
[Update] Security flaws discovered in AMD Zen processors: AMD's Meltdown?

Message added by WkdPaul

Please keep the conversation civil and respectful, as per the Community Standards;

Quote
  • Ensure a friendly atmosphere to our visitors and forum members.
  • Encourage the freedom of expression and exchange of information in a mature and responsible manner.
  • "Don't be a dick" - Wil Wheaton.
  • "Be excellent to each other" - Bill and Ted.
  • Remember your audience; both present and future.

 

Just now, Blademaster91 said:

I didn't really see that much that was offensive, I think discussing this either way is good until there is some actual evidence.

So you're implying he's a shill just by the fact he got paid to research their findings? That is simply assuming and ignoring that a few of these vulnerabilities may be a thing similar to Intel's ME, which ironically enough everyone totally bashed all over that while AMD having a similar issue gets shrugged off as "oh remote access? no big deal not to worry".

No. But when he saw they are using him to validate their claims he should have withdrawn statements at least publicly so they have less weight until more validation is done by other parties. This is where the ethical issue lies.


1 minute ago, NinjaQuick said:

He is an accomplice to the plan of the sec team that found it (short stocks). As soon as that came to light he should have withdrawn public comments. 

Have you got evidence?  A link to some article claiming this?

 

Because if you don't then you are making an accusation based on nothing more than your understanding of how the validation process works.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


2 minutes ago, VegetableStu said:

Orange note on header has white text on white background ,_,

Thanks, fixed.

If you need help with your forum account, please use the Forum Support form !


3 minutes ago, NinjaQuick said:

No. But when he saw they are using him to validate their claims he should have withdrawn statements at least publicly so they have less weight until more validation is done by other parties. This is where the ethical issue lies.

 

 

Companies don't have ethics.....  They want notoriety and money for the work they do.  You can't take that out against a company or individual of that company, unless what they are showing is proved fraud.


Just now, wkdpaul said:

Thanks, fixed.

Thought ya did that on purpose so people had to highlight it to read lol.


1 minute ago, NinjaQuick said:

No. But when he saw they are using him to validate their claims he should have withdrawn statements at least publicly so they have less weight until more validation is done by other parties. This is where the ethical issue lies.

Not if what he validated is legitimate.  His job is to validate not to judge right or wrong.  


Just now, mr moose said:

Not if what he validated is legitimate.  His job is to validate not to judge right or wrong.  

His job is to validate, not publicly post about it on twitter.


41 minutes ago, NinjaQuick said:

No. But when he saw they are using him to validate their claims he should have withdrawn statements at least publicly so they have less weight until more validation is done by other parties. This is where the ethical issue lies.

Getting paid for validating things is an industry standard from what I'm getting, though I agree that it would have helped his case since a short stock organization is behind CTS, although I'm just taking it all with a pile of salt if or until someone else checks their findings to be legitimate.


Just now, NinjaQuick said:

His job is to validate, not publicly post about it on twitter.

 

 

He did that because he was probably asked to do it so CTS didn't look like a crazy rampaging company looking to get anything they can get from AMD, they still could be though lol, but if their work is legit, it gives them something over their competition.  They were able to find something with just 3 people who were nobody in the security business. 


If the conversation continues to be argumentative and not constructive This Topic Will Be Locked.


I am a Moderator, but I am fallible. Discuss or debate with me as you will but please do not argue with me as that will get us nowhere.

 


Character is like a Tree and Reputation like its Shadow. The Shadow is what we think of it; The Tree is the Real thing.  ~ Abraham Lincoln

Reputation is a Lifetime to create but seconds to destroy.

You have enemies? Good. That means you've stood up for something, sometime in your life.  ~ Winston Churchill

Docendo discimus - "to teach is to learn"

 

 CHRISTIAN MEMBER 

 

 
 
 
 
 
 

 


1 hour ago, NinjaQuick said:

This requires DIRECT ACCESS to the HARDWARE.

No, it doesn't. If these vulnerabilities are realistically exploitable, it just requires a skilled hacker to exploit.

 

1 hour ago, NinjaQuick said:

The exploits require hardware flashing, not buffer-overflows you can get using JS

Many modern systems can have the requisite hardware flash occur from within Windows, which could be triggered through several means.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


11 minutes ago, Razor01 said:

Thought ya did that on purpose so people had to highlight it to read lol.

