
[Update] Security flaws discovered in AMD Zen processors: AMD's Meltdown?

Message added by WkdPaul

Please keep the conversation civil and respectful, as per the Community Standards;

Quote
  • Ensure a friendly atmosphere to our visitors and forum members.
  • Encourage the freedom of expression and exchange of information in a mature and responsible manner.
  • "Don't be a dick" - Wil Wheaton.
  • "Be excellent to each other" - Bill and Ted.
  • Remember your audience; both present and future.

 

8 minutes ago, TechyBen said:

Spectre =/= Meltdown. Hence the difference. Ahem.

I know... but you're not understanding what I'm saying.


9 minutes ago, Energycore said:

For me the biggest tell on this one is that the researchers violated standard procedure on the time given before public disclosure.

[snip]

Alright, definitely comforting when someone expert in the matter agrees with one xD

I expect this to die off by thursday.

Not only did they violate standard procedure, they made an extremely bad choice to be in the same bed with a shady company that has a known history of manipulating stock markets with false claims.

 

I'm not that optimistic though. The only real positive thing is that AMD's PSP doesn't have the network stack built in, like Intel's ME. Even if AMD's PSP is as pitted as Swiss cheese, it won't matter, because they are not vulnerable from the outside.

 

Edit: About Dan Guido - he specifically states, he has been paid by CST and "all 13 Flaws have been confirmed", while others already laid waste to some of those flaws, because they are simply not flaws "per se".


19 minutes ago, Energycore said:

I expect this to die off by thursday.

Right, after the people who wanted to have gained all the money they set out to on the stock market. Hope it doesn't die out by Thursday, I hope anyone who gained any money from this gets thoroughly investigated to make sure there was no stock market manipulation going on and if there was throw the biggest book possible.

 

Regardless if said security issues are true these are separate issues, both could be legitimate or any combination thereof.

I would also like to reiterate 24 hours is not common, it's an extremely uncommon time frame of notification. Notification from the affected company to consumers can often be 24 hours, it's usually longer to people with paid support agreements. Security vulnerabilities usually have months of notice from the party that found it and notifying the affected parties to public disclosure, this is called Responsible Disclosure.

 

Quote

Developers of hardware and software often require time and resources to repair their mistakes. Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding these problems could cause a feeling of false security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing any future damage. Depending on the potential impact of the vulnerability, the expected time needed for an emergency fix or workaround to be developed and applied and other factors, this period may vary between a few days and several months. It is easier to patch software by using the Internet as a distribution channel.

 

Responsible disclosure fails to satisfy security researchers who expect to be financially compensated, while reporting vulnerabilities to the vendor with the expectation of compensation might be viewed as extortion. While a market for vulnerabilities has developed, vulnerability commercialization remains a hotly debated topic tied to the concept of vulnerability disclosure. Today, the two primary players in the commercial vulnerability market are iDefense, which started their vulnerability contributor program (VCP) in 2003, and TippingPoint, with their zero-day initiative (ZDI) started in 2005. These organisations follow the responsible disclosure process with the material bought. Between March 2003 and December 2007 an average 7.5% of the vulnerabilities affecting Microsoft and Apple were processed by either VCP or ZDI.[1] Independent firms financially supporting responsible disclosure by paying bug bounties include Facebook, Google, Mozilla, and Barracuda Networks.[2]

 

Vendor-sec was a responsible disclosure mailing list. Many, if not all, of the CERT groups coordinate responsible disclosures.

https://en.wikipedia.org/wiki/Responsible_disclosure

 

Ultimatums of disclosure are highly unprofessional.


35 minutes ago, Blademaster91 said:

Their reply wasn't about the details of the subject but how biased people are being about it, if this was about Intel everyone would be believing it.

Researcher and CEO of Trail of Bits, Dan Guido says all 13 vulnerabilities worked on their first attempt.

https://twitter.com/dguido/status/973628933034991616

Have you actually looked at the details of this? The sketchiness is pretty crazy.

 

 

 

 

If someone chooses to run all software in admin mode they have a bit more to worry about though yeah it's essentially a "blackbox" since AMD refused to make their secure processor open source so third party security firms could fill any potential holes.

Not saying it's not sketchy, just if it's real - it is scary until it gets patched. It alleges that it is possible to put a "sleeper" inside the CPU security enclave which will not be affected by an OS wipe/possibly a BIOS wipe. In this case it is a legit concern, since there is currently no way to know how the security enclave operates and the extent it can affect the whole network of systems.


