
[Update] Security flaws discovered in AMD zen processors : AMD's meltdown?

Message added by WkdPaul

Please keep the conversation civil and respectful, as per the Community Standards;

Quote
  • Ensure a friendly atmosphere to our visitors and forum members.
  • Encourage the freedom of expression and exchange of information in a mature and responsible manner.
  • "Don't be a dick" - Wil Wheaton.
  • "Be excellent to each other" - Bill and Ted.
  • Remember your audience; both present and future.

 



12 minutes ago, Suika said:

I entered this thread to watch people ceaselessly protect the manufacturer of their choice and I have not been disappointed.

 

The Gamers Nexus video on the matter is pretty good, here's a link for those who haven't seen it.

 

Regardless of the legitimacy of the proposed attacks... If the bad guy has physical access to your machine, not to mention, elevated privileges... You should automatically assume the worst, with or without an extra little exploit (that sounds like extra effort).

18:24 was a rather interesting part. Unsurprisingly, flashing a modified BIOS onto a system is a security risk for any system by any manufacturer; a unique risk it is not.

 

Really glad he contacted the security experts he used for the Meltdown/Spectre coverage.


3 minutes ago, VegetableStu said:

is it important if it's just serving text to visitors one way? o_o

Yes, because it's at least a halfway decent method to make sure the site is actually who it says it is, and you can cross-verify certificate details. It's not perfect because literally anyone can get a cert, but it's something, plus it's a freakin security firm.

 

Also it helps ensure no cross site scripting attacks are happening, ya know security ;).


8 hours ago, David89 said:

The whole reason why "we" defend AMD is because THE ONLY thing that may be a real problem for AMD is the ASMedia Shit - and even that is probably not even AMD's fault.

1) So you don't think the other 11 issues brought up are real issues? It is ONLY the ASMedia issues that need to be fixed according to you? Everything else is fine? I have to strongly disagree with you there.

2) It doesn't matter whose fault it is. What matters is who it affects. If someone came out and said "Meltdown isn't Intel's fault. It was actually Jerry over at VIA that caused this entire thing" would you just go "Oh, then it doesn't need fixing and everything is fine"? I don't think so.

 

8 hours ago, David89 said:

If there are security flaws - so be it. But that whole smear campaign against AMD is an absolute shitshow, because Intel has the same vulnerabilities in their ME.

Did you live under a rock while the ME thing was going down? Intel got a massive amount of shit for it. I don't think I saw even a single person as much as defend Intel over that fuckup. If we assume this is "the same vulnerabilities" then it only makes sense AMD gets as much shit, and yet there is a completely different reaction and people are barely talking about the security issues at all.

 

8 hours ago, David89 said:

The rest of all of those "vulnerabilities" are present on EVERY FRACKING system! Holy mother of Jesus are you dense. Btw, for a good read about why you are already FUC**D big time when code is running at those kinds of levels: https://blogs.msdn.microsoft.com/oldnewthing/20060508-22/?p=31283

No, these vulnerabilities are not present on "every fracking system". They are AMD specific. There might be similar issues on other platforms, such as the ME issues you brought up, but I don't see why that matters. It's not like issues on one platform excuses issues on another.

That is clearly some fanboy mentality where you're very focused on who appears "best", AMD or Intel.

AMD fucked something up? Then I must point out an issue with Intel so that Intel doesn't appear to be better!

Stop it.

 

Also, that link has some valid points, but they are not really relevant to this. With this attack, a program running as admin can do things such as read protected memory from other processes, or run code from the embedded security processor. Both of these things are not things taken into consideration in that blog post. Like I have said over and over now, this makes a bad situation worse.

Just because they rely on another attack doesn't mean they aren't an issue.

 

 

6 hours ago, Taf the Ghost said:

Has anyone found proof that this can work with anything but Physical Access? (At which, there's 1000s of approaches if true.)

Yes, it works without physical access.

I don't understand why people suddenly think so many exploits need physical access. The only time an exploit requires physical access is for things like exploits using a microphone, camera, replacing physical hardware or things like that.

