[Update] Security flaws discovered in AMD zen processors : AMD's meltdown?

[NinjaQuick]

6 minutes ago, done12many2 said:

 

It's good to see that other people see it.

I think people understand the bugs are real, but it's more a matter of execution. The research publication is very obviously sensational and unprofessional in nature, and lots of users may be seeing the exploits of these bugs as being way worse than they really are. To respond ,users are polarizing their responses, making it sound like they are way less bad than they are.

 

However ,this IS LTT forums. Lots of armchair experts that learned security from youtube and 5 minutes of research.

[mynameisjuan]

18 minutes ago, NinjaQuick said:

Then you'd have a stagnant and uncomfortable Rd staff with really slow deployment and lots of unnecessary frustration. It is very common, even in top development houses, to have fully unconstrained users on workstations. Imagine automation runs requiring manual uac consent every run on every new build. Seems like a total nightmare.

Dont know about you but our dev staff is completely fine with no admin rights. You see its companies like you and the other guys that allow admin access and some how get infected and make it to databases and accounts and then are leaked online. There should always be admins only and there is group policy that can wave admin rights to specific programs, which again, if you IT dept had a brain could do. 

[Blademaster91]

1 hour ago, yian88 said:

CTS= intel damage control proxy unit?

AMD is fine intel is not.

No, they're some organization trying to short stock AMD to make a quick profit. According to Gamers Nexus, Intel had no part in this.

AMD is fine, as so far only a few of these vulnerabilities are remotely feasible to actually do in an actual IT environment.

Though i'm not surprised when it's AMD people assume "oh it's fine it won't affect us" yet if Intel had the same issue everyone would be kicking and screaming over it and saying they're switching to AMD lol.

 

[XenosTech]

6 minutes ago, mynameisjuan said:

Dont know about you but our dev staff is completely fine with no admin rights. You see its companies like you and the other guys that allow admin access and some how get infected and make it to databases and accounts and then are leaked online. There should always be admins only and there is group policy that can wave admin rights to specific programs, which again, if you IT dept had a brain could do. 

You know 90% of the time a company is breached it's usually from the users who have the least rights. Seen many a time whole companies ravaged by viruses and malware all because the secretary clicked on a link in her email in the spam folder.

[Razor01]

5 minutes ago, XenosTech said:

Sounds like me at work but only difference is I am part of the IT department lol

Its interesting to see how different companies operate and how similar in reality they operate, small to large.  There are always hoops to jump, red tape to side step, but the at the end what I have found was that if the IT department was slow to change, everything is slow for the entire corporation. 

[Tzomb1e]

1 minute ago, Razor01 said:

Its interesting to see how different companies operate and how similar in reality they operate, small to large.  There are always hoops to jump, red tape to side step, but the at the end what I have found was that if the IT department was slow to change, everything is slow for the entire corporation. 

Sometimes it is not the IT department that is slow to change.  I have been apart of a few different companies that the IT department has been chomping at the bit to upgrade or alter security practices, but they are not allowed to do so because of administrative choices or limitations from upper management outside of the IT department.  Not saying I agree with it, just that it happens both ways unfortunately.

[XenosTech]

2 minutes ago, Razor01 said:

Its interesting to see how different companies operate and how similar in reality they operate, small to large.  There are always hoops to jump, red tape to side step, but the at the end what I have found was that if the IT department was slow to change, everything is slow for the entire corporation. 

Well every other week we reconfigure the network because our gear is dying so stuff needs to be rerouted or stuff needs to be tested (backup images and what not)

[mynameisjuan]

2 minutes ago, XenosTech said:

You know 90% of the time a company is breaches it's usually from the users who have the least rights. Seem many a time whole companies ravaged by viruses and malware all because the secretary clicked on a link in her email in the spam folder.

Yeah no thats not true at all. First company I worked for had around a 1000 users....all fucking admin...was reimaging 4-5pcs a day due to malware. Next company I worked for I became director, removed all admin rights for all 1500 users and maybe scanned 1 a month if we were lucky. 

