
[Update] Security flaws discovered in AMD zen processors : AMD's meltdown?

Message added by WkdPaul

Please keep the conversation civil and respectful, as per the Community Standards;

Quote
  • Ensure a friendly atmosphere to our visitors and forum members.
  • Encourage the freedom of expression and exchange of information in a mature and responsible manner.
  • "Don't be a dick" - Wil Wheaton.
  • "Be excellent to each other" - Bill and Ted.
  • Remember your audience; both present and future.

 

4 minutes ago, mynameisjuan said:

Intel checks too. These are all different architectures; you can't compare one to the other security-wise and call one lazy because it had more vulnerabilities.

 

Still, my point stands: you can't test for literally any situation.

"we believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture"

Ah... I never knew ARM was susceptible to Meltdown: "This contradicts some early statements made about the Meltdown vulnerability as being Intel-only."

The last I saw it was Intel only. That explains a lot... Guess I was out of the loop after the first early reports.


10 minutes ago, TechyBen said:

If Spectre is still a problem... it's still a problem for Intel too.

Yes

 

11 minutes ago, TechyBen said:

Thus AMD are not worse than Intel, and in fact fare better. AMD = 2 exploits, Intel 3 (as only they are affected by Meltdown).

Ehm... Who cares which one is "worse" or "better" than the other? The fact of the matter is that both are vulnerable.

This is pretty similar to what I was talking about here:

6 hours ago, LAwLz said:

That is clearly some fanboy mentality where you're very focused on who appears "best", AMD or Intel.

AMD fucked something up? Then I must point out an issue with Intel so that Intel doesn't appear to be better!

Who cares about the image of AMD or Intel? I certainly don't care if AMD are "no worse than Intel". What I care about is if I am vulnerable or not.

Also, judging which brand is "better" based on a handful of exploits is kind of silly, don't you think?

I mean, I am not going to start posting in threads about how bad Intel processors are because of the ME bug, nor will I post about how bad AMD processors are because of these issues.

 

18 minutes ago, TechyBen said:

Meltdown affects Intel's specific use.

Well, it actually affected more processors than just Intel. I believe Apple indirectly confirmed that their mobile processors were affected by it too, and ARM confirmed that some of their processors were.

AMD managed to avoid that one though.

 

22 minutes ago, TechyBen said:

I apologise, but everyone I've seen complain AMD got a free pass have said "but the Meltdown Spectre bug AMD got" when mentioning AMD, when it is not a combined "thing" (it's the Meltdown bug or the Spectre bug), and AMD did not get Spectre! Annoys me every time. And shows they don't actually know the differences.

AMD is vulnerable to Spectre, not Meltdown.

But yes you are correct when you say they are two different things, and AMD processors are only vulnerable to the Spectre attacks.

 

24 minutes ago, TechyBen said:

AMD and the rest of the industry (ARM etc) were doing computing as we expect and it turns out we all made a mistake and missed a security risk (were too busy chasing speed, and forgot a timing side channel). Meltdown is Intel not doing the security check on things it should be doing!

That's a rather simplistic view of things.

This wasn't "the industry busy chasing speed increases, and Intel cutting corners". It's far more complex than that.

 

 

 

1 minute ago, Thermosman said:

This may have been posted already but whatever

These companies appear very biased

Just remember that someone can be very biased, and still be correct.


11 minutes ago, TechyBen said:

"we believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture"

Ah... I never knew ARM was susceptible to Meltdown: "This contradicts some early statements made about the Meltdown vulnerability as being Intel-only."

The last I saw it was Intel only. That explains a lot... Guess I was out of the loop after the first early reports.

I am not talking about any security flaw in particular... just that, in general, bugs are hard to find and are almost always found by accident. But people think it's easy to avoid them and even easier to find them.


1 hour ago, leadeater said:

You cannot talk to the PSP by default; that is the point of the PSP. You, the user of the system, can't see it or interact with it. They are gaining access to it through those signed drivers, but they don't exactly tell you how.

 

Like I said, since there are zero details, I don't know if they are modifying the driver (which still fits the above statement) or there is a flaw in the driver giving you access you shouldn't have.

 

Also, nice that that isn't actually in the white paper; I specifically checked for statements like that, but it wasn't in it, because they are vague as hell about that signed driver requirement.

 

You missed the point: the system is infected because you actually infected it by putting that HDD in it. Before the HDD was in it, it was not infected, as in without the malicious firmware all the bad things they say they can do cannot be done.

 

Edit:

Why this matters is because when other companies say something is a privileged execution attack, they don't go listing all the theoretical things they can do with that attack. They don't treat what you can do with it as the vulnerability itself.

I've gotta ask, did CTS Labs get hold of the ability to sign the drivers by "other than legal means"? This wouldn't be the first stolen-cert attack, but we're back to this mostly being a nation-state attack vector.


6 minutes ago, LAwLz said:

Yes

 

Ehm... Who cares which one is "worse" or "better" than the other? The fact of the matter is that both are vulnerable.

This is pretty similar to what I was talking about here:

Who cares about the image of AMD or Intel? I certainly don't care if AMD are "no worse than Intel". What I care about is if I am vulnerable or not.

