[Update] Security flaws discovered in AMD zen processors : AMD's meltdown?

Message added by WkdPaul

Please keep the conversation civil and respectful, as per the Community Standards;

Quote
  • Ensure a friendly atmosphere to our visitors and forum members.
  • Encourage the freedom of expression and exchange of information in a mature and responsible manner.
  • "Don't be a dick" - Wil Wheaton.
  • "Be excellent to each other" - Bill and Ted.
  • Remember your audience; both present and future.

 

3 minutes ago, spartaman64 said:

"But, Guido also admitted, 'Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality.'"

Am I missing something lol

Yes, you are missing what the PSP is and why this is far more serious than just having admin privilege. I described it a few posts ago and I recommend reading it.

 

This is not intended behavior. 


I still wonder if this is mostly a Windows exploit that allows for some injection attack vector.


9 minutes ago, LAwLz said:

Yes, you are missing what the PSP is and why this is far more serious than just having admin privilege. I described it a few posts ago and I recommend reading it.

 

This is not intended behavior. 

PSP can apparently be disabled, and I found an article on another PSP vulnerability https://www.theregister.co.uk/2018/01/06/amd_cpu_psp_flaw/ but that one requires physical access:

"since the crafted certificate that exploits the vulnerability needs to be written to NVRAM, the attacker must already have privileged access to the host or physical access. It would let an attacker bypass secure/trusted boot, which is performed by the TPM."

And I would assume someone like the CEO of Trail of Bits would know about PSP, so maybe this attack requires something similar.

Edit: yep, everywhere I read it says the attacks need admin privileges.


10 hours ago, Shakaza said:

Yup. My head is reeling at this point. It's also 2 A.M. RIP my brain.

LSD dude lol.


2 hours ago, LAwLz said:

Yes, you are missing what the PSP is and why this is far more serious than just having admin privilege. I described it a few posts ago and I recommend reading it.

 

This is not intended behavior. 

Trying to phrase this differently so people can understand; please correct me if I get it wrong.

Even with admin privileges a person shouldn't be able to load these exploits up, is what they are saying, but since it can be done these exploits are valid.


2 hours ago, Taf the Ghost said:

I still wonder if this is mostly a Windows exploit that allows for some injection attack vector.

To me it seems like the attack vector is the Windows drivers (maybe Linux too? It's not mentioned but that might just be because they haven't tested it). Once the PSP is infected it should be possible to attack any OS though.

 

2 hours ago, spartaman64 said:

PSP can apparently be disabled, and I found an article on another PSP vulnerability https://www.theregister.co.uk/2018/01/06/amd_cpu_psp_flaw/ but that one requires physical access:

"since the crafted certificate that exploits the vulnerability needs to be written to NVRAM, the attacker must already have privileged access to the host or physical access. It would let an attacker bypass secure/trusted boot, which is performed by the TPM."

And I would assume someone like the CEO of Trail of Bits would know about PSP, so maybe this attack requires something similar.

Edit: yep, everywhere I read it says the attacks need admin privileges.

Well first of all, that is a different exploit in the AMD PSP (two major issues discovered in 3 months does not sound that good for the future).

Secondly, it says it needs admin privilege or physical access. The keyword here is "or". In that sense it is similar to these amdflaw exploits. You need admin privilege, which is a hindrance but not as big as you might think. Also, it is still really bad because users should have no access to the PSP at all, even if they run as admin. It was designed to be inaccessible, but now it's not.

Thirdly, it cannot be disabled at this point in time. The update specified in the article allowed the PSP to be partially disabled. But disabling security features because they do more harm than good is a really bad situation to be in regardless.

 

 

1 minute ago, Razor01 said:

Even with admin privileges a person shouldn't be able to load these exploits up, is what they are saying, but since it can be done these exploits are valid.

Exactly.

It's kind of hard to explain because user/admin mode are software-defined privileges, while the PSP is hardware based, but you could think of the PSP as an invisible-super-mega-admin mode which the OS should essentially not even be aware exists. Maybe "god-privilege" would be more fitting.


1 minute ago, LAwLz said:

To me it seems like the attack vector is the Windows drivers (maybe Linux too? It's not mentioned but that might just be because they haven't tested it). Once the PSP is infected it should be possible to attack any OS though.

 

Well first of all, that is a different exploit in the AMD PSP (two major issues discovered in 3 months does not sound that good for the future).

Secondly, it says it needs admin privilege or physical access. The keyword here is "or". In that sense it is similar to these amdflaw exploits. You need admin privilege, which is a hindrance but not as big as you might think. Also, it is still really bad because users should have no access to the PSP at all, even if they run as admin. It was designed to be inaccessible, but now it's not.

Thirdly, it cannot be disabled at this point in time. The update specified in the article allowed the PSP to be partially disabled. But disabling security features because they do more harm than good is a really bad situation to be in regardless.

