[Update] Security flaws discovered in AMD zen processors : AMD's meltdown?

[Arika]

1 minute ago, Bcat00 said:

then go deal with it yourself because i ain't got the patience to satisfy your craving because you can't go read a stinken article or have a look at the links provided by the topic poster. 

 

People aren't obliged to do your work for you because you are too LAZY

 

if you're banking on the

 

Quote

CTS Labs lists one Yaron Luk-Zilberman as the Chief Financial Officer. We found SEC documents containing information on Yaron Luk-Zilberman and noted that he supposedly has affiliation with NineWells Capital Management, LLC, a hedge-fund and investment management firm.

note the wording "supposedly has affiliation". he's also an individual that works at the company who manages a hedge fund. do you know what that means? he manages a hedge fund, he, him self, the individual. I could start a hedge fund but still work at the company im currently employed by, does that mean that my employer is just a front for the hedge fund? absolutely not. it means nothing.

[Notional]

12 minutes ago, Sierra Fox said:

Citation fucking needed.

Citation fucking included in the GamersNexus video. Go watch it. You're welcome.

[Arika]

1 minute ago, Notional said:

Citation fucking included in the GamersNexus video. Go watch it. You're welcome.

see above

[leadeater]

37 minutes ago, LAwLz said:

Please don't do this... Paid code reviews are standard in the industry. If we're going to start questioning independent code review because "they are being paid!" then the entire security industry will crumble.

Paid code review != biased code review, which is what you are implying by separating people into "those who were paid vs those who weren't".

The basis around how they get paid varies, it's more common practice to either work together and share payment from the effected company through a bounty program or by an entity like CERT, iDefense or TippingPoint.

 

Your point is pricey why Responsible Disclosure is a thing and it covers aspects like payment and financial gain. These are all efforts to professionalize the security industry and introduce standards, it used to be the wild west so how things were done and should be done can be different.

 

Analysis of things like financial gain is an important step, not the only step, for verify validity. It should not be ignored.

 

Edit:

Or be directly contracted by the company to find security flaws.

 

37 minutes ago, LAwLz said:

I have actually not seen that many security experts question the validity of the exploits. 9/10 people I have seen come out against this have done so because of the hostile tone of the report and the very short notice, not because the exploits seem false.

Don't mistake "this is unethical" with "these exploits are fake".

I've seen a lot of the former, but none of the latter (from experts, not counting ignorant people on reddit).

See Gamers Nexus video, specifically the responses from those security experts.

 

37 minutes ago, LAwLz said:

Again, only 3 out of 13 exploits requires BIOS modifications. The remaining 10 does not. Please stop focusing so much on those particular ones because they are just a small category of the exploits discovered.

No 3 are for the bios. Ryzenfall, Masterkey and Chimera all utilize replacing firmware in the PSP (not bios) or chipset. If your putting malicious firmware on to an IC is it a security flaw of said IC or are you just using your privilege access to compromise the system. If a system has the capability for it's firmware to be updated then malicious firmware will always be an attack vector, there is no way to prevent this other than removing the ability to update the firmware which is a terrible idea because then you could never update it if it does have a security vulnerability.

 

You ignored the parts after I said bios, PSP and IME are not bios and related to a different vulnerability in the white paper.

 

37 minutes ago, LAwLz said:

Well this company is clearly out for fame and is not acting like they should. That does not mean their findings aren't real though.

Again, you seem to be confusing "unethical" with "it's fake".

This is the former, not the latter.

No I'm saying it can't even be confirmed as true. Not being true doesn't mean fake it simply means not confirmed.

 

37 minutes ago, LAwLz said:

I don't think you can compare this to Meltdown and Spectre at all.

Vendors had months upon months to validate, fix and prepare statements regarding those issues. It also went through the "proper" disclosure procedure (except AMD that started posting about it in public mailing lists before the disclosure date).

It was a lot more organized than this chaotic "lol look at us with all the exploits we've found! AMD sucks!".

It's not even been 24 hours yet.

More info will come in the coming days/weeks.

Which all backs the point that it was easy to see Meltdown and Spectre were legitimate from the get go.

[Taf the Ghost]

4 minutes ago, LAwLz said:

It is very important to note that only a few of the attacks published requires a BIOS flash. 

I was responding about the one that explicitly did. 

 

Though I still stand by my points that this is mostly interesting for some Air Gap attacks, and I've yet to see anything that merits any mention. 

 

And I also stand by my points about AMD taking both direct legal responses, along with filing complaints to the SEC. This wasn't a bug release; it was an intentional hit-piece that is pretty much full-on Fake News. Attempting to do material harm to a company is more than grounds for legal action.