19 minutes ago, Sierra Fox said:

The whole Spectre Meltdown debacle when it was announced that the issues were resolved the AMD side of things were along the lines of "yay AMD thank you for doing it so fast" Intel side was more "fuck you, it should never have happened in the first place"

My problem with that whole debacle was people failing to understand the entirety of the situation and cherry picking the worst parts of it. And also trusting another company's word on the matter just because they said so.

 

I mean heck, I was given flak already in this thread for saying you shouldn't trust AMD any more than Intel when it comes to security because they're just as bad in practice.


1 minute ago, leadeater said:

Right, after the people who wanted to have gained all the money they set out to on the stock market. Hope it doesn't die out by Thursday, I hope anyone who gained any money from this gets thoroughly investigated to make sure there was no stock market manipulation going on and if there was throw the biggest book possible.

Oh yeah, I don't hope that we by thursday forget about the scum that did this (though if you look at my status update AMD closed its trading day on relatively good bullish sentiment - will have to watch tomorrow's open to see the impact of these news).

 

What I meant to say, and sorry if I implied something else, is that these vulnerabilities aren't really significant enough for us to worry about. People smearing companies in the space is more important to my eyes.

3 minutes ago, leadeater said:

I would also like to reiterate 24 hours is not common, it's an extremely uncommon time frame of notification. Notification from the affected company to consumers can often be 24 hours, it's usually longer to people with paid support agreements. Security vulnerabilities usually have months of notice from the party that found it and notifying the affected parties to public disclosure, this is called Responsible Disclosure.

Yes this can't be said enough. The people who found this out didn't think "hey, we can help AMD resolve this" when they did. They most likely thought "hey we can turn this into FUD and profit from it".

 

Would you know if a company is obligated by law to notify the company a certain time before making it public, or is it only a dick move?


1 hour ago, apm said:

the exploits might be real but not usable in the wild, if an attacker has admin access and can just flash the bios you have a lot of bigger problems than these exploits.

a whitepaper without any technical details is not meant to protect the public, but to influence stockholders.

these exploits are theoretical, as far as I understand it you can't just mod a BIOS and flash Ryzen motherboards with it.

What exactly do you mean by "not usable in the wild"? The PoC is still not disclosed so the risk of it being out in the wild is fairly small. But like I said before, these exploits require some other exploit before they can be used.

They make a bad situation worse.

Also, these are not just theoretical. They have working code for them too.

 

 

47 minutes ago, Energycore said:

You say that, but do you have an example of this actually happening? When has AMD done something sketchy, but people in LTT written it off? I'd love to see it.

 

The fact that the vulnerabilities are real doesn't take away from the "smear campaign" as we're calling it, as the firm didn't notify AMD with enough time and they seem to have tipped people who talk about stocks.

 

EDIT: I should have read your whole post

About how you can benefit from this, there's a kind of stock trading you can do in certain exchanges where the exchange lends you some shares, then you sell them at a high price (sell them "short"), buy them lower, then give them back. Any money made because you bought lower than you sold is your profit. So given that and a bit of Occam's Razor leads me to conclude that this is most likely why they're doing this.

 

Whether or not legitimate or legal, this was done in bad blood imo.

Yeah I agree, but it is worrying to see so many people in this thread solely focus on that, while ignoring that these security issues are real.

 

 

30 minutes ago, DoctorWho1975 said:

Problem is to exploit these you would have to have enough access to pick up the computer and walk away with it. If you have that kind of access, there are more issues.

23 minutes ago, David89 said:

Having to need physical access to the machine is a must in all of those cases, so even IF there are real flaws in the System from "the inside" - what do they matter if the attacker has physical access to your machine?

This is completely false. You do not need physical access to use these exploits.

I repeat, you do NOT need physical access to use these exploits. Please stop saying this because it is false.

 

30 minutes ago, DoctorWho1975 said:

And what about Linux? Considering how much enterprise shit runs on Linux wouldn't you want to exploit it? I'm sure there are companies with EPYC processors, in a data center, who have no windows in their network.

What about Linux?

 

 

27 minutes ago, mr moose said:

The bias is certainly real when it comes to certain users.

I'd say it's more than just "certain users".

 

 

24 minutes ago, David89 said:

Personally, I REALLY would like to know how and why Dan Guido has said anything at all. Many other security experts are saying that pretty much all of that is - at least until now - absolute bullcrap.

And "many other security experts" are saying that this is not absolute bullcrap.

Why are you so hellbent on defending AMD and spreading misinformation about this?

 

 

 

23 minutes ago, Energycore said:

As for the latter, they seem to be unimportant as they require that your computer already be compromised.

This is a terrible mentality to have when it comes to security.

Just because an exploit requires an already compromised system doesn't mean it should be ignored.


Just now, LAwLz said:

This is a terrible mentality to have when it comes to security.

