Coaxialgamer

[Update] Security flaws discovered in AMD Zen processors: AMD's Meltdown?

wkdpaul

Please keep the conversation civil and respectful, as per the Community Standards;

Quote
  • Ensure a friendly atmosphere to our visitors and forum members.
  • Encourage the freedom of expression and exchange of information in a mature and responsible manner.
  • "Don't be a dick" - Wil Wheaton.
  • "Be excellent to each other" - Bill and Ted.
  • Remember your audience; both present and future.

 

Message added by wkdpaul


20 minutes ago, Space Reptile said:

why are people still replying in this thread? 

 

oh i see , LAwLz is replying to every post trying to tell everyone its real ..... 



yay

The issues are real; however, they also probably apply to anything with a co-processor and an updatable BIOS.

 

Anandtech had a call with CTS:

  • They seem less professional than other groups; they did not know (or lied) about the rules governing security issues in Israel and irresponsibly released information about the issues after 24 hours.
  • There is still no explanation of how Viceroy could produce the 25-page report less than 3 hours after the exploits were released.
  • No CVEs were prepared, even though they worked for Unit 8200, the Israeli NSA.
  • Complete focus on how catastrophic this is and how AMD cannot fix these issues within months.

https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs

8 hours ago, Space Reptile said:

why are people still replying in this thread? 

 


What does sand look like from so close?


QuicK and DirtY. Read the CoC, it's like a guide on how not to be a moron.  Also I don't have an issue with the VS series.

Sometimes I miss contractions like n't on the end of words like wouldn't, couldn't and shouldn't.    Please don't be a dick,  make allowances when reading my posts.

On 3/13/2018 at 8:25 AM, VegetableStu said:

WHERE'S YOUR AMD NOW?!

 

(I kid please put down that nice pitchfork you have there my nose hurts)

Just gotta pick your poison. Intel bugs or AMD bugs? 

2 hours ago, mr moose said:

What does sand look like from so close?

Like tiny bits of obsidian. It's very pretty. The sound of the surf is nice as well. The fact of the matter is we have no clue about how serious these flaws actually are because the relevant authorities were not given significant time to study them, execute them, and attempt to fix or mitigate them due to the rather FUCKING obvious attempt at a hatchet job targeting AMD. All we actually know is what they can accomplish given effectively unlimited access to a system. This is about as useful in determining their impact as a pine cone used for toilet paper.

1 minute ago, ravenshrike said:

 This is about as useful in determining their impact as a pine cone used for toilet paper.

LOL now I can't get that picture out of my head

3 minutes ago, ravenshrike said:

 The fact of the matter is we have no clue about how serious these flaws actually are

 

This is the only bit of your post that is relevant. Until we know this, dismissing their importance is foolish. As has been made abundantly clear many times over in this thread, there is a difference between the cock sacks that tried to use these exploits for personal gain and the legitimacy of the exploits. No one here is defending or has defended CTS, but many of us want a proper investigation of the exploits. And to be honest, trivializing the exploits because people can't separate the two above-mentioned issues is disingenuous to all security in the tech world.

 

 


3 minutes ago, mr moose said:

but many of us want proper investigation of the exploits.

The clock for which started what, 5 days ago? Meanwhile you and Lawlz are Chicken Little-ing over them. The earliest you're going to see significant analysis on them is gonna be at least 2-3 weeks, and probably longer. Well, unless the fixes for them are really easy, which is still a possibility.

9 minutes ago, ravenshrike said:

The clock for which started what, 5 days ago? Meanwhile you and Lawlz are Chicken Little-ing over them. The earliest you're going to see significant analysis on them is gonna be at least 2-3 weeks, and probably longer. Well, unless the fixes for them are really easy, which is still a possibility.

How does that change anything we've said? So far you keep trying to argue that time of reporting and motivation for reporting have some sort of effect on the legitimacy of the threat.

 

That makes no sense and is conflating separate issues.


13 minutes ago, mr moose said:

How does that change anything we've said? So far you keep trying to argue that time of reporting and motivation for reporting have some sort of effect on the legitimacy of the threat.

 

That makes no sense and is conflating separate issues.

Meanwhile you and Lawlz are flagrantly conflating legitimacy and magnitude. The exploits exist, yes, and they appear to do what is claimed. But that is all that is known about them at this time. To say they are on par with or worse than Spectre/Meltdown is beyond premature until third parties do extensive in-depth testing.


Someone finally made a Star Troopers reference. We're done here. Close up the site, it's been nice knowing y'all. 


Cor Caeruleus Reborn v6


CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 

44 minutes ago, ravenshrike said:

To say they are on par with or worse than Spectre/Meltdown is beyond premature until third parties do extensive in-depth testing.

You are correct in saying that it is premature to claim these vulnerabilities are on par or worse than Spectre/meltdown.

I am not sure why you brought that up though because neither @mr moose nor I have said they are.

1 hour ago, ravenshrike said:

Meanwhile you and Lawlz are flagrantly conflating legitimacy and magnitude. The exploits exist, yes, and they appear to do what is claimed. But that is all that is known about them at this time. To say they are on par with or worse than Spectre/Meltdown is beyond premature until third parties do extensive in-depth testing.

I think the only person who suggested it was the equivalent of Meltdown is the OP.

 

Anyway, would you prefer the local police not respond to some kid's bomb threat because "obviously it was a kid who was trolling us", and it happens to be the real thing?

1 hour ago, ravenshrike said:

Meanwhile you and Lawlz are flagrantly conflating legitimacy and magnitude. The exploits exist, yes, and they appear to do what is claimed. But that is all that is known about them at this time. To say they are on par with or worse than Spectre/Meltdown is beyond premature until third parties do extensive in-depth testing.

That is completely untrue. Outside of the OP, I don't think anyone, and certainly not me, has made claims regarding the severity of the threats; we have always maintained it is an unknown and for that reason alone should not be dismissed as trivial.



Just saw the video of one of the exploits posted by CTS.

 

- Step 1: find a datacenter with an unlocked door.

- Step 2: place a gun to the head of an admin for root access to the hypervisor (because only an idiot lets the hypervisor access the public network).

- Step 3: load a custom BIOS.

- Step 4: profit?


I have speculation that what CTS disclosed may not really be a new vulnerability.

 

I made a reference to the x86 Memory Sinkhole flaw once or twice recently and something clicked in my mind. For those not familiar with the x86 Memory Sinkhole, it was a hardware flaw discovered by security researcher Christopher Domas and presented at Black Hat 2015. Here's the video of it:

The gist of the attack is:

  • This exploits a flaw with the implementation of the movable memory window of the Advanced Programmable Interrupt Controller (APIC). The flaw is that the APIC memory window can slide over the memory range where System Manager (basically the security part of Intel systems) lives. Through some carefully crafted instructions, you can tell System Manager to access and execute stuff in memory under your control.
    • According to Wikipedia, AMD licensed APIC from Intel starting with the Athlon. So APIC has lived with AMD for a long time.
  • The attacker installs and runs an "attack driver", which requires root access.
  • This driver invokes System Manager to execute memory outside of its own little bubble.
  • In the demonstration, System Manager was tricked into installing a rootkit into itself that sniffs the contents of the processor's registers. When a magic number appears in them, System Manager escalates the context to root privileges and anything run after is run as root.

If I understand it, Masterkey, Ryzenfall, and Fallout require the attacker to install tainted firmware which breaks the PSP. This sounds suspiciously similar to how Christopher attacked the demonstration machine. Christopher noted towards the end of his presentation (around 40:25) that in AMD's documentation, "the APIC window takes precedence over the SMRAM window." This is the flaw that Christopher used to attack Intel systems, meaning that AMD as of 2015 (I'm presuming he read the most recent one and AMD had kept it up to date) should be vulnerable to Memory Sinkhole.

 

The real question is whether or not AMD fixed Memory Sinkhole in Zen. I'd have no reason to believe AMD would've fixed it prior, because that was about when AMD was in full-on "new micro-architecture!" mode. And if Memory Sinkhole was not fixed in Zen and Zen is vulnerable to it, I wouldn't be surprised if CTS just prepackaged this flaw into something else and presented it as new.

 

EDIT: Some background research tells me Memory Sinkhole may be mitigated through software: http://blog.jacobtorrey.com/mitigations-to-the-memory-sinkhole

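The condition the post above describes, the APIC register window sliding over SMRAM, can be written down as a check on the IA32_APIC_BASE MSR. The following is an added example and not code from the post, from the CTS material or from Domas's talk: it decodes the MSR as the Intel SDM documents it (bit 8 BSP flag, bit 10 x2APIC enable, bit 11 xAPIC global enable, bits 12 up to MAXPHYADDR-1 the page-aligned physical base) and reports whether the 4 KiB APIC page overlaps a given SMRAM range. The legacy A0000h-BFFFFh SMRAM segment is architectural; the TSEG base and size and the MSR values built in main are constructed for illustration, and MAXPHYADDR is assumed to be 36. It models only the precondition of the attack, not what SMM code does once the window is misplaced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* IA32_APIC_BASE (MSR 0x1B) layout, per the Intel SDM:
 *   bit 8                  BSP flag
 *   bit 10                 x2APIC mode enable (registers via MSRs, no MMIO page)
 *   bit 11                 xAPIC global enable
 *   bits 12..MAXPHYADDR-1  physical base of the 4 KiB APIC register page
 * Everything else is reserved. */
#define APIC_BASE_BSP      (1ULL << 8)
#define APIC_BASE_X2APIC   (1ULL << 10)
#define APIC_BASE_ENABLE   (1ULL << 11)
#define APIC_WINDOW_SIZE   0x1000ULL
#define APIC_DEFAULT_BASE  0xFEE00000ULL

/* Legacy (compatibility) SMRAM segment, fixed by the architecture. */
#define LEGACY_SMRAM_BASE  0xA0000ULL
#define LEGACY_SMRAM_SIZE  0x20000ULL

struct apic_base {
    uint64_t base;      /* physical address of the APIC MMIO page */
    bool bsp;
    bool x2apic;
    bool enabled;
};

/* Decode a raw MSR value. On a real machine maxphyaddr comes from
 * CPUID 0x80000008; the examples below assume 36. */
static struct apic_base parse_apic_base(uint64_t msr, unsigned maxphyaddr)
{
    struct apic_base a;
    uint64_t phys_mask = (maxphyaddr >= 64) ? ~0ULL
                                            : ((1ULL << maxphyaddr) - 1);
    a.base    = msr & phys_mask & ~(APIC_WINDOW_SIZE - 1);
    a.bsp     = (msr & APIC_BASE_BSP) != 0;
    a.x2apic  = (msr & APIC_BASE_X2APIC) != 0;
    a.enabled = (msr & APIC_BASE_ENABLE) != 0;
    return a;
}

/* Half-open ranges [start, start+len). */
static bool ranges_overlap(uint64_t a_start, uint64_t a_len,
                           uint64_t b_start, uint64_t b_len)
{
    return a_start < b_start + b_len && b_start < a_start + a_len;
}

/* The Sinkhole precondition: the APIC MMIO page is live (xAPIC enabled and
 * x2APIC mode off, since x2APIC has no MMIO page) and that page overlaps
 * SMRAM. On parts where the APIC window takes precedence over SMRAM, SMM
 * code touching that page then reads and writes APIC registers instead of
 * its own memory. Returns true when the precondition holds. */
bool apic_window_hits_smram(uint64_t msr, unsigned maxphyaddr,
                            uint64_t smram_base, uint64_t smram_size)
{
    struct apic_base a = parse_apic_base(msr, maxphyaddr);
    if (!a.enabled || a.x2apic)
        return false;   /* no memory-mapped window to overlap anything */
    return ranges_overlap(a.base, APIC_WINDOW_SIZE, smram_base, smram_size);
}

/* Build the MSR value that would place the window at `base` with the given
 * flags. Used here only to construct inputs. */
uint64_t make_apic_base_msr(uint64_t base, bool bsp, bool x2apic, bool enabled)
{
    uint64_t v = base & ~(APIC_WINDOW_SIZE - 1);
    if (bsp)     v |= APIC_BASE_BSP;
    if (x2apic)  v |= APIC_BASE_X2APIC;
    if (enabled) v |= APIC_BASE_ENABLE;
    return v;
}

int main(void)
{
    /* Constructed values: the reset default, and a window relocated onto
     * legacy SMRAM. The TSEG range is made up; on real hardware it comes
     * from the chipset's TSEG base/limit registers. */
    const unsigned maxphyaddr = 36;
    uint64_t normal    = make_apic_base_msr(APIC_DEFAULT_BASE, true, false, true);
    uint64_t relocated = make_apic_base_msr(LEGACY_SMRAM_BASE + 0x1000, true, false, true);
    uint64_t tseg_base = 0xDF000000ULL, tseg_size = 0x800000ULL;

    printf("default window overlaps legacy SMRAM:   %s\n",
           apic_window_hits_smram(normal, maxphyaddr, LEGACY_SMRAM_BASE, LEGACY_SMRAM_SIZE) ? "yes" : "no");
    printf("relocated window overlaps legacy SMRAM: %s\n",
           apic_window_hits_smram(relocated, maxphyaddr, LEGACY_SMRAM_BASE, LEGACY_SMRAM_SIZE) ? "yes" : "no");
    printf("default window overlaps TSEG:           %s\n",
           apic_window_hits_smram(normal, maxphyaddr, tseg_base, tseg_size) ? "yes" : "no");
    return 0;
}
```

On a Linux host the raw value can be read from /dev/cpu/0/msr at offset 0x1B with the msr module loaded, and the same comparison run by the SMI handler on entry, before it trusts anything in SMRAM, is the shape of the software mitigations discussed for this flaw.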
5 minutes ago, M.Yurizaki said:

I have speculation that what CTS disclosed may not really be a new vulnerability.

 


Wasn't that presentation only made after AMD and Intel fixed the issue?


Just now, mr moose said:

Wasn't that presentation only made after AMD and Intel fixed the issue?

Intel independently discovered it and fixed it in Sandy Bridge. AMD is up in the air.

 

Christopher also likely only researched it in-depth on Intel systems before formally disclosing it, making it appear to be an Intel-only flaw.


AMD just posted an initial assessment of the CTS Labs findings, and it looks like they agree that there are some issues; however, they think they can mitigate all of this with some BIOS and firmware patches without impacting performance.

 

https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research

 

Quote

On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.
 
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

 

As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.

 


https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research

 


AMD is working with ASMedia to fix their issues. BIOS and firmware updates will be coming out soon to address the issues. So, from AMD, we have confirmation this wasn't much of anything interesting. There's a problem here to be fixed, but it's nothing serious. This was, as I had homed in on a few days ago, much more valuable in an air-gap attack, but it was probably too hard to pull off to be worth anything to an intelligence service.


Lo and behold, it looks like I was correct.

 

https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research

 

 

On 3/15/2018 at 6:38 PM, ravenshrike said:

That being said, the 24 hour notice could easily very well be that CTS knows that patches to make the exploits in question exponentially more difficult or even impossible are relatively easy to create. After all, their disclaimer was explicitly that the entire hatchet job was their opinion which means they could be lying through their teeth about the difficulty of any fixes in order to maximize their short term financial position.

 

 

11 minutes ago, ravenshrike said:

 

Speaking of calls, I received a call from CTS Labs; it appears they may all be unemployed soon...

But fear not. They'll come back on TV starring in "The housewives of computer security", your new and exclusive soap opera of genius!

"We posted that thing and, out of the blue, when Anandtech was calling us, we received a double call from Hollywood to begin our career because they loved our drama potential. You understand we had to finish the call with them; it was too important. It would be a no-no not to work for Viceroy Studios!" said the random dude from CTS.

(Oh btw, good job on calling that!)


And the moral of today's story is that, no matter how hilariously unprofessional, sketchy, and seemingly unqualified a security research firm may be, we should definitely wait for their work to be reviewed before making the rash decision of ceaselessly defending your manufacturer of choice.


hating popular things as a personality trait is infinitely more cringe than liking things unapologetically


Great job from AMD putting out a BIOS update to completely remove all of these "bugs", which require a fully compromised system with full administrator rights. CTS is a joke seemingly involved in a blatant stock manipulation conspiracy. What an absolutely retarded ordeal.


Watching Intel have competition is like watching a headless chicken trying to get out of a mine field

CPU: Intel I7 4790K@4.6 with NZXT X31 AIO; MOTHERBOARD: ASUS Z97 Maximus VII Ranger; RAM: 8 GB Kingston HyperX 1600 DDR3; GFX: ASUS R9 290 4GB; CASE: Lian Li v700wx; STORAGE: Corsair Force 3 120GB SSD; Samsung 850 500GB SSD; Various old Seagates; PSU: Corsair RM650; MONITOR: 2x 20" Dell IPS; KEYBOARD/MOUSE: Logitech K810/ MX Master; OS: Windows 10 Pro
