
[Update] Security flaws discovered in AMD zen processors : AMD's meltdown?

Message added by WkdPaul

Please keep the conversation civil and respectful, as per the Community Standards;

Quote
  • Ensure a friendly atmosphere to our visitors and forum members.
  • Encourage the freedom of expression and exchange of information in a mature and responsible manner.
  • "Don't be a dick" - Wil Wheaton.
  • "Be excellent to each other" - Bill and Ted.
  • Remember your audience; both present and future.

 

https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research

 

Quote

As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.

 

AMD is working with ASMedia to fix their issues. BIOS & firmware updates will be coming out soon to address the issues. So, from AMD, we have confirmation this wasn't much of anything interesting. There's a problem here to be fixed, but it's nothing serious. This was, as I had honed in on a few days ago, very much more valuable in an Air Gap attack, but it was probably too hard to pull off to be worth anything to an Intelligence Service.


Lo and behold, it looks like I was correct.

 

https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research

 

 

On 3/15/2018 at 6:38 PM, ravenshrike said:

That being said, the 24 hour notice could easily very well be that CTS knows that patches to make the exploits in question exponentially more difficult or even impossible are relatively easy to create. After all, their disclaimer was explicitly that the entire hatchet job was their opinion which means they could be lying through their teeth about the difficulty of any fixes in order to maximize their short term financial position.

 

 


11 minutes ago, ravenshrike said:

 

Speaking of calls, I received a call from CTS lab, it appears they may all be unemployed soon...

But fear not. They'll come back on TV starring in "The housewives of computer security", your new and exclusive soap opera of genius!

"We posted that thing and out of the blue when AnandTech was calling us, we received a double call from Hollywood to begin our career because they loved our drama potential. You understand we had to finish the call with them, it was too important. It will be an no not to work for Viceroy studios!" said the random dude from CTS.

(Oh btw, good job on calling that!)


And the moral of today's story is that, no matter how hilariously unprofessional, sketchy, and seemingly unqualified a security research firm may be, we should definitely wait for their work to be reviewed before making the rash decision of ceaselessly defending your manufacturer of choice.

if you have to insist you think for yourself, i'm not going to believe you.


Great job from AMD putting out a bios update to completely remove all of these "bugs", that require a fully compromised system with full administrator rights. CTS is a joke seemingly involved in a blatant stock manipulation conspiracy. What an absolutely retarded ordeal.

Watching Intel have competition is like watching a headless chicken trying to get out of a mine field

CPU: Intel I7 4790K@4.6 with NZXT X31 AIO; MOTHERBOARD: ASUS Z97 Maximus VII Ranger; RAM: 8 GB Kingston HyperX 1600 DDR3; GFX: ASUS R9 290 4GB; CASE: Lian Li v700wx; STORAGE: Corsair Force 3 120GB SSD; Samsung 850 500GB SSD; Various old Seagates; PSU: Corsair RM650; MONITOR: 2x 20" Dell IPS; KEYBOARD/MOUSE: Logitech K810/ MX Master; OS: Windows 10 Pro


Just now, Notional said:

Great job from AMD putting out a bios update to completely remove all of these "bugs", that require a fully compromised system with full administrator rights. CTS is a joke seemingly involved in a blatant stock manipulation conspiracy. What an absolutely retarded ordeal.

I do wonder who their "Customer" was who asked for this paper :S I bet that customer paid quite a lot for a piece like that.


1 minute ago, SC2Mitch said:

I do wonder who their "Customer" was who asked for this paper :S I bet that customer paid quite a lot for a piece like that.

They paid too much, however it was.


1 minute ago, Taf the Ghost said:

They paid too much, however it was.

If it was a 'customer' who requested this for shorting stock, then that depends on how much they were betting on the short of stock and how much they made off of that short.  Of course, I think I read an article on this somewhere that AMD has requested the SEC to look into unusual activities related to stock trading shortly before the security issues went public.


On 3/18/2018 at 12:09 PM, Space Reptile said:

why are people still replying in this thread? 

 

oh i see, LAwLz is replying to every post trying to tell everyone it's real .....

yay

Oh boy, I bet you're embarrassed now that AMD has verified that the security holes are real.

;)

 

12 minutes ago, Notional said:

Great job from AMD putting out a bios update to completely remove all of these "bugs", that require a fully compromised system with full administrator rights. CTS is a joke seemingly involved in a blatant stock manipulation conspiracy. What an absolutely retarded ordeal.

Admin privilege is not the same as "fully compromised" because admin is not the highest privilege you can get.

Also, these are vulnerabilities. No need to put "bugs" in quotes.

I agree that it's good that AMD are planning on releasing updates for it though, and they were quick with the status update.


1 minute ago, LAwLz said:

Oh boy, I bet you're embarrassed now that AMD has verified that the security holes are real.

;)

don't just claim something, post proof

RyzenAir : AMD R5 3600 | AsRock AB350M Pro4 | 32gb Aegis DDR4 3000 | GTX 1070 FE | Fractal Design Node 804
RyzenITX : Ryzen 7 1700 | GA-AB350N-Gaming WIFI | 16gb DDR4 2666 | GTX 1060 | Cougar QBX 

 

PSU Tier list

 


2 minutes ago, LAwLz said:

Admin privilege is not the same as "fully compromised" because admin is not the highest privilege you can get.

Also, these are vulnerabilities. No need to put "bugs" in quotes.

I agree that it's good that AMD are planning on releasing updates for it though, and they were quick with the status update.


Injecting a malware ridden signed driver will compromise any piece of hardware ever. It's like saying there is a security hole in your home because the thief had a full set of keys to your front door and your security code for the alarm. Not really a security bug as such. I'm all for better security mind you, and I, of course, want any issue dealt with, but this issue is pretty much just theoretical in the real world.


Why are you all focused on "home users" when there's a whole other sector this affects on a larger scale?

Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 


13 minutes ago, Notional said:

Injecting a malware ridden signed driver will compromise any piece of hardware ever. It's like saying there is a security hole in your home because the thief had a full set of keys to your front door and your security code for the alarm. Not really a security bug as such. I'm all for better security mind you, and I, of course, want any issue dealt with, but this issue is pretty much just theoretical in the real world.

"Vulnerability" might be better.

 

Also, we're still skipping over CTS claiming ASMedia built back doors into their USB controller.


1 minute ago, ARikozuM said:
Quote

As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.


ah so as previously said, it's a NO SHIT SHERLOCK vulnerability, "at that point you might as well take the computer and leave" -Steve, GN


1 minute ago, Space Reptile said:

ah so as previously said, it's a NO SHIT SHERLOCK vulnerability, "at that point you might as well take the computer and leave" -Steve, GN

Why take an IBM computer's current data (example) when you can harvest all future data? 


3 minutes ago, Space Reptile said:


ah so as previously said, it's a NO SHIT SHERLOCK vulnerability, "at that point you might as well take the computer and leave" -Steve, GN

 

It wasn't so "no shit sherlock" for you when you were trying to convince everyone that @LAwLz was just making shit up and this wasn't even real.  lol.   You're funny.

 

On 3/18/2018 at 7:09 AM, Space Reptile said:

why are people still replying in this thread? 

 

oh i see, LAwLz is replying to every post trying to tell everyone it's real .....



yay


@LAwLz and @leadeater, do they mean administrative privilege as in "right-click, run as..." or just part of the IT team? It's been bugging me as UAC doesn't really defeat any of these unless computers were put on restricted access beforehand. 


I can't be half arsed to look for examples and maybe @LAwLz can verify, but I'm pretty certain "requires admin access" doesn't simply mean you need the username and password of an admin account. You can find a program running with elevated privileges that has a flaw in it. You can hook into the program through legitimate means, but with a specific payload that allows you to execute arbitrary code at that level.


Well, I think we all learned a few things from this thread and the whole situation at large. First, don't prematurely judge the severity of a security flaw based on information that is unrelated to the bug itself (in this case, the fact that CTS is shady as heck). Wait for more information. Second, this is a good example of how NOT to handle the reporting of exploits and other security-related issues. There's a reason why there's a generally accepted rule of 90 day notice before it goes public. It gives the company time to address it without everyone going crazy from all the bad news about their oh-so-loved company!

 

Oh, and fuck CTS. That's the most important bit.

Why is the God of Hyperdeath SO...DARN...CUTE!?

 

Also, if anyone has their mind corrupted by an anthropomorphic black latex bat, please let me know. I would like to join you.


13 minutes ago, ARikozuM said:

@LAwLz and @leadeater, do they mean administrative privilege as in "right-click, run as..." or just part of the IT team? It's been bugging me as UAC doesn't really defeat any of these unless computers were put on restricted access beforehand. 

Any account that has admin privileges and you either: Run the program as admin (UAC on), allow elevation of rights from UAC prompt or disable UAC meaning everything you run has elevated permissions.


Okay, here's an example but not really of not needing to know an admin account's credentials to attack a system. UPlay several years ago had a security bug, which according to Ubisoft's words:

Quote

The browser plugin that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they're being made. This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine.

 

Now if UPlay ran solely as a standard user, that wouldn't really present a problem. Except UPlay, to this day, continues to want elevated permissions to run for no reason other than it wants to access portions of the file system. Had this bug still existed in UPlay today, an attacker doesn't have to ask for my username and password, they just have to know I'm running UPlay and exploit this flaw.

Edited by M.Yurizaki
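
The flaw class described in the quoted Ubisoft statement, as an added example that is not part of the original post and is not Uplay's code: a launcher that lets the caller name the program, beside one that only accepts an ID from a fixed catalogue. The catalogue, install root, flag names and function names are all hypothetical.

```python
import os
import shlex

# Constructed sample data: game id -> executable path relative to the install root.
INSTALL_ROOT = "/opt/launcher/games"
CATALOGUE = {
    "game-a": "game-a/bin/game-a",
    "game-b": "game-b/start",
}
ALLOWED_FLAGS = {"--windowed", "--safe-mode"}


class LaunchRejected(Exception):
    """Raised when a launch request does not match the catalogue or flag policy."""


def build_command_vulnerable(request):
    """Pattern from the quote: the web-supplied string decides which program runs.

    Whatever privilege the launcher holds is handed to that program.
    """
    return shlex.split(request["cmdline"])


def build_command_hardened(request):
    """The caller picks a catalogue id; it never supplies a path or free-form args."""
    rel = CATALOGUE.get(request.get("game_id"))
    if rel is None:
        raise LaunchRejected("unknown game id")

    root = os.path.realpath(INSTALL_ROOT)
    exe = os.path.realpath(os.path.join(root, rel))
    # Defence in depth: a bad catalogue entry or a symlink must not escape the root.
    if os.path.commonpath([root, exe]) != root:
        raise LaunchRejected("executable outside install root")

    flags = request.get("flags", [])
    if any(flag not in ALLOWED_FLAGS for flag in flags):
        raise LaunchRejected("flag not allowed")

    # Returned as an argument list so it can be run without a shell.
    return [exe, *flags]
```

Neither function executes anything; both only return the command that would be run. Running the launcher itself without elevation limits what even a missed case can do.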

I wonder if AMD would be kind enough to release a bios update that stopped fanboys putting their head in the sand?

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


2 hours ago, leadeater said:

or disable UAC meaning everything you run has elevated permissions.

Sadly, in Windows 10 that's not necessarily the case (and yes, I run with UAC "disabled").  Even with UAC turned down to the lowest setting, you still have to right-click and run certain things as admin, unless they're set to explicitly request it from the system.


11 minutes ago, Jito463 said:

Sadly, in Windows 10 that's not necessarily the case (and yes, I run with UAC "disabled").  Even with UAC turned down to the lowest setting, you still have to right-click and run certain things as admin, unless they're set to explicitly request it from the system.

Not sure if it has been patched or blocked on Windows 10; haven't used it in a while

Boot to recovery use cmd Force accessibility to cmd prompt then

Forced guest or whatever to admin without ever logging in?