Nah, that's actually a bug, just reported it ... we have been using those thread messages for a while, I'm surprised nobody noticed it before! xD

 

Night theme FTW!!!!

 

*ok back to topic*

Edited by wkdpaul


5 minutes ago, Drak3 said:

Many modern systems can have the requisite hardware flash occur from within Windows, which could be triggered through several means.

Can you point to this please, something that interests me, would love to read about it if it's available!


2 minutes ago, Razor01 said:

Can you point to this please, something that interests me, would love to read about it if it's available!

Dell packages every BIOS update for their main lineups as executable installers available through their site and their automated program. Same for HP.

ASUS users can use Winflash to flash a BIOS through Windows.

ASRock's BIOS exe offers an option to update through Windows. Same with MSI.

Gigabyte's (shitty, and perhaps old) documentation has instructions on how to download the utility that allows you to update through Windows.

OSX automatically updates its EFI as that's entirely proprietary and the system is set up for that capability.


1 hour ago, NinjaQuick said:

His job is to validate, not publicly post about it on twitter.

It is when asked. All validators (be they software/exploit or hardware) will make a tweet about said validation when asked unless they are under a specific NDA.  There is literally nothing this guy did that points to collusion.

 

Now just so people don't get the wrong idea (because this forum is full of conclusion jumpers), I am not saying these security threats are dangerous or that CTS is innocent (that remains to be proven), I am saying we don't know yet other than they exist and that trivializing them for any reason is silly.   

 

 


The only thing I wanna know is, if this CTS group has only been around since 2017, how on earth did they find these exploits in such a short amount of time, when other groups with a lot more money have been trying to crack AMD's Ryzen processors since before launch, let alone finding 13 of them, and confirming them so soon, along with this so-called "verification"???

Do you even fanboy bro?


6 minutes ago, Liltrekkie said:

The only thing I wanna know is, if this CTS group has only been around since 2017, how on earth did they find these exploits in such a short amount of time, when other groups with a lot more money have been trying to crack AMD's Ryzen processors since before launch, let alone finding 13 of them, and confirming them so soon, along with this so-called "verification"???

It will all come out in the wash.   It may just be that they have all been working on them separately and only formed a company recently, it may be that they were looking for things that aren't really flaws but can be presented as flaws.   To be honest I am more surprised no one has found flaws in AMD hardware before,  Law of averages says they can't be perfect.


11 minutes ago, Liltrekkie said:

The only thing I wanna know is, if this CTS group has only been around since 2017, how on earth did they find these exploits in such a short amount of time, when other groups with a lot more money have been trying to crack AMD's Ryzen processors since before launch, let alone finding 13 of them, and confirming them so soon, along with this so-called "verification"???

 

The only info we have is 1 other security group validated the findings because they were asked to, that security group is well known.  CTS doesn't want to release the code to general public yet but did send the code to the companies that need to fix it.  So at this point outside of their moral obligations being crap, there seems to be valid concerns.  2 other people that are in the industry also stated there seems to be validity to it, and only one or two websites actually did their research on CTS and talked to them; both of them say they are valid.


46 minutes ago, mr moose said:

It will all come out in the wash.   It may just be that they have all been working on them separately and only formed a company recently, it may be that they were looking for things that aren't really flaws but can be presented as flaws.   To be honest I am more surprised no one has found flaws in AMD hardware before,  Law of averages says they can't be perfect.

 

 

My motto: if something can be made it can be unmade, security is never a guarantee, only watchful eyes can stop security breaches. ;)


13 minutes ago, Liltrekkie said:

The only thing I wanna know is, if this CTS group has only been around since 2017, how on earth did they find these exploits in such a short amount of time, when other groups with a lot more money have been trying to crack AMD's Ryzen processors since before launch, let alone finding 13 of them, and confirming them so soon, along with this so-called "verification"???

intels cpus were targeted 

actually the concept/theory was published in june then but nothing came of it right away

and it affected cpus how old? ok

 

now maybe they set out from the get go to target these new amd cpus

 

lets just wait and see like we have always been doing


4 minutes ago, pas008 said:

intels cpus were targeted 

actually the concept/theory was published in june then but nothing came of it right away

and it affected cpus how old? ok

 

now maybe they set out from the get go to target these new amd cpus

 

lets just wait and see like we have always been doing

 

 

I don't think Intel was targeted per se, Intel's CPUs at the time were much more widely and still are used and predictive branching was something they used.  AMD CPUs didn't at the time.  It wasn't till AMD's Ryzen processors were made for the public that AMD used predictive branching as well, but because of how AMD's CPU encapsulated their cache Meltdown didn't affect their chips.  This was the main flaw for Meltdown, how predictive branching secured certain parts of the CPU.