We won't know for sure until we see the code, but the person who did have a look at it seems to suggest that it requires admin access, and Linus Torvalds seems to think that is a big hindrance, as he says the administrator has to be criminally negligent for the exploit to work. But maybe I'm making a mistake thinking that Linus knows something about system security, idk lol.


4 minutes ago, spartaman64 said:

We won't know for sure until we see the code, but the person who did have a look at it seems to suggest that it requires admin access, and Linus Torvalds seems to think that is a big hindrance, as he says the administrator has to be criminally negligent for the exploit to work. But maybe I'm making a mistake thinking that Linus knows something about system security, idk lol.

Nah, admin doesn't need to do anything; even a regular user getting into a phishing scam can start all this off.

I don't think it's a good idea to bring up what Linus Torvalds says about AMD lol! He seems to be omitting the most obvious ways admin privileges are gained currently, with Trojans and viruses.


2 minutes ago, Razor01 said:

Nah, admin doesn't need to do anything; even a regular user getting into a phishing scam can start all this off.

I don't think it's a good idea to bring up what Linus Torvalds says about AMD lol! He seems to be omitting the most obvious ways admin privileges are gained currently, with Trojans and viruses.

A company setting up their systems so that any random employee has admin access is probably asking for trouble, and if the hacker has admin privileges you are boned already.


18 minutes ago, spartaman64 said:

We won't know for sure until we see the code, but the person who did have a look at it seems to suggest that it requires admin access, and Linus Torvalds seems to think that is a big hindrance, as he says the administrator has to be criminally negligent for the exploit to work. But maybe I'm making a mistake thinking that Linus knows something about system security, idk lol.

On GNU/Linux he has a point. Needing root privilege is a big obstacle because running things as root is a chore and looked down upon in the GNU/Linux community.

That's not the case on Windows though, where it's usually a one-button press that people don't think twice about, and some even disable completely because they don't like getting interrupted by it. Not to mention all the various privilege escalation exploits that pop up every now and again.

 

 

Just to be clear, I think they are overhyping it quite a bit, and I am not worried for my computer (which is a Ryzen 1700X), but this could actually be a major issue and it should definitely be fixed, just like the ME issues were.

They are also dicks for publishing it the way they did, they are shady and all that. Completely agree with what most people are saying there, but that does not mean we can brush this under the rug and pretend everything is fine with AMD chips.

 

 

Edit:

10 minutes ago, spartaman64 said:

A company setting up their systems so that any random employee has admin access is probably asking for trouble, and if the hacker has admin privileges you are boned already.

Getting access to the PSP is much worse than just having admin privilege.

Yes, it is already a bad situation if someone with malicious intentions has admin privileges, but these exploits make the situation worse.

 

If you want an analogy, think of this like the tsunami that hit Japan in 2011.

If getting admin privilege is the tsunami wave, then these exploits are the nuclear meltdowns that were caused as a result. They turn a bad situation into an even worse situation.

You don't ignore the nuclear meltdowns just because you think the wave was bad enough, right? You need to fix both.


8 minutes ago, spartaman64 said:

A company setting up their systems so that any random employee has admin access is probably asking for trouble, and if the hacker has admin privileges you are boned already.

They still shouldn't be able to put persistent invasive malware on your system even with the admin privileges.

 

How many times did your computer get infected from going to various sites, sites you think are legit? I have in the past; I learned not to look at my emails that have links to things I wasn't looking for after the first couple of times that happened many years ago. Windows 10 hasn't changed much from Windows 7 or Vista where this is concerned either. I don't even use UAC anymore, and asked my IT department to disable it on my work PC too, because I do a lot of testing of new upcoming or trial software, and with that there it's just a pain in the ass for me.


9 minutes ago, Razor01 said:

I don't even use UAC anymore, and asked my IT department to disable it on my work PC too, because I do a lot of testing of new upcoming or trial software, and with that there it's just a pain in the ass for me.

Your IT staff are a bunch of idiots. If they get hacked then they honestly deserve it. 


14 minutes ago, Razor01 said:

They still shouldn't be able to put persistent invasive malware on your system even with the admin privileges.

While this is true, with administrator privileges they can still completely destroy your system, even without this flaw.


3 minutes ago, mynameisjuan said:

Your IT staff are a bunch of idiots. If they get hacked then they honestly deserve it. 

 

No they aren't, that specific system isn't on the same network lol, they created a separate guest network specific for people that have specific needs.


34 minutes ago, LAwLz said:

To me it seems like the attack vector is the Windows drivers (maybe Linux too? It's not mentioned but that might just be because they haven't tested it). Once the PSP is infected it should be possible to attack any OS though.

I went looking and couldn't find any way to update the BIOS from Linux, on Ryzen, that isn't "here's a USB stick maker, go download the BIOS from the motherboard manufacturer's homepage". Maybe I didn't look hard enough, but it strikes me that all of the talk of signed drivers as necessary for the attack vector to work really points to a Windows issue. In fact, it might specifically be a Windows 10 bug more than anything else. (Considering they're claiming attacks on the BIOS, chipset firmware and the SP via a signed driver exploit, this really does sound more and more like an exploit in Windows 10.)

