Dubious Research Discovers Ryzen vulnerabilites

[Mercutio]

There's a strong sense of Déjà vu reading this thread as there are many similarities to the way in which the Meltdown and Spectre thread turned into yet another thread where fanboys promoted facts that supported their team and ignored or downplayed those that didn't.
Come on United.
City. City.
Away the lads/fanboys.

Well... no... specifically, Intel weren't correctly protecting the branch prediction pre-processing results. That was the huge hole in all of this.
AMD due to a random, arbitrary decision around using an AI for branch prediction made the results VERY hard to locate AND they required the correct admin access to view them.

Intel actually had an issue, it was a major security hole that required microcode and windows patches to mitigate. AMD have an issue IF someone can get admin rights to your machine... in which case you're screwed either way.

They're only the same thing if you don't like negative things said about Intel so wish to push back with something that sounds similar enough to gain leverage.

 

[Rroff]

AMD have an issue IF someone can get admin rights to your machine... in which case you're screwed either way.

In most cases as well it isn't as simple as just getting admin rights and running an exe - though that is the basic requirement to make it possible - its likely that to take advantage of these exploits they'd also need some details about the machine itself such as motherboard model, etc. to create customised software for the specific target - hence why its only really applicable to hackers that have like state sponsored resources and a high end target where the pay off is worth it in terms of the disruption or information gathered, etc. (unless they just wanted to maliciously brick the machine - which you can do via an intentionally failed BIOS flash, etc. anyhow).

 

[Mercutio]

In most cases as well it isn't as simple as just getting admin rights and running an exe - though that is the basic requirement to make it possible - its likely that to take advantage of this exploit they'd also need some details about the machine itself such as motherboard model, etc. so create customised software for the specific target - hence why its only really applicable to hackers that have like state sponsored resources and a high end target where the pay off is worth it in terms of the disruption or information gathered, etc. (unless they just wanted to maliciously brick the machine - which you can do via an intentionally failed BIOS flash, etc. anyhow).

so... they'd specifically go after AMD, rather than Intel which has something like 95% of corporate/public/government machines?

Again... it applies to both, evenly. Rootkit is rootkit, if you have admin you can do it to both/either quite evenly. The hole was/is the branch prediction data being left nailed to the fence in plain text pre-patch Intel.

How is "get admin, apply board specific AMD backdoor/flaw" different to "get admin, apply board specific backdoor/flaw"

At the point it's about compromising a bios, they'll both have plenty of ways in if you've already got your hands that far in the till. This "finding" shows a bunch of AMD specific flaws that can be introduced to compromise bios security. They were released under NONE of the usual routines and general practices in the security industry. It's a straight up assassination attempt.

 

[Rroff]

so... they'd specifically go after AMD, rather than Intel which has something like 95% of corporate/public/government machines?

Again... it applies to both, evenly. Rootkit is rootkit, if you have admin you can do it to both/either quite evenly. The hole was/is the branch prediction data being left nailed to the fence in plain text pre-patch Intel.

This isn't just another software rootkit though - depending on which group of these exploits you are utilising. The Chimera stuff for instance relies on two things specific to AMD - that AMD's implementation in the Promontory chipset has an oversight that allows bypassing signed code checks (which doesn't seem to exist on Intel's implementations) and that AMD used a 3rd party for their south bridge implementation in a way that hasn't been traditionally done giving tighter integration to the CPU itself and hence more access to deeper into the CPU.

By utilising this you can bury malicious code away far more effectively than is generally possible.

Few interesting side takes on this as well:

https://twitter.com/OSTIFofficial/status/974348788163928064

EDIT: People would do well actually to spend a bit of time reading through Dan Guido's twitter there are a lot of people chipping in with observations and additional information that isn't making it to other forums and the media.

 

[Mercutio]

This isn't just another software rootkit though - depending on which group of these exploits you are utilising. The Chimera stuff for instance relies on two things specific to AMD - that AMD's implementation in the Promontory chipset has an oversight that allows bypassing signed code checks (which doesn't seem to exist on Intel's implementations) and that AMD used a 3rd party for their south bridge implementation in a way that hasn't been traditionally done giving tighter integration to the CPU itself and hence more access to deeper into the CPU.

