[Update] Security flaws discovered in AMD zen processors : AMD's meltdown?

[David89]

33 minutes ago, LAwLz said:

I don't have to repeat my claim to be right, because I am right.

Do you not understand how computers work? There is nothing here which requires physical access to the computer. Nothing at all. Not even the BIOS attack.

Can you please explain what you think is possible with physical access that isn't possible remotely on a computer?

 

Are you really going to try and discredit Dan Guido by saying he was paid by them? He is a security consultant which verified their findings as an independent third party.

He is also very known in the security industry.

First of all: Dan Guido said that himself.

 

Second: You just disqualified yourself from EVERY viable discussion with that kind of statement. How old are you? 14?

 

Third: I'm a Sysadmin, so i do actually know a few things about computers. I may not be a security expert, but i do know my way around secure systems. Let's assume those vulnerabilities are real. For Ryzenfall 1-4 the first step is to get through the VSM, which was introduced with Windows 10. After that, you'll need to get access to the LSASS (Local Security Authority Subsystem Service), which has also been reworked with Windows 10 (split in different and isolated threads that can't be accessed directly) and makes it pretty much impossible to gain any access to anything hardware related without any Admin rights. Now, even if you have full Admin rights: You need a driver that has write access to the PSP. After that you have to get the right Bios hashes for the bios in question.

Same applies to Fallout 1-3 - only difference is that it uses the Bootloader of the SP.

 

ALL of that implies however, that you've cracked the Microsoft VSM, which would give you access to EVERY system and not only AMD based ones. And you even need Admin rights to put Chimera to "use" - you'd also need physical access, because you have to restart Windows without the Driver Protection. Which is the case for all of those attacks, btw. So: you need physical access to ALL of those attacks, UNLESS someone has already deactivated the driver protection on that system.

So: 3 of those attacks need a bios flash. The rest of those need drivers. Ever tried to install drivers remotely on Windows? Ever tried to install - even signed but not vendor correct - drivers?

 

Basically, if you go through all of that trouble, EVERY System is vulnerable, not just an AMD one.

 

Still: There are NO technical details inside the Whitepaper from CST, so all of that are just assumptions based on what the results "should" be.

[leadeater]

14 minutes ago, LAwLz said:

@leadeater you got mad at me for maybe giving people the wrong idea about code signing just a few days ago right?

What do you think of people trying to discredit actual security research because of things like "their website has an inflammatory name" and "they have disabled youtube comments"? I find it quite sickening.

I wasn't really that mad, just tired and up too late and not giving much thought in to what I was typing. I wasn't really explaining my point very well which didn't help but off topic, unless you want to discuss somewhere else.

 

When something warrants a fair amount of "this could be bull crap" then scrutiny is fine. The youtube stuff is totally irrelevant though same goes with the domain registration date, that literally has nothing to do with anything so completely agree there. The content on said website, holy crap. See quote from it I posted.

[DoctorWho1975]

I posted of bunch of sketchy other things other then the YT channel but thats all you are looking at. Fine.. go short sell AMD if you believe this an issue, let us know how it works out. I heard Viceroy can give you advice on that.

[Curufinwe_wins]

4 minutes ago, DoctorWho1975 said:

I posted of bunch of sketchy other things other then the YT channel but thats all you are looking at. Fine.. go short sell AMD if you believe this an issue, let us know how it works out. I heard Viceroy can give you advice on that.

Over-hyped? Yes. Shady? Probably. Fake? Probably not. We have three different non-affilated security companies now confirming the existence and correctness of the exploits as reported.

 

[Sauron]

Doen't look nearly as bad as meltdown - not even in the same ballpark. The "master key" one is basically useless, if you're worried about attackers having physical access to your hardware you should be using full drive encryption and even hijacking the CPU doesn't help against that.

 

The rest are a bit vague, the crucial detail that is missing is whether or not the attacks can be performed without having the user install malware on their computer. Either way, this doesn't seem to be an issue that is deeply rooted in the chip architecture and I think a firmware update ought to be enough to fix it without crippling performance.