When it comes to executing code, you never need physical access. Everything you can do with a mouse and keyboard, can also be done remotely.

 

6 hours ago, Taf the Ghost said:

but you need physical access for that to work.

No you don't.

For the love of God where do you people get all this misinformation from?

YOU DO NOT NEED PHYSICAL ACCESS TO DO ANY OF THESE ATTACKS.

 

1 hour ago, Vode said:

Requiring to flash the BIOS and physical access to the machine...

Neither flashing the BIOS nor physical access are required.

Stop repeating this misinformation, please.

 

18 minutes ago, TOMPPIX said:

smear campaign, ignore these "vulnerabilities".

It seems to be a smear campaign, but the vulnerabilities are real and should NOT be ignored.


10 minutes ago, LAwLz said:

but the vulnerabilities are real and should NOT be ignored.

got any proof?


18 minutes ago, TOMPPIX said:

got any proof?

Yes, several independent researchers have verified that working PoCs exist.

The thing is that this new company has a rather unique way of disclosing things.

Also, with security you want to be on the side of caution. It is foolish to assume you're safe even when security researchers say they have found issues.

 

They make the overall idea of the attack known to the public, while making the PoC and other technical details available to some select companies (such as AMD and other security firms).

 

I do not have working code to post if that's what you want as proof, but what I do have are several well known people in the security industry saying that they have verified that the code exists and works as described.

 

 

https://twitter.com/dguido/status/973628511515750400

and

https://twitter.com/gadievron/status/973655430441373696

 

 

Also, if you read the white paper it becomes very apparent that the people who wrote it have a good understanding of processors and security. Despite what people are saying, the white paper does contain a lot of information and makes sense.


8 hours ago, mr moose said:

 

His historical attitude toward Nvidia/Intel has been nothing short of childish while the first hint of something wrong with AMD and he's guns blazing.   I'd call that hypocritical.

intel was given a lot more time... and they downplayed the issue.



1 minute ago, Sauron said:

intel was given a lot more time... and they downplayed the issue.

 

The downplaying is clearly a matter of opinion. Not sure how the time they were given changes anything; we didn't need Torvalds to tell us that 24 hours was a BS call. Torvalds is a self-righteous prick that has shown his colors enough times that his opinion means nothing.



I don't know if it's real or a scam. Still, I think this is actually the industry's fault; AMD/INTEL/... should be the ones actively searching for these faults and dealing with them, but it seems that they either can't or won't (probably the latter, in my personal opinion), so it's really no surprise that things like this come up. They kind of made their bed for this type of scam. It shouldn't be Google doing the industry's work, nor is it reasonable for them to find what the industry didn't find for a large number of years.

It's like if McDonald's were in the burger making business but couldn't care less about quality.

 

 



29 minutes ago, LAwLz said:

Yes, several independent researchers have verified that working PoCs exist.

The thing is that this new company has a rather unique way of disclosing things.

Also, with security you want to be on the side of caution. It is foolish to assume you're safe even when security researchers say they have found issues.

 

They make the overall idea of the attack known to the public, while making the PoC and other technical details available to some select companies (such as AMD and other security firms).

 

I do not have working code to post if that's what you want as proof, but what I do have are several well known people in the security industry saying that they have verified that the code exists and works as described.

 

 

https://twitter.com/dguido/status/973628511515750400

 

 

Also, if you read the white paper it becomes very apparent that the people who wrote it have a good understanding of processors and security. Despite what people are saying, the white paper does contain a lot of information and makes sense.

Other researchers without any financial gain, i.e. not paid to review and not given guidance on how to use the exploits have questioned the validity of these vulnerabilities or have pointed out that the level of access and the steps used are not specific to AMD. In other words while the exact specific things they are doing are for AMD platforms they can be done on any system if you have those privileges, comments were also made that some of the vulnerabilities are not vulnerabilities and are only a direct result of having the requisite privileged access.