By utilising this you can bury malicious code away far more effectively than is generally possible.

Ok, so... on that specific point, hands up.
We don't yet know of similarly deep attack specific to Intel.

The IntelME runs on minix. It's literally a simple unix platform running the show. You want to say that it'll definitely be more secure and definitely less attractive to a potential bad agent?

I'm maybe straw-manning SLIGHTLY there but... come on. You're riding this a long way beyond basic reason yourself too. At the point you're talking about "state sponsored" bad agents, while at the same time conveniently ignoring the huge disparity with the user base split and where a state hackers resources will be spent...

The AMD attack requires elevated local admin, all of them. Like .
The major part of the Intel attacks were that they didn't. Any old bit of java code, accepted to run in a drive-by browser viewing of a bad page was enough to have the machine spill it's guts.

AMD requires:
1) Local admin
2) The determination to develop machine specific root kits for a vastly smaller user base
3) The determination to develop.................................... for home users, generally NOT corp/government.

How are these even REMOTELY similar?

 

[Rroff]

Ok, so... on that specific point, hands up.
We don't yet know of similarly deep attack specific to Intel.

The IntelME runs on minix. It's literally a simple unix platform running the show. You want to say that it'll definitely be more secure and definitely less attractive to a potential bad agent? I'm maybe straw-manning SLIGHTLY there but... come on. You're riding this a long way beyond basic reason yourself too.

Very true we don't know yet - given the previous AMT vulnerabilities, etc. it wouldn't surprise me if some day someone found them in fact I'm worried they will - potentially that dwarfs the likes of Meltdown for impact (which I think also answers your second part).

I'm not sure if this has been linked to yet as I've quite a few people on ignore but this gives a breakdown of what these exploits are and aren't:

https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/

Most of what I've seen of it reproduced here have been brief snippets misrepresented.

How are these even REMOTELY similar?

Not sure the relevance - sure Meltdown, etc. is worse but that is like trying to whitewash Harold Shipman because not as many people were killed due to him as Hitler. As per the posts I've linked to I've talked along similar lines about this kind of stuff in the Intel thread as well:

https://forums.overclockers.co.uk/posts/31485718

Intel are going to have to up their game - this isn't the only serious and long standing hardware vulnerability that has come to light lately with their hardware - there have been at least 2 AMT disclosures in the last 6 months - and people seem to have quickly forgotten about stuff like https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/

EDIT: On a completely different note but on the subject of security this looks like a nasty one: https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/ if I'm reading that right in theory a malicious site could use a hand craft ogg file to break out the browser.

 

[smilingcrow]

Well... no... specifically, Intel weren't correctly protecting the branch prediction pre-processing results. That was the huge hole in all of this.
AMD due to a random, arbitrary decision around using an AI for branch prediction made the results VERY hard to locate AND they required the correct admin access to view them.

Intel actually had an issue, it was a major security hole that required microcode and windows patches to mitigate. AMD have an issue IF someone can get admin rights to your machine... in which case you're screwed either way.

They're only the same thing if you don't like negative things said about Intel so wish to push back with something that sounds similar enough to gain leverage.

I wasn't talking about the actual exploits at all but how fanboys responded in both cases.
Thanks for making the point for me as you ignored the whole thrust of my post to push your agenda. Classic.

 

[TrixP10]

Very true we don't know yet - given the previous AMT vulnerabilities, etc. it wouldn't surprise me if some day someone found them in fact I'm worried they will - potentially that dwarfs the likes of Meltdown for impact (which I think also answers your second part).

I'm not sure if this has been linked to yet as I've quite a few people on ignore but this gives a breakdown of what these exploits are and aren't:

https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/

Most of what I've seen of it reproduced here have been brief snippets misrepresented.