 

And yes, dick move to publish the vulnerability without waiting the customary 90 days.

[leadeater]

11 minutes ago, Curufinwe_wins said:

The best data mining is when your target never knows you were there and you get to leech indefinitely. That's literally 100% the optimal goal for these type of exploits (think government or corporate espionage). And this is 100% the best way to do it. Gain top level access for a moment (generally through social engineering), install your hopefully-undetectable backdoor, then get the fuck out and let the data roll in.

Yep agree, but these carry such an immense list of requirements to pull it off with multiple steps that would signal an issue for those targets along with at least 1 reboot required and then at will access to the computer remotely or something local on the system transmitting the data which is another detection point.

 

When you might have limited time access to a system you have deployable exploit scripts which puts everything in place. I'd see this as more of an issue that can be exploited somewhere in the supply chain, pre-infecting the computers and supplying them to the target.

[DoctorWho1975]

Gadi Evron is your source? A guy who "got permission" from the AMDFlaws.com guys (he couldn't say CTS Labs could he). Let's see some actual information, not from the CTS Labs circle jerk.

[Drak3]

11 minutes ago, leadeater said:

Then you also need a motherboard or OS that allows you to do a bios flash within the OS, reboot the system and then regain access to the system again after that.

Everything MSI and Dell makes  consumer and business wise, then. Don't know about enterprise, wouldn't surprise me though.

[LAwLz]

1 minute ago, David89 said:

First of all: Dan Guido said that himself.

What did he say exactly? I can't find a citation from him saying that you need physical access anywhere.

 

2 minutes ago, David89 said:

Second: You just disqualified yourself from EVERY viable discussion with that kind of statement. How old are you? 14?

Maybe?

 

3 minutes ago, David89 said:

Third: I'm a Sysadmin, so i do actually know a few things about computers. I may not be a security expert, but i do know my way around secure systems.

Oh I didn't know we were in a dick measuring content. Yes I am a sysadmin too. Am I credible now?

 

4 minutes ago, David89 said:

For Ryzenfall 1-4 the first step is to get through the VSM, which was introduced with Windows 10.

The white paper states that they are able to bypass the VBS including the credential guard, so that isn't really an issue for them.

 

7 minutes ago, David89 said:

After that, you'll need to get access to the LSASS (Local Security Authority Subsystem Service), which has also been reworked with Windows 10 (split in different and isolated threads that can't be accessed directly) and makes it pretty much impossible to gain any access to anything hardware related without any Admin rights.

Yes, and this is where the "you need a privilege escalation exploit" comes in. Again, this is an attack which requires admin privilege already. I have already said this over and over again.

 

8 minutes ago, David89 said:

Now, even if you have full Admin rights: You need a driver that has write access to the PSP. After that you have to get the right Bios hashes for the bios in question.

Same applies to Fallout 1-3 - only difference is that it uses the Bootloader of the SP.

That is only for some of the exploits. You're trying to bundle up the requirements for several exploits into sounding like you need all of them for any one of the exploits, which is not true.

Each group of exploit has its own set of requirements.

 

10 minutes ago, David89 said:

ALL of that implies however, that you've cracked the Microsoft VSM, which would give you access to EVERY system and not only AMD based ones.

Or just admin privilege, which has again and again been stated is a requirement. But this is worse than just having admin privileges, and these risks are not present on all other systems. These exploits, where they can for example execute arbitrary code on the security processor, is unique to AMD. The way these accesses restricted memory might also be unique.

 

12 minutes ago, David89 said:

So: you need physical access to ALL of those attacks, UNLESS someone has already deactivated the driver protection on that system.

Or just admin privilege...

 

12 minutes ago, David89 said:

Still: There are NO technical details inside the Whitepaper from CST, so all of that are just assumptions based on what the results "should" be.

The white paper contains a lot of technical details, just not any PoC, which has been seen by third party security researcher(s). When it comes to secuirty I think it is best to be on the safe side, and not assume everything is fine.

 

14 minutes ago, leadeater said:

The content on said website, holy crap. See quote from it i posted.