 

Most breaches are due to admin access and careless clicking, you obviously have never been in IT.

[XenosTech]

2 minutes ago, mynameisjuan said:

you obviously have never been in IT.

Nope, I just sit in this big office all day just breathing and talking to @leadeater in pms.

[mynameisjuan]

1 minute ago, XenosTech said:

Nope, I just sit in this big office all day just breathing and talking to @leadeater in pms.

Look, if you have experience with large companies then you will actually see how much admin access matters in terms of security and even IT management. Reimaging and transferring data is a waste of time for IT and actual downtime for user affected. From experience, its night and day. I dont know how large the company you work for is but you need more data to see it. While I dont do security, my last job as a director I got to work a lot with security admins that were required to pen test frequently, I learned a lot from them and could see hands on how much admin rights can mitigate. 

[sambarr]

17 minutes ago, mynameisjuan said:

Yeah no thats not true at all. First company I worked for had around a 1000 users....all fucking admin...was reimaging 4-5pcs a day due to malware. Next company I worked for I became director, removed all admin rights for all 1500 users and maybe scanned 1 a month if we were lucky. 

 

Most breaches are due to admin access and careless clicking, you obviously have never been in IT.

Yessss indeed.

[LAwLz]

1 hour ago, Gullerback said:

Seeing as other sec experts pretty much say, if you need root access your already vulnerable.  This seems more like market assassination especially with gamernexus' investigation into the companies all made within the last year/this year

See:

 

8 hours ago, LAwLz said:

1)

A lot of people think that admin in Windows is the highest form of privilege you can get on a computer. This used to be more or less true but that is no longer the case.

PSP (Platform Security Processor from AMD), ME (Management Engine from Intel), TrustZone (from ARM), Secure Enclave Processor (SEP from Apple) and the other variants of these functions outside of the OS and handles very low level security functions. It's very complex stuff and I won't even pretend to understand 1/100 of the things I've read. It doesn't help that companies are very hush hush about how they work, and won't release the source code for them either (although I do believe ARM has released an open source reference implementation).

 

In any case, the basis of the different implementations are all more or less the same. There is a chip inside the processor which is called the trusted execution environment (TEE). This is a separate, completely functional computer, inside your computer. You can basically imagine it as a VM. It has its own processor and RAM.

 

The TEE acts as a hardware based root of trust. It is supposed to be the one thing inside the entire computer which can 100% be trusted, and because of this it has privileges to do essentially anything. Or to put it in other terms, it is a "super admin" which your regular computer sometimes contacts to verify things for it.

 

In the iPhone the SEP is what handles all the fingerprint analysis and verification. Neither iOS nor the regular processor knows how to process the fingerprint data to validate that it is correct. That is completely left up to the SEP to handle. iOS basically just sticks the fingerprint into a black box which then spits out an answer to whether or not the fingerprint was correct. Even if you compromise iOS in its entirety, with root access and everything, you still can't for example decrypt encrypted files because neither the OS nor the processor knows how to do that. That's why the FBI struggled to unlock that iPhone.

 

The same thing is happening on laptops and desktops these days. Some functions are deemed as needing extra security and are therefore handed to the TEE to handle. Things like Device guard, credential guard, some types of DRM, system management mode, IOMMU and many more.

and:

2 hours ago, LAwLz said:

Getting access to the PSP is much worse than just having admin privilege.

Yes it is already a bad situation if someone with malicious intentions has admin privileges, but these exploits makes the situation worse.

 

If you want an analogy, think of this like the tsunami that hit Japan in 2011.

If getting admin privilege is the tsunami wave, then these exploits are the nuclear meltdowns that were caused as a result. They turn a bad situation into an even worse situation.

You don't ignore the nuclear meltdowns just because you think the wave was bad enough, right? You need to fix both.

 

 

Getting pretty tired of people trying to downplay this by saying "if you have admin access you're already screwed, so this doesn't matter".

 

Also, the age of the company doesn't matter. I mean, why would it? Does being a young company somehow make your statements less true?