Not sure the relevance - sure Meltdown, etc. is worse but that is like trying to whitewash Harold Shipman because not as many people were killed due to him as Hitler. As per the posts I've linked to I've talked along similar lines about this kind of stuff in the Intel thread as well:

https://forums.overclockers.co.uk/posts/31485718



EDIT: On a completely different note but on the subject of security this looks like a nasty one: https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/ if I'm reading that right in theory a malicious site could use a hand craft ogg file to break out the browser.

Bored now

https://seekingalpha.com/article/4157242-amd-cts-labs-story-failed-stock-manipulation

 

[Rroff]

Bored now

https://seekingalpha.com/article/4157242-amd-cts-labs-story-failed-stock-manipulation

What of it?

Rather than clown comments, sniping and repeatedly linking to content you've obviously not digested and does not refute and in some cases even backs up what I'm saying maybe contribute something to the thread.

 

[humbug]

What of it?

Rather than clown comments, sniping and repeatedly linking to content you've obviously not digested and does not refute and in some cases even backs up what I'm saying maybe contribute something to the thread.

The whole thing contradicts your argument, that's why he keeps quoting it at you.

 

[r7slayer]

I found a MASSIVE MASSIVE EXPLOIT and every PC suffers from this even more so servers. Holding down the power button turns them off
*OMG SHOCK HORROR*

Just like these exploits they listed you need admin privileges and to have some sort of physical access to the computer such as sat in front of it. So unless your leaving your computer turned on with no password then the hacker can walk upto your computer and rain anarchy. Just like my new exploit i found where they can literally turn off your computer with nothing you can do.

I'm sorry Rroff but entertaining this which not only affects AMD but intel too, but this campaign is made out to only affect AMD is complete and utter nonsense. Ive spent too much time looking into this and found it to be completely stupid. But you are entertaining and humouring this. The general consensuses is this is fake news.

 

[Rroff]

I found a MASSIVE MASSIVE EXPLOIT and every PC suffers from this even more so servers. Holding down the power button turns them off
*OMG SHOCK HORROR*

Just like these exploits they listed you need admin privileges and to have some sort of physical access to the computer such as sat in front of it. So unless your leaving your computer turned on with no password then the hacker can walk upto your computer and rain anarchy. Just like my new exploit i found where they can literally turn off your computer with nothing you can do.

I'm sorry Rroff but entertaining this which not only affects AMD but intel too, but this campaign is made out to only affect AMD is complete and utter nonsense. Ive spent too much time looking into this and found it to be completely stupid. But you are entertaining and humouring this. The general consensuses is this is fake news.

*facepalm* go and actually read some of the links in the last page - no physical access is required the rest of your points are as wrong as that one. This is the research multiple sites are using as a basis to downplay the implications and it says:

Exploitation requirements

• All exploits require the ability to run an executable as admin (no physical access is required)
  
• MASTERKEY additionally requires issuing a BIOS update + reboot

It would be nice if for two seconds some people in this thread stopped acting like a football team fanboy army and actually went and objectively read and digested the information out there instead of repeating the same wrong information or trying to refute me with links that actually support what I'm saying.

EDIT: As always because people seem to quickly forget my initial posts we are still waiting for AMD to confirm how viable these exploits actually are - all security researchers have done so far is verify that the proof of concept is based on something real but it needs significant resources or AMD testing to verify actual workability.

 

[humbug]

r7slayer is right, the only way this could possibly effect you is if you invite a computer hacker into your home and physical access to your computer, this for any computer with any CPU in it.

CTS-Labs have been discredited for twisting that into something its not, to such an extent they may yet find themselves in a court of law.

Some people just cannot accept the truth of all this and let it go.

This thread needs to be closed.

 

[Rroff]

I think people need to read this article and actually take it in: https://www.extremetech.com/computi...ith-amd-security-disclosures-digs-deeper-hole this is the basis for a large part of the Seeking Alpha article that many here are leaning on. Notice statements such as:

Where Zilberman errs is when he blames the entirety of the response to CTS Labs’ disclosures on the company’s decision not to provide technical proof of its findings. He writes that his company has been “paying that price of disbelief in the past 24h.”