Also, judging which brand is "better" based on a handful of exploits is kind of silly, don't you think?

I mean, I am not going to start posting in threads about how bad Intel processors are because of the ME bug, nor will I post about how bad AMD processors are because of these issues.

 

Well, it actually affected more processors than just Intel. I believe Apple indirectly confirmed that their mobile processors were affected by it too, and ARM confirmed that some of their processors were.

AMD managed to avoid that one though.

 

AMD is vulnerable to Spectre, not Meltdown.

But yes you are correct when you say they are two different things, and AMD processors are only vulnerable to the Spectre attacks.

 

That's a rather simplistic view of things.

This wasn't "the industry busy chasing speed increases, and Intel cutting corners". It's far more complex than that.

 

 

 

Just remember that someone can be very biased, and still be correct.

They may still exist, but the companies are mainly fearmongering, and if they exist they require root and BIOS flash access, so they are pointless.


7 minutes ago, Taf the Ghost said:

I've gotta ask, did CTS Labs get hold of the ability to sign the drivers by "other than legal means"? This wouldn't be the first stolen-cert attack, but we're back to this mostly being a nation-state attack vector.

According to them, they do not need to sign anything.

They are using already valid, already installed, drivers from AMD and ASMedia as the attack vector for some of these exploits.

If that's the case then they don't need to sign anything because the security holes are in the AMD and ASMedia drivers, rather than modified ones.

 

6 minutes ago, Thermosman said:

They may still exist, but the companies are mainly fearmongering and if they exist they require root and bios flash access that they are pointless

They require admin privilege, but that's not too difficult to get. People fall for phishing attacks all the time, and even if they don't they usually click on UAC without thinking.

BIOS flashing is only required for 3 out of 13 of the exploits. The remaining 10 do not require a BIOS flash.

The BIOS updates can be done from within Windows as well.

 

Edit: And before you say that you're already screwed if they have admin privilege, please remember that admin is not the highest privilege you can have.

 

 

Here is an unlikely scenario which is possible with these vulnerabilities.

1) You download a sketchy file from the Internet. It might be a pirated game or something along those lines.

2) You install the game. While going through the installation wizard, a UAC prompt appears. Well, you're just installing a game, so let's click OK on that!

3) You now have malware with admin privileges on your computer.

So far it's all standard stuff that can happen to anybody. This is a pretty common occurrence. Now we get to the Ryzen-specific things though...

4) The malware uses these exploits to compromise the PSP. It might even silently infect your BIOS in the background.

5) You now have undetectable, unremovable malware on your computer. It can do whatever it wants with your computer, it cannot be deleted, and it cannot even be detected.

Not even a complete reinstall of Windows would fix it. It could potentially even block further flashes of the BIOS, so you'd have to throw it out and buy a new motherboard (assuming you figure out that you're infected).

 

Improbable, but not impossible.


7 minutes ago, LAwLz said:

According to them, they do not need to sign anything.

They are using already valid, already installed, drivers from AMD and ASMedia as the attack vector for some of these exploits.

If that's the case then they don't need to sign anything because the security holes are in the AMD and ASMedia drivers, rather than modified ones.

 

They require admin privilege, but that's not too difficult to get. People fall for phishing attacks all the time, and even if they don't they usually click on UAC without thinking.

BIOS flashing is only required for 3 out of 13 of the exploits. The remaining 10 do not require a BIOS flash.

The BIOS updates can be done from within Windows as well.

 

Edit: And before you say that you're already screwed if they have admin privilege, please remember that admin is not the highest privilege you can have.

Once you have admin, basically any malware can be installed, so the CPU doesn't matter. Any higher level of privilege can be obtained with admin in Windows.


7 minutes ago, TechyBen said:

"we believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture"

Ah... I never knew ARM was susceptible to Meltdown: "This contradicts some early statements made about the Meltdown vulnerability as being Intel-only."

The last I saw it was Intel only. That explains a lot... Guess I was out of the loop after the first early reports.

Meltdown is a problem with how out-of-order execution was implemented. This has been found to also be a problem in IBM and ARM processors. The thing I don't like about AMD is that while they explained why their processors aren't affected by Meltdown, I'm questioning since when this paging architecture of theirs has existed. To me it'd make sense they did this since first implementing x64, or at the very least since Athlon (since Intel started telling AMD to make their own system bus architecture then). Taking it at face value, it's like AMD implemented it right the first time, but given how AMD's PR likes to jab at its competitors any chance it can get, I'm going to question just how true their statement really is.


3 minutes ago, LAwLz said:

According to them, they do not need to sign anything.

They are using already valid, already installed, drivers from AMD and ASMedia as the attack vector for some of these exploits.

If that's the case then they don't need to sign anything because the security holes are in the AMD and ASMedia drivers, rather than modified ones.

CTS has said a lot of things without any proof, so far, so we're going to have to wait for some real confirmation.

 

@leadeater

 

I don't have a working Ryzen/Linux combo right now, but I can't find even an unofficial way to perform it currently. (There are for some previous generations, however.) Wouldn't some weird Windows exploit explain most of this?