[Notional]

4 minutes ago, Sierra Fox said:

note the wording "supposedly has affiliation". he's also an individual that works at the company who manages a hedge fund. do you know what that means? he manages a hedge fund, he, him self, the individual. I could start a hedge fund but still work at the company im currently employed by, does that mean that my employer is just a front for the hedge fund? absolutely not. it means nothing.

3

Dude, press the link in your own post to the CTS site. Literally on the site:

Quote

Yaron co-founded CTS-Labs in 2017, and previously served as an intelligence analyst in the Israeli Intelligence Corps Unit 8200. He is also the founder and Managing Director of NineWells Capital, a hedge fund that invests in public equities internationally.

1

"Supposedly". LOL.

[LAwLz]

3 minutes ago, Bcat00 said:

Because it's tiring to see people say "burden of proof is on you" all the time on this forum.

Then maybe you should stop making unsubstantiated claims?

At the end of the day, they are right. The burden of proof is on the one making the claim. It is not their responsibility to verify what you are saying.

 

5 minutes ago, Bcat00 said:

Hello, i'm a random person on the net, why should i spend 10-20 minute of my life just to satisfy a kid or ignorant person's laziness just so they can go have a look or change their mind? It doesn't make sense to me. It's like someone crying and crying like snobby brat that can't wipe their own ass.

Also, you should already have made that 10-20 minutes of research before you make the claim. The other person however, who might be starting at 0 research, might require an hour just to confirm what you said. is it really too much to ask for you to link to the evidence you have already gathered? Unless of course, you're making claims before you have done any research...

Again, it is your responsibility to research and prove the things you post, not your readers' responsibility.

[laminutederire]

Why has it been going on for 14 pages when we basically have no proof of anything. The whitepaper is not very well written (I wonder what University has taught them to publish a paper like this), but most importantly it's just about claims with no real details on how they did it, so from our point of view there is basically nothing to talk about except wait for it to be disproved or wait for them to provide actual details about their claims so that we can check their validity ourselves I guess.

[Arika]

1 minute ago, Notional said:

Dude, press the link in your own post to the CTS site. Literally on the site:

"Supposedly". LOL.

hey, you said the source was gamer nexus. "supposedly" is gamer nexus' wording. not mine.

[Notional]

1 minute ago, Sierra Fox said:

hey, you said the source was gamer nexus. "supposedly" is gamer nexus' wording. not mine.

Are you satisfied with the "fucking quote" then?

[Arika]

Just now, Notional said:

Are you satisfied with the "fucking quote" then?

that's he a manager of a hedge fun? sure.

 

but with the claim that CTS labs is just a shell company for an investment firm? no. is an unsubstantiated claim.

[LAwLz]

3 minutes ago, leadeater said:

The basis around how they get paid varies, it's more common practice to either work together and share payment from the effected company through a bounty program or by an entity like CERT, iDefense or TippingPoint.

 

Your point is pricey why Responsible Disclosure is a thing and it covers aspects like payment and financial gain. These are all efforts to professionalize the security industry and introduce standards, it used to be the wild west so how things were done and should be done can be different.

 

Analysis of things like financial gain is an important step, not the only step, for verify validity. It should not be ignored.

Well let's look at it this way.

If I get hired to do a security audit on company I expect to be trusted. If my report says that I did not find any vulnerabilities, do you think it make sense to start questioning me because "that person was paid to do the audit!"? I think that would look like a bad attempt to undermine the credibility of the report without having to actually look into any of the technical details.

It's a cheap shot that doesn't pack any substantial punch.

 

6 minutes ago, leadeater said:

See Gamers Nexus video, specifically the responses from those security experts.

I'm at work right now (funnily enough, patching BIOSes to protect again the Intel ME vulnerability). I'll watch it later though.

 

8 minutes ago, leadeater said:

No 3 are for the bios. Ryzenfall, Masterkey and Chimera all utilize replacing firmware in the PSP (not bios) or chipset. If your putting malicious firmware on to an IC is it a security flaw of said IC or are you just using your privilege access to compromise the system. If a system has the capability for it's firmware to be updated then malicious firmware will always be an attack vector, there is no way to prevent this other than removing the ability to update the firmware which is a terrible idea because then you could never update it if it does have a security vulnerability.

 

You ignored the parts after I said bios, PSP and IME are not bios and related to a different vulnerability in the white paper.

OK fair point. I don't see how this could be classified as anything but a vulnerability though. Would you be happier if I said it was a security risk? Because that is an accurate description for sure, although the risk of it being exploited seems fairly small at this point.

 

10 minutes ago, leadeater said:

No I'm saying it can't even be confirmed as true. Not being true doesn't mean fake it simply means not confirmed.

Better to be safe than sorry when it comes to security. Also, I think the testimonies from other experts is enough to confirm that it is true.

