ensure a friendly atmosphere to our visitors and forum members.
  • Encourage the freedom of expression and exchange of information in a mature and responsible manner.
  • "Don't be a dick" - Wil Wheaton.
  • "Be excellent to each other" - Bill and Ted.
  • Remember your audience; both present and future.

 

CTS, a research group, has discovered potentially up to 13 flaws affecting Zen-based CPUs (this includes Ryzen, Ryzen Pro, Threadripper and EPYC) which could allow a malicious attacker to take control of a computer and/or access secure data that would usually stay out of reach.

CTS has contacted AMD, but only allowed them 24 hours instead of the customary 90 days, which is kind of a duck move in my opinion.

Quote

 

Researchers have discovered critical security flaws with AMD's chips, allowing attackers to access sensitive data from highly guarded processors across millions of devices.

Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer.


Quote

Researchers from CTS-Labs, a security company based in Israel, announced on Tuesday that they found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on it. AMD's Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. 

Quote

The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days notice, so companies have time to address flaws properly.

"At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings," an AMD spokesman said.

Quote

Master Key:

 

When a device starts up, it typically goes through a "Secure Boot." It uses your processor to check that nothing on your computer has been tampered with, and only launches trusted programs.

The Master Key vulnerability gets around this start-up check by installing malware on the computer's BIOS, part of the computer's system that controls how it starts up. Once it's infected, Master Key allows an attacker to install malware on the Secure Processor itself, meaning they would have complete control of what programs are allowed to run during the start-up process.

 

Ryzenfall

This vulnerability specifically affects AMD's Ryzen chips, and would allow malware to completely take over the secure processor. 

That would mean being able to access protected data, including encryption keys and passwords. These are regions on the processor that a normal attacker would not be able to access, according to the researchers.

If an attacker can bypass the Windows Defender Credential Guard, it would mean they could use the stolen data to spread across to other computers within that network. 

Fallout

Like Ryzenfall, Fallout also allows attackers to access protected data sections, including Credential Guard. But this vulnerability only affects devices using AMD's EPYC secure processor. In December, Microsoft announced a partnership with for its Azure Cloud servers using AMD's EPYC processor.

Chimera

Chimera comes from two different vulnerabilities, one in its firmware and one in its hardware.

The Ryzen chipset itself allows for malware to run on it. Because WiFi, network and Bluetooth traffic flows through the chipset, an attacker could use that to infect your device, the researchers said. In a proof-of-concept demonstration, the researchers said it was possible to install a keylogger through the chipset. Keyloggers would allow an attacker to see everything typed on an infected computer.

Source (cnet) 

https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/

 

I honestly don't know what to say, but this is bad. Let's hope a patch comes in quick that doesn't cripple performance.

 

Update: AMD has released a brief statement regarding the issue:

http://quarterlyearnings.amd.com/news-releases/news-release-details/view-our-corner-street-0

Quote
We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops.

 


So just 24Hrs further notice to AMD? Bad action from whoever found these bugs.


As scary as it sounds, this sounds like an Intel IME kind of exploit.


DON'T PANIC!

 

It happens. It'll get fixed. It'll be forgotten soon enough. How many are still worried about Meltdown/Spectre? It isn't over, but the scaremongering news is over and it's pretty much business as normal for most.


4 minutes ago, VegetableStu said:

I just read the source whitepaper from the researchers themselves. Are they strictly hacks that can only be initiated with in-person access?

(also any idea if updating BIOSes in an active Windows environment is a thing?)

Regarding Masterkey:

Quote
Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update.

That's like saying "you can exploit Windows by installing a botnet on the target machine" and claiming Windows has flaws.


This isn't aimed at the average Joe with an R5; it's mostly for companies. It can affect us all (not me exactly, I have Intel) but they have much more to lose.

While I'm sure there's some validity to this, it is highly suspicious. It's a company formed in 2017 with 3 employees. They are a consultancy firm. It seems their entire existence has been based on being paid to find exploits on AMD products. I wonder if Intel is funding this. The whole 24-hour notice and creating an entire website around it is classic con artist strategy. I also noticed the white paper emphasized "Taiwanese" a lot. Seems targeted at US institutions.