 

It's looking at Mac OS vs Windows, Windows has more flaw reports, yeah but that is because 90% of the world uses Windows, it's bound to have more flaws found.  That doesn't mean Windows is less secure, it's just that more people are focused on hacking Windows systems.


7 minutes ago, Razor01 said:

It's looking at Mac OS vs Windows, Windows has more flaw reports, yeah but that is because 90% of the world uses Windows, it's bound to have more flaws found.  That doesn't mean Windows is less secure, it's just that more people are focused on hacking Windows systems.

I won't forget this pearl anytime soon:

http://osxdaily.com/2017/11/28/macos-high-sierra-root-login-without-password-bug/

 

Every time someone tells you Macs are more secure, send them this URL.


3 hours ago, Shakaza said:

So far, I'm hearing contradicting things, and from what I can gather, the gist of the situation is this: These exploits do not seem excessively severe, such as in the ease of compromising a system or an ability to subsequently compromise other systems on the same network, but they are present. LAwLz has also presented evidence that these specific issues are unique to AMD's processors, meaning they may have relevance over other "one size fits all" exploits if it's easier to do it this way. If, however, he turns out to be wrong, I would say this isn't really an issue at all, but may still need to be addressed in the future. I would also tend to trust his judgement on this more than a couple of the people who have posted here, because of the fact that he seems to err on the side of security and has not evidenced a preference for any one company in this thread.

The exploits that have been written are AMD specific, they target those systems and processors. What is being done could be done on any other processor and chipset with the same level of privileged access to those hardware components that you shouldn't actually have, but you would have to target those systems specifically and create different actual attack firmware and bypass any security measures in those chipsets or processors that are supposed to block you from accessing them.

 

You shouldn't be able to load on malicious BIOS firmware that targets the Secure Processor (PSP) and writes the attack firmware into the PSP. The BIOS firmware should always require being signed by the manufacturer so it is verified; some OEM systems from the likes of HP and Dell do enforce this but gaming-focused products from companies like Gigabyte do not. Essentially two parties dropped the ball here, AMD and motherboard manufacturers.

 

You also shouldn't be able to gain access into the chipset of the system and be able to read or write to that chipset; this should also be locked down and require restricted access only to signed firmware updates for that chipset. Accessing the chipset uses a standard signed driver, how not sure, but this alone shouldn't get you the access that is being detailed.

 

The risk of these being exploited is very low due to the required level of access to the system to do it, but if carried out the system would be significantly compromised and the attacker would have access to special memory areas where important security related things are kept like encryption keys and passwords. They would also be able to execute code with privileges higher than the OS and would not be able to be detected.

 

My issue with this whole thing actually has nothing to do with the security vulnerabilities at all; even though I don't yet view them as confirmed myself, that doesn't mean they are fake or not true. I don't like how they are talking up the impact of the exploits and saying how they can do a whole wide range of bad things or even physically damage the hardware; the vulnerabilities do no such thing at all and they include things like what exploits they put in the malicious firmware themselves. The vulnerabilities are serious enough as they are; they don't need over-trumpeting and misrepresentation.

 

But the above complaint is nothing compared to what I consider an utter disregard for responsible disclosure of security vulnerabilities. They can claim public interest and public safety all they like but that is nothing but nonsense, their actions are completely and utterly counter to this claim. I'd go so far as saying reckless disregard for public safety and malicious intent to bring another company into disrepute.

 

I also question their claim about them notifying government authorities, along with AMD/Microsoft/Intel etc, due to the lack of being issued a CVE identifier for any of their discovered vulnerabilities. This could be due to the lack of time they gave to verify the vulnerabilities but that further backs my point about improper conduct.

 

There is no place for their conduct and I have no sympathy for the backlash they have gotten. What they have discovered does not excuse or justify their actions. If they are having problems with people questioning their credibility then they should learn from this and never do it again.