And if you don't trust Dan Guido, maybe you trust Matthew Green or Thomas H Ptacek? They haven't commented on the issue with their own words, but they have both retweeted Guido's statement.

 

19 minutes ago, leadeater said:

Which all backs the point that it was easy to see Meltdown and Spectre were legitimate form the get go.

To me that just means you can't compare the two situations.

They are completely different in almost every single way.

It doesn't make sense to compare them.

 

 

 

19 minutes ago, Taf the Ghost said:

it was an intentional hit-piece that is pretty much full-on Fake News.

Doesn't "fake news" mean that the news are fake? These news are real but presented in a hostile way.

[ScratchCat]

Forget market manipulation - This is an experiment to see how many forums one can plunge into chaos with a single press announcement /s

 

Quote

Update 3/14 5:00am ET

Reported by Ars Technica, a second security firm has now spoken publicly about being contacted by CTS-Labs for verification of the vulnerabilities. Gadi Evron, CEO of Cymmetria, stated in a series of tweets that:

1. He knows CTS-Labs and vouches for their technical capabilities, but has no knowledge of their business model
2. All the vulnerabilites do not require physical access (a simple exe is all that is needed)
3. Fallout does not require a reflash of the BIOS
4. CTS-Labs believes that the public has a right to know if a vendor they are using makes them vulnerable, which is why no substantial lead time was given.

https://www.anandtech.com/show/12525/security-researchers-publish-ryzen-flaws-gave-amd-24-hours-to-respond

Point 4 seems slightly hypocritical - In effect CTS is increasing the chance of the vulnerabilities being exploited which is not in the public interest.

[Taf the Ghost]

3 minutes ago, LAwLz said:

Doesn't "fake news" mean that the news are fake? These news are real but presented in a hostile way.

Actually, no, part of the information can be real, but the "news" is fake. Previous to 2017, we'd call it "spin", but in one of the most tone-deaf media moves in history, the major Cable Channels pushed the concept of "fake news" to attack the current US Administration. Let's just say that's backfired horribly.

 

In this case, we have a collection of known attack vectors, yet no actual proof they've been used by CTS nor proof it is exclusive to AMD systems. Hacked BIOS attacks can work on most systems from, what, 2012 and on? 

 

The only potentially interesting one, as mentioned by a few security researchers, is the ASMedia chipset's security being weak. But, again, they just state that, and we have yet to have proof it does. There are already Intel IME attacks in the wild, so these type of low-level attack vectors exist, though this is really only important for Nation-State level hacking.

[laminutederire]

11 minutes ago, LAwLz said:

Better to be safe than sorry when it comes to security. Also, I think the testimonies from other experts is enough to confirm that it is true.

And if you don't trust Dan Guido, maybe you trust Matthew Green or Thomas H Ptacek? They haven't commented on the issue with their own words, but they have both retweeted Guido's statement.

Does it matter what people have tweeted or retweeted? Are we really at this point in time where a tweet is enough to prove something?

The fundamental criterion of scientificity is falsiability, which is just isn't present here since we basically have nothing to refute their claims on, because of that, no it isn't scientifically proven that it is true.

I may be or may not be, at this point you can say it's true, but it only is a "statement of opinion and not a statement of facts" to paraphrase the legal disclaimer of the whitepaper at hand. And it will be until we have an actual scientifical paper explaining the methodology and principles leading to those exploits.

[leadeater]

33 minutes ago, LAwLz said:

Well let's look at it this way.

If I get hired to do a security audit on company I expect to be trusted. If my report says that I did not find any vulnerabilities, do you think it make sense to start questioning me because "that person was paid to do the audit!"? I think that would look like a bad attempt to undermine the credibility of the report without having to actually look into any of the technical details.

It's a cheap shot that doesn't pack any substantial punch.

That is a different circumstance though, thought it depends on what you mean by that. The company doing the review to get paid is probably all above board, further reading of Anandtech article basically confirms this, it was a favor at first until they were given 13 to verify.

 

It was important to note that they only verified the steps to execute the exploits, basically they can say you can carry them out as documented. There's still the question of are all of these actually security vulnerabilities with the effected technologies. Because like I mentioned if your replacing firmware or using a signed driver by the vendor (this is very unclear to me exactly what this entails) are these vulnerabilities at all, by that I mean with the technologies themselves.

 

33 minutes ago, LAwLz said:

OK fair point. I don't see how this could be classified as anything but a vulnerability though. Would you be happier if I said it was a security risk? Because that is an accurate description for sure, although the risk of it being exploited seems fairly small at this point.

My point really was though that literally everything that can be firmware updated falls under this, like EVERYTHING. Do we need a security whitepaper released for every product on earth that falls under this to tell us "Hey if someone replaces the firmware with a malicious one you're at risk", think this falls under stating the obvious.