Yeah the viceroyresearch website is hilarious (in a bad way). I don't think that invalidates anything said in the white paper though.

[Curufinwe_wins]

4 minutes ago, leadeater said:

Yep agree, but these carry such an immense list of requirements to pull it off with multiple steps that would signal an issue for those targets along with at least 1 reboot required and then at will access to the computer remotely or something local on the system transmitting the data which is another detection point.

 

When you might have limited time access to a system you have deployable exploit scripts which puts everything in place. I'd see this as more of an issue that can be exploited somewhere in the supply chain, pre-infecting the computers and supplying them to the target.

Thus my comment about corporate and governmental espionage being the obvious and high profile uses for something like this.

 

It doesn't matter if it is ludicrously difficult to pull off ONCE, if you can do it and then sit on the system for a long time [for that type of hack]. It isn't something the general public needs to worry about. They aren't interesting enough for the effort to be worth it. 

[leadeater]

2 minutes ago, Drak3 said:

Everything MSI and Dell makes  consumer and business wise, then. Don't know about enterprise, wouldn't surprise me though.

Bit easier/safer on the server side. They run dual bios and have IPMI/iDRAC/iLO where you can do a lot of the firmware updates outside of the OS but with the OS running then you just reboot the server. Anything goes wrong, swap bios.

[Sauron]

29 minutes ago, leadeater said:

While fair, rather hilarious from that guy lol.

At least Torvalds doesn't disclose security flaws on day one for attention ¯\_(ツ)_/¯

@mr moose I wouldn't say it's hypocritical, he may be loud and obnoxious but he only throws companies under the bus when he believes they deserve it, and not without giving them a chance.

[Razor01]

2 minutes ago, Sauron said:

At least Torvalds doesn't disclose security flaws on day one for attention ¯\_(ツ)_/¯

@mr moose I wouldn't say it's hypocritical, he may be loud and obnoxious but he only throws companies under the bus when he believes they deserve it, and not without giving them a chance.

Err he just threw this company under the bus without giving them a chance.....

 

I shouldn't say this to the dark lord lol

 

Cool avatar man.

[LAwLz]

7 minutes ago, leadeater said:

Yep agree, but these carry such an immense list of requirements to pull it off with multiple steps that would signal an issue for those targets along with at least 1 reboot required and then at will access to the computer remotely or something local on the system transmitting the data which is another detection point.

 

When you might have limited time access to a system you have deployable exploit scripts which puts everything in place. I'd see this as more of an issue that can be exploited somewhere in the supply chain, pre-infecting the computers and supplying them to the target.

You don't need to reboot to execute a lot of them.

The only real requirement is having admin privilege, and that is not that hard (especially not through phishing).

 

5 minutes ago, DoctorWho1975 said:

Gadi Evron is your source? A guy who "got permission" from the AMDFlaws.com guys (he couldn't say CTS Labs could he). Let's see some actual information, not from the CTS Labs circle jerk.

"You have no third party source!"

"Oh you have one? Well it's just one so it doesn't matter!"

"Oh you have another one? Well that's still not enough!"

"Damn a third one? It's just CTS circle jerking!"

 

You will never be pleased, will you?

[Curufinwe_wins]

6 minutes ago, Sauron said:

At least Torvalds doesn't disclose security flaws on day one for attention ¯\_(ツ)_/¯

@mr moose I wouldn't say it's hypocritical, he may be loud and obnoxious but he only throws companies under the bus when he believes they deserve it, and not without giving them a chance.

Here is the thing though... without looking it up... do you know the name of the companies that discovered Meltdown? That discovered HeartBleed? etc etc. This is the company's first major discovery. While I don't agree with it... This is a massive opportunity to catapault them into the minds of the entire industry in an instant, and they can always just sign NDA's or etc with future companies that contract them out on the basis of these discoveries.

 

Not having a giant repertoire means that they kinda need to get every ounce of exposure they can from this before they fade back into nothingness.

4 minutes ago, Razor01 said:

Err he just threw this company under the bus without giving them a chance.....