Except that’s not what actually happened. Few reputable publications have questioned the existence of the flaws themselves, particularly when Dan Guido of TrailofBits declared that he’d validated and confirmed that all 13 exist.

One aspect that article doesn't sufficiently cover is the implications of the ASMedia controllers:

If these Asmedia flaws are common to Intel, AMD, and standalone cards, Intel users and expansion card users absolutely should’ve been notified. If they’re unique to AMD users, CTS Labs needed to explain why. It has not.

There are several aspects here as to why currently this is a focus on AMD - despite the sub-standard security and lacking mitigation against exploitation inherent on these controllers to actually leverage them in any useful way as in uploading a modified firmware is dependant on oversights in the AMD architecture where Masterkey can be used to work around the signed code checks and that in their Promontory chipset AMD have given them closer integration to the main system meaning that once compromised they can be better used to do malicious things with the rest of the system - on other implementations they are currently less directly connected into the CPU so it isn't enough just to break into them - you need to then find ways to breakout from them into the main system - on AMD this has been shown as theoretically possible due to the specific way AMD have implemented the controllers.

(EDIT: Rather than take my word for it - here is the exact wording from Dan Guido: "The chipset has full access to the system memory and devices. The CHIMERA vulnerability abuses exposed interfaces of the AMD Promontory chipset to gain code execution in the chipset processor." this is s a significant difference to Intel and other's implementation - you don't just need a flawed chipset on the board you need both a way to get to those flaws and way to effectively utilise them).

Finally

While we’re still waiting for AMD or another third party to release more details, it’s clear there’s a real problem here. But the question raised by CTS Labs behavior isn’t whether there are flaws in AMD’s chipsets or Ryzen CPUs. It’s a question of whether those flaws were fairly or accurately characterized given the company’s scaremongering, and a further question of whether the disclosure was targeted and timed as part of a scheme to harm AMD’s stock price, as opposed to a straightforward, good-faith security disclosure.

On these issues, Zilberman is silent.

It is almost certainly a case of a fledgeling security company going off half-cocked chasing their 15 minutes of fame and being taken advantage of by entities with an interest in seeing AMD fail or some other financial investment but that doesn't mean there is nothing at all to the technical side, despite being weaponised for financial or other gain and blown out of proportion, or that because many of these issues aren't particularly noteworthy that some aspects of them can't be leveraged [pending verification] for deeper intrusions as the concepts tend to suggest is possible despite being overplayed for what they are.

 

[humbug]

I think people need to read this article and actually take it in: https://www.extremetech.com/computi...ith-amd-security-disclosures-digs-deeper-hole this is the basis for a large part of the Seeking Alpha article that many here are leaning on. Notice statements such as:



One aspect that article doesn't sufficiently cover is the implications of the ASMedia controllers:



There are several aspects here as to why currently this is a focus on AMD - despite the sub-standard security and lacking mitigation against exploitation inherent on these controllers to actually leverage them in any useful way as in uploading a modified firmware is dependant on oversights in the AMD architecture where Masterkey can be used to work around the signed code checks and that in their Promontory chipset AMD have given them closer integration to the main system meaning that once compromised they can be better used to do malicious things with the rest of the system - on other implementations they are currently less directly connected into the CPU so it isn't enough just to break into them - you need to then find ways to breakout from them into the main system - on AMD this has been shown as theoretically possible due to the unique way AMD have implemented the controllers.

Finally

How do you get this.

AMD - despite the sub-standard security and lacking mitigation against exploitation inherent on these controllers to actually leverage them in any useful way as in uploading a modified firmware is dependant on oversights in the AMD architecture where Masterkey can be used to work around the signed code checks

From this.

If these Asmedia flaws are common to Intel, AMD, and standalone cards, Intel users and expansion card users absolutely should’ve been notified. If they’re unique to AMD users, CTS Labs needed to explain why. It has not.

And then what you are ignoring.