 

When you're flashing things like the BIOS or platform security engine firmware (PSP or IME), which you need to be able to do to update them at all, then is it really a vulnerability, or just malicious firmware being loaded onto the system, thereby making it vulnerable?

 

So you have security researchers with decent credibility, ones who discovered Meltdown and Spectre, warning to exercise caution with this paper but acknowledging that it could be true, or true in parts, and the fact that none of these even have CVE reference numbers, which means they did not work with or have not been acknowledged by the National Cybersecurity FFRDC; again, not surprising if you didn't bother to work with them, but it doesn't mean they won't get them.

 

While you shouldn't disregard that these could be real, the current recommended action is to do nothing. Until these get some kind of official recognition by CVE, AMD and manufacturers like HP/Dell/Lenovo, who will in due time issue advisories, there is nothing else to do. No one can confidently say they are either real or fake; it's all pending further analysis.

 

Before anyone points to Meltdown and Spectre and why those were believed they did not lack all the above mentioned traits and were very quickly confirmed by Intel and AMD.


31 minutes ago, LAwLz said:

Did you live under a rock while the ME thing was going down? Intel got a massive amount of shit for it. I don't think I saw even a single person as much as defend Intel over that fuckup. If we assume this is "the same vulnerabilities" then it only makes sense AMD gets as much shit, and yet there is a completely different reaction and people are barely talking about the security issues at all.

 

No, these vulnerabilities are not present on "every fracking system". They are AMD specific. There might be similar issues on other platforms, such as the ME issues you brought up, but I don't see why that matters. It's not like issues on one platform excuses issues on another.

That is clearly some fanboy mentality where you're very focused on who appears "best", AMD or Intel.

AMD fucked something up? Then I must point out an issue with Intel so that Intel doesn't appear to be better!

Stop it.

 

Also, that link has some valid points, but they are not really relevant to this. With this attack, a program running as admin can do things such as read protected memory from other processes, or run code from the embedded security processor. Both of these things are not things taken into consideration in that blog post. Like I have said over and over now, this makes a bad situation worse.

Just because they rely on another attack doesn't mean they aren't an issue.

 

It is tradition now that Intel is the only one having issues. For the last few years few serious vulnerabilities were released which affected AMD processors, Spectre being 2 of them (However in their defense almost every processor had these issues).

Therefore it is explainable that many people put down these vulnerabilities as a scam, as they have not happened for a noticeable amount of time (Spectre again breaks this trend, but it affected almost everything).

 

@Taf the Ghost

Quote

MASTERKEY can often be exploited as part of a remote cyber-attack. Most EPYC and Ryzen motherboards on the market use a BIOS by American Megatrends that allows easy reflashing from within the operating system using a command line utility. Such utility could be used by remote attackers in the course of a cyber attack.

Remote attacks are possible with MASTERKEY


34 minutes ago, LAwLz said:

Also, if you read the white paper it becomes very apparent that the people who wrote it has a good understanding of processors and security. Despite what people are saying, the white paper does contain a lot of information and makes sense.

So assuming the threat is real, as awful as CTS-Labs is coming off as, did they really do this for the consumer? Because it certainly looks like they just wanted to leave as big of an impact on AMD to pick up shares on the cheap.

 

Which reminds me, does AMD have a bug bounty program? It doesn't look like they do but I haven't looked terribly hard, which makes this all the easier to believe.



it pains me reading some of these comments. Does no one ever use their brains anymore? 

 

Whoever published this article is out to make AMD's stock fall regardless of whether the stuff they claim is true or not. Why? It's because the real people behind this shell company are in fact an investment firm. They short AMD's stock and voilà, when it falls they will make a good amount of money.

 

This whole scheme likely came about from intel's security flaw so these people got the idea to try it with AMD. Not the first time people did this before, common occurrence in China for "gangster investors" as they call it. Find out if a company is really making XXXX amount through private investigation or etc and then publish it online, make the company stock fall while they short.