 

[Blademaster91]

1 hour ago, Sierra Fox said:

This thread and the others about spectre

I'm just going to quote my self from earlier since I'm not talking about the context of these supposed flaws

That's my issue. Regardless of if it's real or not, this forum has an air of AMD can do no wrong and Intel can do no right.

The whole Spector meltdown debacle when it was announced that the issues were resolved the AMD side of things were along the lines of "yay AMD thank you for doing it so fast" Intel side was more "fuck you, it should never have happen in the first place"

Pretty much, though this forum isn't as bad as some other forums i've been browsing through. The worse thing is people just disregard the security flaws because of the source and them recently creating a Youtube channel or using stock images for a background when it doesn't mean much at all.

1 hour ago, Energycore said:

For me the biggest tell on this one is that the researchers violated standard procedure on the time given before public disclosure.

I'll admit that even though I personally can't find sketchy stuff about the HardOCP article, it is true that sketchy stuff from Intel/Nvidia is more likely to be reported in these forums. It might not be bias for AMD, for me personally it's more of a bad sentiment for companies that clearly don't mind doing shady stuff. If they have the history of doing it, every time they do it is more telling for me.

Lest we forget when ATi cheated on Futuremark Benchmarks back in the mid 2000s.

I expect this to die off by thursday.

The Nvidia GPP subject is just hearsay and rumors,sketchy at best until there is more proof, HardOCP editor having their own clear bias despising Intel & Nvidia with the rest of the thread being their echo chamber or risk the hammer if you disagree with him. You're forgetting about a more recent example,AMD RX560 rebrand that was actually a lesser GPU with no indication that it wasn't a real RX560,yet no one gave it a second look in comparison to the GTX970 fiasco.

1 hour ago, David89 said:

Personally, i REALLY would like to know, how and why Dan Guido has said anything at all. Many other Security Experts are saying that pretty much all of that is - at least until now - absolute bullcrap.

An attack doesn't need physical access for some of these exploits, why are you saying Dan Guido isn't a reliable source,just because he got paid for it even though they are an independent researcher?

[hobobobo]

3 minutes ago, Razor01 said:

Err he just threw this company under the bus without giving them a chance.....

to be fair, they deserve to be thrown under the bus for unethical conduct and the way all this whitepaper stuff is written, presented and handled, disregard validity of the info. Its their choice to do it this way, doesnt mean its ok and thay should be patted on the head for this

[Energycore]

Just now, Blademaster91 said:

The Nvidia GPP subject is just hearsay and rumors,sketchy at best until there is more proof, HardOCP editor having their own clear bias despising Intel & Nvidia with the rest of the thread being their echo chamber or risk the hammer if you disagree with him. You're forgetting about a more recent example,AMD RX560 rebrand that was actually a lesser GPU with no indication that it wasn't a real RX560,yet no one gave it a second look in comparison to the GTX970 fiasco.

That's right! It's a bit different but it's definitely obnoxious. So that's 2 cases now.

[leadeater]

5 minutes ago, Curufinwe_wins said:

Here is the thing though... without looking it up... do you know the name of the companies that discovered Meltdown? That discovered HeartBleed? etc etc

I'll do a John Oliver, the companies names were Big Research Company Co.  (You'll get the joke if you've watched a lot of Last Week Tonight)

[David89]

15 minutes ago, LAwLz said:

[SNIP]

the FRACK? Are you for real? The whole reason why "we" defend AMD is because THE ONLY thing that may be a real problem for AMD is the ASMedia Shit - and even that is probably not even AMDs fault. It's about the "HOW" this is going down. If there are security flaws - so be it. But that whole smear campaign against AMD is an absolute shitshow, because Intel has the same vulnerabilities in their ME. That's btw one big reason why many thousands signed an open letter to AMD to make their PSP OpenSource to prevent this kind of stuff.

 

The rest of all of those "vulnerabilities" are present on EVERY FRACKING system! Holy mother of Jesus are you dense. Btw, for a good read about why you are already FUC**D big time when code is running at those kinds of levels: https://blogs.msdn.microsoft.com/oldnewthing/20060508-22/?p=31283

 

I'm done here.