12 minutes ago, Razor01 said:

No they aren't, that specific system isn't on the same network lol, they created a separate guest network specifically for people that have specific needs.

It doesn't matter if it's on a guest network. Someone infects a machine on the guest network, other guest clients can be affected. I don't see how "I am too lazy to press yes" is a specific need.


9 minutes ago, mynameisjuan said:

It doesn't matter if it's on a guest network. Someone infects a machine on the guest network, other guest clients can be affected. I don't see how "I am too lazy to press yes" is a specific need.

Don't worry about the network of the company I work for, they are just fine ;)


Just now, Razor01 said:

Don't worry about the network of the company I work for, they are just fine ;)

Well, at least they think they are. If I was the director they would have been fired long ago. :)


Just now, mynameisjuan said:

Well, at least they think they are. If I was the director they would have been fired long ago. :)

It's in the IT handbook: different people have different needs, you can't rule out something just because it's common practice. The drawback is that that system is my dev system; I can't upload and download files quickly on it, I need to use my laptop, transfer files over and then do my thing. Pain in the ass in one way, but that's ok. In any case this is OT.


CTS = Intel damage control proxy unit?

AMD is fine, Intel is not.

39 minutes ago, Sauron said:

While this is true, with administrator privileges they can still completely destroy your system, even without this flaw.

Yes, but this flaw makes things a lot worse.

How many times do I have to repeat myself? This makes a bad situation even worse. Getting access to the PSP is far worse than "just" having admin privilege.

 

 

37 minutes ago, Taf the Ghost said:

I went looking and couldn't find any way to update the BIOS from Linux, on Ryzen, that isn't "here's a USB stick maker, go download the BIOS from the motherboard manufacturer's homepage". Maybe I didn't look hard enough, but it strikes me that all of the talk of signed drivers as necessary for the attack vector to work really points to a Windows issue. In fact, it might specifically be a Windows 10 bug more than anything else. (Considering they're claiming attacks on the BIOS, chipset firmware and the SP via a signed driver exploit, this really does sound more and more like an exploit in Windows 10.)

It seems that way, but I don't think it's correct saying this is a Windows 10 issue. It's a hardware issue but the attack vector seems to be a Windows driver (not necessarily Windows 10 specific, most likely Windows in general). Also, the driver is the attack vector for some of the attacks, but not all of them.

Once the system is infected though, it should be operating system independent.

 

It could also be that they just haven't looked into the GNU/Linux drivers. Absence of evidence is not evidence of absence.

 

 

Edit: After thinking about it a bit more I am 100% sure that saying "it's a Windows exploit" is wrong.

Here is my rationale for it. The PSP runs its own system which should not let the OS running alongside it modify it. It should just serve as a root of trust which the client OS contacts to make decisions for it.

If we assume that the findings are true however (which I don't see any reason to doubt), then the way the PSP was designed makes it vulnerable to attacks from the OS running alongside it. Even if the attack is limited to just Windows as the "slave" OS, it's still a design flaw in the PSP. You wouldn't say the "attacker" is the one who has a vulnerability, right? It's the target that is vulnerable, and the target is the PSP.

 

Windows is just a proxy used to carry out the attack against the PSP. If I run aircrack-ng on GNU/Linux to attack a WEP network then it's not GNU/Linux that is vulnerable, it's the WEP network.

 

If I run these exploits on Windows to attack the PSP then it's not Windows that's vulnerable, it's the PSP.


18 minutes ago, mynameisjuan said:

Well, at least they think they are. If I was the director they would have been fired long ago. :)

Then you'd have a stagnant and uncomfortable R&D staff with really slow deployment and lots of unnecessary frustration. It is very common, even in top development houses, to have fully unconstrained users on workstations. Imagine automation runs requiring manual UAC consent every run on every new build. Seems like a total nightmare.

Seeing as other sec experts pretty much say, if you need root access you're already vulnerable, this seems more like market assassination, especially with GamersNexus' investigation into the companies, all made within the last year/this year.

On 3/13/2018 at 4:40 PM, Sierra Fox said:

The bias on this forum never ceases to amaze me. If this was Intel everyone would be losing their collective shit and saying they will be switching, but because it's AMD:

"Oh this is a smear campaign paid for by Intel"

"Fake"

"It's fine it will be fixed"

" It won't affect consumers, only companies"

 

The fuck guys?

 

It's good to see that other people see it.


1 hour ago, Razor01 said:

I don't even use UAC anymore, and asked my IT department to disable it on my work PC too, because I do a lot of testing of new upcoming or trial software, and with that there it's just a pain in the ass for me.

Sounds like me at work but only difference is I am part of the IT department lol