 

Easy money right there


33 minutes ago, leadeater said:

Other researchers without any financial gain, i.e. not paid to review and not given guidance on how to use the exploits

Please don't do this... Paid code reviews are standard in the industry. If we're going to start questioning independent code review because "they are being paid!" then the entire security industry will crumble.

Paid code review != biased code review, which is what you are implying by separating people into "those who were paid vs those who weren't".

 

33 minutes ago, leadeater said:

Other researchers without any financial gain, i.e. not paid to review and not given guidance on how to use the exploits have questioned the validity of these vulnerabilities or have pointed out that the level of access and the steps used are not specific to AMD.

I have actually not seen that many security experts question the validity of the exploits. 9/10 people I have seen come out against this have done so because of the hostile tone of the report and the very short notice, not because the exploits seem false.

Don't mistake "this is unethical" with "these exploits are fake".

I've seen a lot of the former, but none of the latter (from experts, not counting ignorant people on reddit).

 

33 minutes ago, leadeater said:

In other words while the exact specific things they are doing are for AMD platforms they can be done on any system if you have those privileges, comments were also made that some of the vulnerabilities are not vulnerabilities and are only a direct result of having the requisite privileged access.

Source on this? Bypassing VSM and SSM seems to be fairly unique to AMD, and it is not something you can do with just regular admin privilege.

 

33 minutes ago, leadeater said:

When you're flashing things like the bios or platform security engine firmware (PSP or IME), which you need to be able to do to update them at all, then is it really a vulnerability or just malicious firmware being loaded on to the system thereby making it vulnerable.

Again, only 3 out of 13 exploits require BIOS modifications. The remaining 10 do not. Please stop focusing so much on those particular ones because they are just a small category of the exploits discovered.

 

33 minutes ago, leadeater said:

So you have security researchers with decent credibility, ones who discovered Meltdown and Spectre, warning to exercise caution with this paper but acknowledging that it could be true, or true in parts, and the fact that none of these even have CVE reference numbers, which means they did not work with or have not been acknowledged by the National Cybersecurity FFRDC; again, not surprising if you didn't bother to work with them, but it doesn't mean they won't get them.

Well this company is clearly out for fame and is not acting like they should. That does not mean their findings aren't real though.

Again, you seem to be confusing "unethical" with "it's fake".

This is the former, not the latter.

 

33 minutes ago, leadeater said:

While you shouldn't disregard that these could be real, the current recommended action is to do nothing. Until these get some kind of official recognition by CVE, AMD and manufacturers like HP/Dell/Lenovo, who will in due time issue advisories, there is nothing else to do. No one can confidently say they are either real or fake; it's all pending further analysis.

The current recommendation is to do nothing, correct. But that's only because there is nothing we can do right now.

Actually, I would say the current recommendation is for people to shut up if they don't know what they are talking about, but sadly very few people will follow that advice.

 

33 minutes ago, leadeater said:

Before anyone points to Meltdown and Spectre and why those were believed they did not lack all the above mentioned traits and were very quickly confirmed by Intel and AMD.

I don't think you can compare this to Meltdown and Spectre at all.

Vendors had months upon months to validate, fix and prepare statements regarding those issues. It also went through the "proper" disclosure procedure (except AMD that started posting about it in public mailing lists before the disclosure date).

It was a lot more organized than this chaotic "lol look at us with all the exploits we've found! AMD sucks!".

It's not even been 24 hours yet.

More info will come in the coming days/weeks.

 

 

 

33 minutes ago, ScratchCat said:

Remote attacks are possible with MASTERKEY

Physical access is not needed for any of the 13 exploits published.

 

 

 

22 minutes ago, Suika said:

So assuming the threat is real, as awful as CTS-Labs is coming off as, did they really do this for the consumer? Because it certainly looks like they just wanted to leave as big of an impact on AMD to pick up shares on the cheap.

I don't think they did this to protect consumers. I think it is rather clear that they did it for fame, and possibly stock manipulation.

That does not make the vulnerabilities any less real though.

But with that being said, I don't agree that they have been as reckless as people make them out to be. For example they have provided the PoC to AMD and a few other security firms, but not released that to the public. 