Just because an exploit requires an already compromised system doesn't mean it should be ignored.

Well, I'd rather they were addressed without me being notified because they showed up in the news xD

 

Am I lazy for that?


5 hours ago, Energycore said:

Isn't this against the law in some way? Every other vulnerability has been given months in advance before being announced. What gives?

It's just a common agreement between parties. If you go to the doctor, you have a "customary" charge for a physical, his charge for the physical, and the charge that your insurance charges. Your area's customary charge could be $20, the doctor charges $40, and the insurance charges $10. Nothing is put into law, it just is what it is.

Though, if anything I would have expected a month rather than a day. If they were seeking compensation, they're trying too hard to get it and set their bluff to fail.


The funny thing is, it didn't really cause a big swing on the stock market, did it? So I hope they find the one who pulled this shitty smear campaign. It's going to be extra funny seeing as they got nothing out of it.


3 minutes ago, Energycore said:

 

 

What I meant to say, and sorry if I implied something else, is that these vulnerabilities aren't really significant enough for us to worry about. People smearing companies in the space is more important to my eyes.

Yes this can't be said enough. The people who found this out didn't think "hey, we can help AMD resolve this" when they did. They most likely thought "hey we can turn this into FUD and profit from it".

 

 

Especially when registering a YT channel just THREE days before you are going to go public and the inflammatory domain name less than a month.


1 minute ago, Energycore said:

Would you know if a company is obligated by law to notify the company a certain time before making it public, or is it only a dick move?

Only a dick move unless it for some reason violates any computer security laws, depending on how dickish and how impactful it is it could trigger some form of government investigation, i.e. a Senate Inquiry, which to be clear isn't quite the same thing as a legal inquiry into any wrongdoings under law.


7 hours ago, Coaxialgamer said:

but only allowed them 24 hours instead of the customary 90 days, which is kind of a duck move in my opinion

Seems like it's still 13 zero days then.


lmao smear campaign. That's all it is. Nothing here can be done without local access to the PC and local privileges. Basically there's no need to do any of this cause you already have full access at the point where you can do any of them. Only way I could see this being exploited properly is if attackers got into the factories where these things were created and modified the master BIOS and microcode so it was put onto every processor, chipset, and BIOS before they were rolled out to the public.


1 minute ago, LAwLz said:

This is completely false. You do not need physical access to use these exploits.

I repeat, you do NOT need physical access to use these exploits. Please stop saying this because it is false.

 

And "many other security experts" are saying that this is not absolute bullcrap.

Why are you so hellbent on defending AMD and spreading misinformation about this?

 

Please prove me wrong with data. I'm sorry, but I give a crap about your statement if you can't back it up with something else than one guy on Twitter saying he had access to the technical reports. And I don't care if he has 13 years of experience, he's still only one guy.

And you repeating your claim won't make it right.

Those "many other security experts" are still (it's around 23:20, 13th March of 2018, Euro Time) only that one guy. Whereas at least four (!) said that it's highly unlikely to be having any impact.

And why are you so hellbent on making sure everyone believes ONE source?


2 minutes ago, straight_stewie said:

Seems like it's still 13 zero days then.

Not quite a zero day, but they have effectively made it one.

 

Quote

A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to those who would be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.[1] An exploit directed at a zero-day vulnerability is called a zero-day exploit, or zero-day attack.

 


The Tomshardware article states that:

Quote

A PSP security flaw was disclosed in the beginning of this year, but everyone’s attention quickly moved to Meltdown and Spectre after that.

So maybe they did give more than 24hr of notice?

 

 


8 minutes ago, David89 said:

 

Please prove me wrong with data. I'm sorry, but I give a crap about your statement if you can't back it up with something else than one guy on Twitter saying he had access to the technical reports. And I don't care if he has 13 years of experience, he's still only one guy.

And you repeating your claim won't make it right.

Those "many other security experts" are still (it's around 23:20, 13th March of 2018, Euro Time) only that one guy. Whereas at least four (!) said that it's highly unlikely to be having any impact.

And why are you so hellbent on making sure everyone believes ONE source?

 

 

Can you do bios flashes over the inet or network?  You have your answer then.


3 minutes ago, David89 said:

 

Please prove me wrong with data. I'm sorry, but I give a crap about your statement if you can't back it up with something else than one guy on Twitter saying he had access to the technical reports. And I don't care if he has 13 years of experience, he's still only one guy.

And you repeating your claim won't make it right.

Those "many other security experts" are still (it's around 23:20, 13th March of 2018, Euro Time) only that one guy. Whereas at least four (!) said that it's highly unlikely to be having any impact.

And why are you so hellbent on making sure everyone believes ONE source?

a guy who was even hired by the company in question.