It appears that CTS Labs first found vulnerabilities in Asustek’s chipsets and validated them (likely on Intel (NASDAQ:INTC) x86 systems). Then, the Company went to look for those same errors and others in AMD x86-based systems. However, instead of pointing out that security problems existed in tens, if not hundreds, of millions of systems with Intel and AMD chips, CTS decided to target AMD.

Intel and AMD use the same Chip-Sets in the same way, the chances are this was found during the original Intel Spectre exploit discoveries. if one is vulnerable then yes so is the other and its no good you saying people ain't reading it right, its in plain black and white, everything you are quoting is in direct contraction to what you say about it.

I know you're reading all this, you respond to this thread everytime i do, its obvious.

 

[r7slayer]

All exploits require the ability to run an executable as admin (no physical access is required)

So just like any other virus then? Seriously Rroff...
It's been aimed at AMD like it's significant to only them, but really it affects Intel also. And to run a executable as an admin means some how getting that said executable on a user's PC then getting them to run it with admin privileges. You would have to disguise it as something else legitimate? Which means some one who is not very smart or a uneducated user that download something from a non legit site. And most antivirus are good at picking up non certified executables anyway. More a PEBKAC problem than a vulnerability. Or rather that is the vulnerability PEBKAC.

Maybe take a step back and see its not like a football team army coming in at AMD's defence but more people who are wise enough to realise it's complete utter nonsense blown out of disproportion under the recent guise of the spectre and meltdown issues.

• MASTERKEY additionally requires issuing a BIOS update + reboot

Again this requires physically access to the PC ... Unless the user likes leaving their computer widely available on their home network over the internet. Which when you read it back where is the vulnerability there?

(and most likely needs admin privileges again)

 

[Rroff]

All exploits require the ability to run an executable as admin (no physical access is required)

So just like any other virus then? Seriously Rroff...
It's been aimed at AMD like it's significant to only them, but really it affects Intel also. And to run a executable as an admin means some how getting that said executable on a user's PC then getting them to run it with admin privileges. You would have to disguise it as something else legitimate? Which means some one who is not very smart or a uneducated user that download something from a non legit site. And most antivirus are good at picking up non certified executables anyway. More a PEBKAC problem than a vulnerability. Or rather that is the vulnerability PEBKAC.

Maybe take a step back and see its not like a football team army coming in at AMD's defence but more people who are wise enough to realise it's complete utter nonsense blown out of disproportion under the recent guise of the spectre and meltdown issues.

• MASTERKEY additionally requires issuing a BIOS update + reboot

Again this requires physically access to the PC ... Unless the user likes leaving their computer widely available on their home network over the internet. Which when you read it back where is the vulnerability there?

(and most likely needs admin privileges again)

The problem here is that it isn't just like any other virus though it might have the same requirements to gain a foothold in the first place - the problem is that once it gains a foothold it has far more usefulness in terms of persistence and ability to be used to gain lateral elevation through an otherwise secure network:

Potential technical impact

• Code execution in the PSP and SMM (no visibility to typical security products)
• Persistence across OS reinstallation and BIOS updates
• Block or infect further BIOS updates, or brick the device
• Bypass Windows Credential Guard
• Bypass Secure Encrypted Virtualization (SEV)
• Bypass Secure Boot
• Bypass or attack security features implemented on top of the PSP (e.g., fTPM)

Notice the "no visibility to typical security products" and that it can bypass many typical security measures once in place.

You are thinking in too narrow a scope - it has already been defined that the exposure for the average home user is fairly insignificant - I said as much with my first two comments in this thread but there are areas like business networks where these features can be far more useful and the scale of using these exploits less of a barrier for entry i.e. if you are a state sponsored hacking group that are trying to steal trade secrets and there are many more potential avenues to get into those networks - exposed remote access, social manipulation, employee laziness, etc. despite the often tougher security especially around local admin user controls.

Also exploits do happen that allow an attacker into the system - just a few days ago a critical issue was found in Firefox:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/

Notice the threat level for this flaw is "Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing." very timely disclosure for my purposes - bingo there is your potential way into even the average home user system* and a way to get that exe rolling - a BIOS flash and reboot later (which DOES NOT REQUIRE PHYSICAL ACCESS) and boom. Well aside from it isn't quite that simple as you'd need to craft the software uniquely to take advantage of the specific motherboard, etc. used by the target hence why Dan's update:

There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities.