[Razor01]

Just now, hobobobo said:

to be fair, they deserve to be thrown under the bus for unethical conduct and the way all this whitepaper stuff is written, presented and handled, disregard validity of the info. Its their choice to do it this way, doesnt mean its ok and thay should be patted on the head for this

 

Well the problem with that is, if any of these come out to be real, Linus is on the hook, they can go after him.  And its not like he can do anything about it either.  But we are talking about a penny company vs Linus who can just wait it out for 1 year and make the problem go away on his end.  This other company though, they will be in the shitter by then.  Looking at their website, if they are legit, they don't have money man.  To me it looks like a guy that just started up.  He might have been one of the best of the brightest in school we don't know and starting doing this and came up this problem.

[Razor01]

Just now, David89 said:

the FRACK? Are you for real? The whole reason why "we" defend AMD is because THE ONLY thing that may be a real problem for AMD is the ASMedia Shit - and even that is probably not even AMDs fault. It's about the "HOW" this is going down. If there are security flaws - so be it. But that whole smear campaign against AMD is an absolute shitshow, because Intel has the same vulnerabilities in their ME. That's btw one big reason why many thousands signed an open letter to AMD to make their PSP OpenSource to prevent this kind of stuff.

 

The rest of all of those "vulnerabilities" are present on EVERY FRACKING system! Holy mother of Jesus are you dense. Btw, for a good read about why you are already FUC**D big time when code is running at those kinds of levels: https://blogs.msdn.microsoft.com/oldnewthing/20060508-22/?p=31283

ASmedia, and AMD, when ASmedia made what they had to make for AMD platforms, it becomes AMD problem by association.  AMD pays ASmedia , they outsourced their product to ASmedia, its AMD's product.

[Drak3]

10 minutes ago, leadeater said:

Bit easier/safer on the server side. They run dual bios and have IPMI/iDRAC/iLO where you can do a lot of the firmware updates outside of the OS but with the OS running then you just reboot the server. Anything goes wrong, swap bios.

High end MSI boards have dual BIOS too now. Which is nice, my system crashed running 4GHz via OCGenie & BIOS 1.2 quite awhile ago, and I've been running 4.5GHz manual & 1.0 for the past 3/4 of a year.

[hobobobo]

12 minutes ago, Razor01 said:

 

Well the problem with that is, if any of these come out to be real, Linus is on the hook, they can go after him.  And its not like he can do anything about it either.  But we are talking about a penny company vs Linus who can just wait it out for 1 year and make the problem go away on his end.  This other company though, they will be in the shitter by then.  Looking at their website, if they are legit, they don't have money man.  To me it looks like a guy that just started up.  He might have been one of the best of the brightest in school we don't know and starting doing this and came up this problem.

Apperently not smart enough to google proper conduct in such situation. Its not like securit jobs rely on public goodwill, so private talks with amd and 3rd parties would have garnered considerable amount of recognition anyway. And stock manipulation, even with this being real, is not out of the question by a longshot

 

Maybe im just jaded, but i always asume malevolent intent if there is any to be perceived

[Razor01]

Just now, hobobobo said:

Apperently not smart enough to google proper conduct in such situation. Its not like securit jobs rely on public goodwill, so private talks with amd and 3rd parties would have garnered considerable amount of recognition anyway. And stock manipulation, even with this being real, is not out of the question by a longshot

 

 

An unknown company with the ability to manipulate stock, is kind of unheard of.  The reason why meltdown and specter did was because the people that found those are well know, there was no second guessing.

 

Stock market swings are ruled by the big boys, large investment banks.  They really don't look at the rumor mill for information, that is a sure way to make a loss.

 

While I worked at Credit Suisse many years go, we were making a prototype AI trading system, before AI on a GPU was mainstream.  We took their automated pricing models and used them to teach the AI system, one of the variables was rumor mill but it had such a low weight it was inconsequential really.  The pricing models were done by the traders, so its what they use to trade on a day to day basis.