14 minutes ago, Energycore said:

Well, I'd rather they were addressed without me being notified because they showed up in the news xD

 

Am I lazy for that?

That's not what you said though.

You said they were not important because your system already needed to be compromised.

 

 

12 minutes ago, DoctorWho1975 said:

 

Especially when registering a YT channel just THREE days before you are going to go public and the inflammatory domain name less than a month.

Serious question, why does everyone seem so focused on when they registered their YouTube channel and domain name?

I really can't see why this is relevant whatsoever. Would them having registered the YouTube channel 3 years ago have changed the situation in any way shape or form?

 

 

9 minutes ago, 8uhbbhu8 said:

Nothing here can be done without local access to the pc

This is false. Please stop repeating this.

You do NOT need local access to the PC. It can be done remotely, as long as you have some way of privilege escalation.

 

 

9 minutes ago, David89 said:

Please prove me wrong with data. I'm sorry, but I give a crap about your statement if you can't back it up with something else than one guy on Twitter saying he had access to the technical reports. And I don't care if he has 13 years of experience, he's still only one guy.

And you repeating your claim won't make it right.

I don't have to repeat my claim to be right, because I am right.

Do you not understand how computers work? There is nothing here which requires physical access to the computer. Nothing at all. Not even the BIOS attack.

Can you please explain what you think is possible with physical access that isn't possible remotely on a computer?

 

 

5 minutes ago, Razor01 said:

Can you do bios flashes over the inet?  You have your answer then.

Yes you can. Here is an article about it from American Megatrends' own website.

But even if you couldn't, only 3 out of the 13 security vulnerabilities require a BIOS flash. That would leave 10 other security holes open even if it wasn't possible to remotely flash BIOSes (which it is).

 

 

1 minute ago, apm said:

a guy who was even hired by the company in question.

Are you really going to try and discredit Dan Guido by saying he was paid by them? He is a security consultant which verified their findings as an independent third party.

He is also very known in the security industry.


Just now, Razor01 said:

 

 

Can you do bios flashes over the inet?  You have your answer then.

No. I don't, because either I completely misunderstood how the PSP and UEFI work, or I am right in that those are separated "enough" so that this can't be exploited in that way. Also, at least on my board I have to have the UEFI network stack enabled to flash over the Internet, which I don't, and as a sysadmin it is standard policy in many companies to also turn that feature off.

3 minutes ago, dtaflorida said:

The Tomshardware article states that:

A PSP security flaw was disclosed in the beginning of this year, but everyone’s attention quickly moved to Meltdown and Spectre after that.

So maybe they did give more than 24hr of notice?

Timeline
========
09-28-17 - Vulnerability reported to AMD Security Team.
12-07-17 - Fix is ready. Vendor works on a rollout to affected partners.
01-03-18 - Public disclosure due to 90 day disclosure deadline.

Everyone's attention moved to Meltdown and Spectre, because the PSP was already fixed.


17 minutes ago, Energycore said:

Yes this can't be said enough. The people who found this out didn't think "hey, we can help AMD resolve this" when they did. They most likely thought "hey we can turn this into FUD and profit from it".

 

Would you know if a company is obligated by law to notify the company a certain time before making it public, or is it only a dick move?

I don't think it's productive to restrict when a person can or cannot publicly disclose a vulnerability. Though I think in some countries (like Germany), there are laws in place that if the reporter had malicious intent, they can be criminally charged.

 

However, I think there should be laws in place that also protect the reporter from retaliation if the disclosure was in good faith. I keep thinking there were reports of people discovering a flaw, only to be threatened with legal action because they had the "gall" of reporting it. Poking around in software somehow can fall under "derivative works" as far as copyright law goes.


None of these vulnerabilities can be exploited remotely, you need to gain access to the system before you can attempt any of these attacks. You could gain access to said system(s) over the internet, but the exploits mentioned in this require local system access before they can be used.

I'm not surprised to see this, however, I have my suspicions about this being a smear campaign. I would like to see AMD's response to this.


Just now, do_root said:

None of these vulnerabilities can be exploited remotely, you need to gain access to the system before you can attempt any of these attacks. You could gain access to said system(s) over the internet, but the exploits mentioned in this require local system access before they can be used.

I don't think "local system access" means what you think it means.

What you need is a local admin privilege. That can be done remotely. It means local as "running on the computer", not local as in "you need physical access to the computer".


By the way, did anyone make archives of the original articles rolling out? I'd love to see the "iterative journalism" at work. I'm guessing they are adding a lot of weasel words to their initial press releases right now, or flat-out removing them.

 

I was a little busy this afternoon so had no time to archive everything.