Does being an older company make your claims more true?

Someone should tell blockbuster that their claims apparently have more credibility than Netflix since you know, Blockbuster is older.

[Razor01]

Just now, LAwLz said:

See:

 

and:

 

 

Getting pretty tired of people trying to downplay this by saying "if you have admin access you're already screwed, so this doesn't matter".

 

Also, the age of the company doesn't matter. Not one bit at all.

There are viruses and malware that don't need admin rights to do their thing too.

[mynameisjuan]

15 minutes ago, Razor01 said:

There are viruses and malware that don't need admin rights to do their thing too.

1. Viruses are not really a thing anymore

2. On a fully update OS, malware being able to cause a problem would be very rare. Zero days are really the only ones that stand out. 

[Razor01]

18 minutes ago, mynameisjuan said:

1. Viruses are not really a thing anymore

2. On a fully update OS, malware being able to cause a problem would be very rare. Zero days are really the only ones that stand out. 

 

 

Zero day attacks are enough for this type of approach for taking over PSP.  Bugs are always found and fixed, can't stop that.  OS's are so complex these days, its bound to happen.

[Taf the Ghost]

1 hour ago, LAwLz said:

It seems that way, but I don't think it's correct saying this is a Windows 10 issue. It's a hardware issue but the attack vector seems to be a Windows driver (not necessarily Windows 10 specific, most likely Windows in general). Also, the driver is the attack vector for some of the attacks, but not all of them.

Once the system is infected though, it should be operating system independent.

 

It could also be that they just haven't looked into the GNU/Linux drivers. Absence of evidence is not evidence of absence.

 

 

Edit: After thinking about it a bit more I am 100% sure that saying "it's a Windows exploit" is wrong.

Here is my rational for it. The PSP runs its own system which should not let the OS running along-side it modify it. It should just serve as a root of trust which the client OS contact to make decisions for it.

If we assume that the findings are true however (which I don't see any reason to doubt), then the way the PSP was designed makes it vulnerable to attacks from the OS running alongside it. Even if the attack is limited to just Windows as the "slave" OS, it's still a design flaw in the PSP. You wouldn't say the "attacker" is the one who has a vulnerability, right? It's the target that is vulnerable, and the target is the PSP.

 

Windows is just a proxy used to carry out the attack against the PSP. If I run aircrack-ng on GNU/Linux to attack a WEP network then it's not GNU/Linux that is vulnerable, it's the WEP network.

 

If I run these exploits on Windows to attack the PSP then it's not Windows that's vulnerable, it's the PSP.

Ryzen is only officially supported on Windows 10, which is why I said it is possibly a Windows 10 exploit, and given how much they talk about Microsoft's security tools, that seems to be where the testing was. However, getting malware on the SP opens up practically everything anyway.

 

Looking at the paper, "Two sets of manufacturer backdoors: One implemented in firmware, the other in hardware (ASIC)". Have we somehow missed they specifically said that ASMedia built backdoors into these chipsets?

 

Having a chance to read the paper closer, the attack on Ryzen can be patched, at worst. It piggybacks on a signed vendor driver that interacts with the SP. Where does one find said driver? "Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed." 

 

https://www.bleepingcomputer.com/news/security/security-flaw-in-amds-secure-chip-on-chip-processor-disclosed-online/

 

That's from back in January. So, yes, AMD can almost assuredly patch whatever issue they found, though I still think it's likely on MS's side.

 

Ah, and it finally clicked. I thought these looked like Nation State attack vectors. They are. It's just they're not useful enough to buy, which is why we got what we got. There's an attack vector against the SP that's probably patchable, and custom BIOS malware can be setup to work. There's a potential Air Gap attack with the chipset and bluetooth. These are specific, not general, attack vectors. This company probably tried to sell these at Zero Days but no one was buying, so they went about finding other means to gain value from the "finds".

[mynameisjuan]

1 minute ago, Razor01 said:

OS's are so complex these days, its bound to happen.