 

To make a highly inaccurate joke, you don't need a warning label on a hammer saying "If you hit your hand it will hurt".

[DELTAprime]

I wonder if Linus will just read the headlines on the WAN show that AMD are screwed or if he will do what other techtubers doing and dig a bit deeper and find the issues with this report?

[Carclis]

I'm not sure if this is even an issue or not but it seems pretty damn coincidental that Viceroy Research release this on the same day. It's so amateurish that it detracts from the issues being presented.

[Notional]

10 minutes ago, DELTAprime said:

I wonder if Linus will just read the headlines on the WAN show that AMD are screwed or if he will do what other techtubers doing and dig a bit deeper and find the issues with this report?

"AMD is screwed with confirmed security issues... And now 15 minutes of sponsor spots".

[leadeater]

6 minutes ago, VegetableStu said:

First up, and this isn't the first time: STOP EATING ALL THE JERKY, AT LEAST SAVE SOME FOR WAN. dammit

Which reminds me I really should order some, shipping to NZ is going to suuuuuuck though.

 

Edit:

LOLLOOLOLLOLOLOL, ouch.

 

Single item btw.

[Notional]

Just now, leadeater said:

Which reminds me I really should order some, shipping to NZ is going to suuuuuuck though.

Shipping to Denmark is about as expensive as the products themselves. Kinda pointless. Would love to try them out. They should have an outlet in EU to get around that nonsense.

[Arika]

9 minutes ago, leadeater said:

Which reminds me I really should order some, shipping to NZ is going to suuuuuuck though.

 

Edit:

LOLLOOLOLLOLOLOL, ouch.

 

Single item btw.

And the first class package is 30-90 business days right?

[leadeater]

4 minutes ago, Sierra Fox said:

And the first class package is 30-90 business days right?

Not actually sure, doesn't say. It's about roughly that from memory, I got something off ebay and used that option, huge mistake. Took sooooo long. Long enough I thought they got lost in shipping, contact seller who gave me a refund and I brought the items again (Xeons) and paid for better shipping, that new order arrived and then about a week later the original purchase turned up.

[Brooksie359]

6 hours ago, Sierra Fox said:

yes it is what i imagine would have happen and what has happened countless times in the past. It is an assumption based on previous experiences. I'm not denouncing the hypocrisy I'm pointing it out. there is no "Alternative selves" in this situation, there is an inherent bias in some people on this forum that AMD can do no wrong and therefore will defend it to the death, yet Intel in a similar situation would not be afforded the same defense by these people.

 

 

Regardless of bias  this seems to be a very suspicious way to disclose security flaws and the company itself is quite suspicious. Even the security flaws are talked about in a manner that isn't professional and are bias in nature. Of this were Intel would people bash them instead of looking at how weird the source of this information is? Maybe but that doesn't make the source any less suspect and likely to have stake in the lowering of AMD stock.

[LAwLz]

49 minutes ago, laminutederire said:

Does it matter what people have tweeted or retweeted? Are we really at this point in time where a tweet is enough to prove something?

When it is tweeted by respectable security researchers then yes, it is a testimony with their reputation on the line.

That is worth a lot as evidence.

 

52 minutes ago, laminutederire said:

The fundamental criterion of scientificity is falsiability, which is just isn't present here since we basically have nothing to refute their claims on, because of that, no it isn't scientifically proven that it is true.

That is not strictly true.

We do not have the PoC, but that's because it has not been disclosed. What we do have are statements from people with the PoC, and they are saying it is real.

Something can be scientifically proven without the general public having the means to prove it for themselves. I don't have access to the LHC and yet I would say the Higgs boson has scientifically been proven to exist. What do I base that on? The testimonies of scientists with far greater resources and knowledge than me.

 

56 minutes ago, leadeater said:

My point really was though that literally everything that can be firmware updated falls under this, like EVERYTHING. Do we need a security whitepaper released for every product on earth that falls under this to tell us "Hey if someone replaces the firmware with a malicious one you're at risk", think this falls under stating the obvious.

Did you not read the paper or did you just not understand it? Not everything can be attacked in this way because not everything has a central point of trust which has privileges such as modifying IOMMU configurations or bypassing SMM.

 

This is not just "flash malicious code to BIOS or firmware and it can do things". The architecture of the AMD system allows it to do additional things which is more similar to the Intel ME issues. 

 

1 hour ago, Notional said:

"AMD is screwed with confirmed security issues... And now 15 minutes of sponsor spots".

Not clickbait enough.

The video title needs at least one question mark and some random words in all caps.

"AMD is DOOMED? These exploits can PWN your AMD CPU!"