Anyone able to sum this up for me? That's a lot of replies and 16 pages...... 


5 minutes ago, SC2Mitch said:


Anyone able to sum this up for me? That's a lot of replies and 16 pages...... 

It's simply bullshit; said flaws need so much machine access that by that time you can do anything you want. It's just someone trying to attack AMD's stock.


Just now, cj09beira said:

It's simply bullshit; said flaws need so much machine access that by that time you can do anything you want. It's just someone trying to attack AMD's stock.

Yikes... 


11 minutes ago, SC2Mitch said:


Anyone able to sum this up for me? That's a lot of replies and 16 pages...... 

The abbreviated version:

CTS claims there are 13 vulnerabilities in AMD Ryzen/Epyc processors, specifically in regards to the PSP.

CTS is a company that didn't exist until last year, and only provided AMD with 24 hours to respond before they made their findings public.

CTS may have ties to a company known for stock market manipulation.

 

Right now, no one knows if the flaws are real, but the whole thing reeks of a hit job.


12 minutes ago, SC2Mitch said:


Anyone able to sum this up for me? That's a lot of replies and 16 pages...... 

 

5 minutes ago, cj09beira said:

It's simply bullshit; said flaws need so much machine access that by that time you can do anything you want. It's just someone trying to attack AMD's stock.

The attacks are theoretically real, but at the moment it looks like a few people are going to want some good lawyers, as this is a hit-job even if real.

 

Second, if these attacks are real and easy to produce, these would have been far more valuable on the black market.


12 minutes ago, Technicolors said:

so we hold out until further information from AMD?

Pretty much. There are claims to a Proof of Concept in the hands of others, but right now we have nothing interesting. In related news, you can run certain Coffee Lake i3s & i5s on Z170 & Z270 boards with the right BIOS modification.

 

Considering how much they talked about piggybacking on signed drivers, these aren't generalized exploits but targeted ones. This information really was more valuable to the NSA, CIA, MI6 or the like. Good Zero Days go for upwards of 500k USD, so this really seems more and more of a hitjob to short the stock. However, AMD is a big enough company to return fire.

 

Though a few of the approaches "work" because things can be updated generally, so they'll likely try to hide behind that in court.


9 minutes ago, Taf the Ghost said:

However, AMD is a big enough company to return fire.

Yep, and personally I am waiting for the shit to hit the fan when AMD comes after everyone involved with big ass lawsuits.


34 minutes ago, Technicolors said:

so we hold out until further information from AMD?

No, first-party information about computer security should be taken with a grain of salt. It's like going to ISIS territory and asking them if it's safe to live there ("of course it is!").

 

Wait until security researchers come up with a consensus.


15 minutes ago, Taf the Ghost said:

Pretty much. There are claims to a Proof of Concept in the hands of others, but right now we have nothing interesting. In related news, you can run certain Coffee Lake i3s & i5s on Z170 & Z270 boards with the right BIOS modification.

 

Considering how much they talked about piggybacking on signed drivers, these aren't generalized exploits but targeted ones. This information really was more valuable to the NSA, CIA, MI6 or the like. Good Zero Days go for upwards of 500k USD, so this really seems more and more of a hitjob to short the stock. However, AMD is a big enough company to return fire.

 

Though a few of the approaches "work" because things can be updated generally, so they'll likely try to hide behind that in court.

That's very specific of you ;)


1 hour ago, Thermosman said:

Once you have admin, basically any malware can be installed, so the CPU doesn't matter. Any higher level of privilege can be obtained with admin in Windows.

Something tells me you don't know what the security processor is or what it does...

You are NOT supposed to be able to run arbitrary code on it, regardless of what privilege you have in the host OS.

 

 

56 minutes ago, Taf the Ghost said:

CTS has said a lot of things without any proof, so far, so we're going to have to wait for some real confirmation.

I don't see why you would believe everything but the part about being able to use already signed drivers for the exploit.

 

45 minutes ago, cj09beira said:

It's simply bullshit; said flaws need so much machine access that by that time you can do anything you want. It's just someone trying to attack AMD's stock.

Please. Stop. Talking. About. Things. You. Do. Not. Understand.


2 minutes ago, LAwLz said:

Something tells me you don't know what the security processor is or what it does...

You are NOT supposed to be able to run arbitrary code on it, regardless of what privilege you have in the host OS.

 

 

I don't see why you would believe everything but the part about being able to use already signed drivers for the exploit.

 

 

 

Point one: yeah, that is also why it's a black box, because no one but AMD should know the inner workings of it.

 

Point two: yep, injecting code into a previously signed driver can and will work as an exploit.


4 minutes ago, Razor01 said:

Point one yeah that is also why its a black box, because no one but AMD should know the inner workings of it.

Except that's a problem because it's security by obscurity. Nobody can independently audit it to make sure it's actually doing what it's supposed to do.

 

Contrary to what people may think about security, knowing how something works isn't a flaw. AES is open for anyone to examine, implement, and tweak, but that doesn't mean it's insecure because of it.