I will never argue against that. In my other comments I get mad when people get mad at companies for bugs. Programs can have over a million lines of code and finding those bugs are even harder. 

[Deus Voltage]

Perhaps a silly question; is there currently any AI-integrated security software in development that is specifically tailored for CPU/GPU? 

[Razor01]

1 minute ago, Deus Voltage said:

Perhaps a silly question; is there currently any AI-integrated security software in development that is specifically tailored for CPU/GPU? 

I think there is or heard of it being done, but the opposite is also being looked into AI driven malware is a concept too lol

[Sauron]

2 hours ago, LAwLz said:

Yes, but this flaw makes things a lot worse.

How many times do I have to repeat myself? This makes a bad situation even worse. Getting access to the PSP is far worse than "just" having admin privilege.

Of course it's bad, all I'm saying is this isn't like meltdown where you could be pwned through javascript without so much as a warning.

[Arika]

9 minutes ago, Sauron said:

Of course it's bad, all I'm saying is this isn't like meltdown where you could be pwned through javascript without so much as a warning.

Down playing it because it's not as bad as <other exploit> shouldn't even be an argument.

 

Why is everyone so upset about the latest mass shooting when the holocaust was worse?

 

They both suck but one doesn't diminish the other

[Sauron]

Just now, Sierra Fox said:

Down playing it because it's not as bad as <other exploit> shouldn't even be an argument.

 

Why is everyone so upset about the latest mass shooting when the holocaust was worse?

"Why are you comparing genocides to hardware vulnerabilities?" is a better question... the magnitude of the two things isn't even comparable.

 

There is a hardware vulnerability in amd chips; that's a fact and nobody has a problem with admitting that. Now, the next thing to ask is "how bad is it?" and "should I be worried?" and the answers to those questions are "moderately" and "only if you aren't careful", which is a hell of a lot better than meltdown. This doesn't mean I don't care or that I don't think it's an issue, it just means your digital life is not in immediate danger.

 

I'm also calling BS on the claim that this was somehow too serious to wait for the standard 3 months before announcing it to the public.

 

None of this has anything to do with downplaying anything, least of all mass shootings - perhaps tone down your hyperboles a bit or people will have a hard time taking you seriously.

[Arika]

14 minutes ago, Sauron said:

"Why are you comparing genocides to hardware vulnerabilities?" is a better question... the magnitude of the two things isn't even comparable.

 

 

An extreme example sure, but an example none the less

 

Quote

There is a hardware vulnerability in amd chips; that's a fact and nobody has a problem with admitting that.

24 pages would disagree. There are quite a few posts essentially stating that this is

• fake and it's a smear campaign
• Fake and paid for by Intel
• Fake and just a way to get more money
• Fake
• Etc

 

People are writing it off simply due to the circumstances of the release, does that make the flaws any less real? No, they have been confirmed by other independents yet there are still people who are refusing to accept this.

 

At this point people don't take me seriously because I'm an Intel shill apparently so any opinions I have on the matter are invalid or discredited. Do I care? Nope. I'll continue to buy what suits me at the time, the fanboys can do what ever the hell they want.

[LAwLz]

Ian Cutress is live on TechteamGB talking about it right now.

 

[Misanthrope]

30 minutes ago, Sierra Fox said:

An extreme example sure, but an example none the less

 

24 pages would disagree. There are quite a few posts essentially stating that this is

• fake and it's a smear campaign
• Fake and paid for by Intel
• Fake and just a way to get more money
• Fake
• Etc

 

People are writing it off simply due to the circumstances of the release, does that make the flaws any less real? No, they have been confirmed by other independents yet there are still people who are refusing to accept this.

 

At this point people don't take me seriously because I'm an Intel shill apparently so any opinions I have on the matter are invalid or discredited. Do I care? Nope. I'll continue to buy what suits me at the time, the fanboys can do what ever the hell they want.

Sorry but not "just" but also due to the fact that the described vulnerabilities require pretty damn compromised circumstances to compromise them further. As in once you have that much access to a system you can probably do some damage, maybe not as much but it's already fairly bad.