That doesn't mean the threat isn't there [in concept - it is still pending verification from AMD] just that there are limited areas where its worth even trying to utilise it.


* Sure this particular avenue will quickly become cut off as users update Firefox to patched versions and/or avoid browsing dodgy sites that might take advantage of the flaw. But it just demonstrates that these things happen.

 

[humbug]

No of this is anything new, just as CTS-Labs tried Roff is taking a fundamental truth and twisting it into a new exploit vulnerability, when infact these are universal rout kit tools that the security industry as a whole is and has already been tackling since the dawn of internet computing, again just as CTS-Labs did Roff is also completely ignoring the fact that Intel system are equally effected, its why CTS-Labs are now discredited, they had an agenda to damage AMD.

Keep your Windows Firewall and Anti Virus upto date, this is a continuation of the AMD fear mongering.

 

[TrixP10]

No of this is anything new, just as CTS-Labs tried Roff is taking a fundamental truth and twisting it into a new exploit vulnerability, when infact these are universal rout kit tools that the security industry as a whole is and has already been tackling since the dawn of internet computing, again just as CTS-Labs did Roff is also completely ignoring the fact that Intel system are equally effected, its why CTS-Labs are now discredited, they had an agenda to damage AMD.

Keep your Windows Firewall and Anti Virus upto date, this is a continuation of the AMD fear mongering.

I think this thread has become very tribal - blue team vs red team.

I'm ALL AMD and none of these current threats bother me in the slightest. I do get the feeling that some of the blue team (not all) are still smarting from the Meltdown debacle. Meltdown patches - what Meltdown patches. Yeah - Meltdown, that serious threat. When all said and done CTS-Labs pr stunt was a pure attempt at market manipulation. AMD has recently become quite a threat to the big boys and subsequently since their success they have been a target of short sellers and dubious 'market analysts'. That topic is a more worthy discussion than CTS-scams.labs.

 

[Rroff]

I think this thread has become very tribal - blue team vs red team.

I'm ALL AMD and none of these current threats bother me in the slightest. I do get the feeling that some of the blue team (not all) are still smarting from the Meltdown debacle. Meltdown patches - what Meltdown patches. Yeah - Meltdown, that serious threat. When all said and done CTS-Labs pr stunt was a pure attempt at market manipulation. AMD has recently become quite a threat to the big boys and subsequently since their success they have been a target of short sellers and dubious 'market analysts'. That topic is a more worthy discussion than CTS-scams.labs.

I'm really not sure what you are referring to - aside from the fact the pro-AMD lot are constantly trying to make comparisons to Intel, as if that matters, which in this context it doesn't - just because someone else is worse doesn't make something wrong less so.

Aside a couple of people who've borderline trolled from the nVidia versus AMD angle there has been little to no contribution from anyone here from the blue team - if you take a moment to read some of my posts I've linked to I've been far more scathing in regard to Intel when it comes to flaws like this than I have of AMD.

The only thing I've been particularly critical of AMD over in this instance is their handling of PR - the rest - well these things happen and the main thing is they are addressed and dealt with as quickly as possible.

I don't like AMD and I've never hid that - I am not a fan of the way they talk big but generally fail to deliver on the talk and then say nothing at all when they should be talking and can't support them as a company because of that. To read from that that I have to be pro-Intel is misguided at best. My position on Intel is ambiguous at best I've made positive and negative comments about them in roughly equal measure - I don't love them, don't really hate them though there are things they do such as lack of transparency or control over AMT features and incremental performance increases, holding back tech progress as there hasn't been much competition before Zen came along and ever increasing prices and at times anti-competitive practises which don't really enamour me with the company.

Now nVidia fanboy you could put me in that camp, though I'm not a huge fan of the company but I do like their products and they generally deliver when they say they will, mostly.