 

22 minutes ago, Suika said:

Which reminds me, does AMD have a bug bounty program? It doesn't look like they do but I haven't looked terribly hard, which makes this all the easier to believe.

Not that I am aware of, and I haven't been able to find anything about one either.

It's worth noting that historically, security exploits relying on hardware components have been fairly rare so it has not really been needed. That might change now with more and more exploits like these being published though.

 

 

 

6 minutes ago, Bcat00 said:

it pains me reading some of these comments. Does no one ever use their brains anymore? 

-snip-

The intentions of the messenger do not make the message any less real or serious.


13 minutes ago, Bcat00 said:

Why? It's because the real people behind this shell company are in fact an investment firm.

Citation fucking needed.


Just now, Sierra Fox said:

Citation fucking needed.

Go read the published document or check out their site. It doesn't take much 


Just now, Bcat00 said:

Go read the published document or check out their site. It doesn't take much 

no, the burden of proof is on you.

you can't make a claim then say "go research it yourself"


Just now, Sierra Fox said:

no, the burden of proof is on you.

you can't make a claim then say "go research it yourself"

then go deal with it yourself because I ain't got the patience to satisfy your craving because you can't go read a stinking article or have a look at the links provided by the topic poster.

 

People aren't obliged to do your work for you because you are too LAZY


43 minutes ago, ScratchCat said:

It is tradition now that Intel is the only one having issues. For the last few years few serious vulnerabilities were released which affected AMD processors, Spectre being 2 of them (However in their defense almost every processor had these issues).

Therefore it is explainable that many people put down these vulnerabilities as a scam, as they have not happened for a noticeable amount of time (Spectre again breaks this trend, but it affected almost everything).

 

@Taf the Ghost

Remote attacks are possible with MASTERKEY

You have to remotely execute code to then remotely allow the new BIOS to respond to certain commands.

 

This might be a weird attack vector for a MitM phishing approach. Get someone to update a BIOS with faked signed drivers to inject malicious code. Which you can do on any system that allows BIOS updates anyway.

 

This is slightly interesting as an attack vector for getting into an air-gapped system, as you'd be escalating from a USB drive vector and this could be a way to embed the vector in a place you're not going to find. However, that's a big file to deliver and you can do that on any modern computer system already.


8 minutes ago, Bcat00 said:

then go deal with it yourself because I ain't got the patience to satisfy your craving because you can't go read a stinking article or have a look at the links provided by the topic poster.

 

People aren't obliged to do your work for you because you are too LAZY

Hey, did you know that AMD were the ones who invented cancer? They did it because Hitler paid them to do so.

What you want evidence? Stop being lazy and go research it for yourself!

 

It is not other people's responsibility to verify your claims, even if you are correct.

 

 

 

Edit:

3 minutes ago, Taf the Ghost said:

You have to remotely execute code to then remotely allow the new BIOS to respond to certain commands.

 

This might be a weird attack vector for a MitM phishing approach. Get someone to update a BIOS with faked signed drivers to inject malicious code. Which you can do on any system that allows BIOS updates anyway.

 

This is slightly interesting as an attack vector for getting into an air-gapped system, as you'd be escalating from a USB drive vector and this could be a way to embed the vector in a place you're not going to find. However, that's a big file to deliver and you can do that on any modern computer system already.

It is very important to note that only a few of the attacks published require a BIOS flash.

You do however need admin privilege for any of the attacks to work.


Just now, VegetableStu said:

that's a really angry way to say "Google is your friend"

Because it's tiring to see people say "burden of proof is on you" all the time on this forum.

 

Hello, I'm a random person on the net; why should I spend 10-20 minutes of my life just to satisfy a kid or ignorant person's laziness just so they can go have a look or change their mind? It doesn't make sense to me. It's like someone crying and crying like a snobby brat that can't wipe their own ass.

 

 


Seems spooky, looking forward to hearing about it on the Wan Show if it gets confirmed as legit.