 

The vulnerabilities are many and look bad, but it does seem like a lot of it is based around physical access or user error rather than remote exploit. I hope AMD has a reasonable response.

 

I do think it's a smear campaign though. Regardless of the validity.


31 minutes ago, Coaxialgamer said:

I honestly don't know what to say, but this is bad.

Honestly this is bad, but mostly from the perspective that this is clearly a hit piece and will likely have legal ramifications for CTS Labs and their benefactor. @rcmaehl does a great job breaking down why this is the textbook definition of yellow journalism.

 

Adding to that, since the domains for both sites were registered around the time Intel was notified of Spectre and Meltdown, this is more than likely a smear campaign put together by Intel to take some of the air out of the Ryzen 2 release next month.


Just now, snortingfrogs said:

This is pretty darn big.


Shame your post isn't. 


3 minutes ago, M.Yurizaki said:

Someone already pointed out that this isn't so much an exploit as downloading and installing a virus.

Well, Intel paid for the "independent research", so they need to use all the scary-sounding words.

4 minutes ago, snortingfrogs said:

The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing this report.

Isn't this against the law in some way? Every other vulnerability has been given months in advance before being announced. What gives?


Just now, Energycore said:

Isn't this against the law in some way? Every other vulnerability has been given months in advance before being announced. What gives?

It's not a law, it's just a gentlemen's agreement balancing giving the developer time to fix it against letting everyone else know there's a problem. And the only way to know your system is fixed is to know how to exploit it and see the exploit fail.

1 minute ago, Energycore said:

Isn't this against the law in some way? Every other vulnerability has been given months in advance before being announced. What gives?

 


Just now, M.Yurizaki said:

It's not a law, it's just a gentlemen's agreement between giving the developer time to fix it and letting everyone else know there's a problem.

I think this should have been handled in a similar manner to Spectre and Meltdown. At least patches would have been in place for some of them. 


1 minute ago, Energycore said:

Isn't this against the law in some way? Every other vulnerability has been given months in advance before being announced. What gives?

Well, that was when Intel was involved also; this only affects AMD as far as I can tell, so I consider them lucky they even gave them 24 hours...

7 minutes ago, Some Random Member said:

Well, Intel paid for the "independent research", so they need to use all the scary-sounding words.

Source?

It's not mentioned in the article linked.


6 minutes ago, Energycore said:

Isn't this against the law in some way? Every other vulnerability has been given months in advance before being announced. What gives?

Nope. The reason why other vulnerabilities, such as those discovered by Google, are given months of time before public disclosure is because the researchers are being nice and acting responsibly. They have no obligation to do so, however.

It's actually not that uncommon for people and companies to publicly announce vulnerabilities as soon as they are discovered, or, as in this case, to give only 24 hours.

50 minutes ago, rcmaehl said:

This all screams smear campaign

How can one, at this point, believe it not to be such? All you really need for this conclusion is the name of that website. They even say shit like

Quote

Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports

in their disclaimer on that site...

 

Not to mention that all of those "flaws" seem to require admin privileges on the computer, direct access to said computer or even tampering with the hardware, like the BIOS thing. Seriously, how can you even call it a flaw when you must hack the motherboard's BIOS for it to exist in the first place?

Just now, imreloadin said:

Well that was when Intel was involved also, this only affects AMD as far as I can tell so I consider them lucky they even gave them 24 hours...

I don't care what bias researchers have, standard procedure calls for 90-180 day wait times and this should be called out. We should call it out if it's Samsung, AMD, Nvidia, Qualcomm or any other company.

Just now, rcmaehl said:

 

Thanks for the info, good catch.


Just now, LAwLz said:

Nope. The reason why other vulnerabilities such as those discovered by Google are given months of time before public disclosure is because they are being nice and acting responsibly. They have no obligation to do so however

They're not obligated by law, but this should be treated just like a breach of journalism code (you know which incident I'm referring to, let's not discuss whether or not that was a breach). If a journalist shows blatant disregard for such code, it's on us to call them out and ultimately stop consuming their media.

 

Now we as consumers can't do anything about these researchers, but at the very least we should call the wankers out as wankers.

 

Either way this doesn't seem legit, looking at @rcmaehl's info.
