• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Meltdown-like Vulnerability Affects AMD Zen+ and Zen2 Processors

Joined
Jul 9, 2015
Messages
3,413 (1.00/day)
System Name M3401 notebook
Processor 5600H
Motherboard NA
Memory 16GB
Video Card(s) 3050
Storage 500GB SSD
Display(s) 14" OLED screen of the laptop
Software Windows 10
Benchmark Scores 3050 scores good 15-20% lower than average, despite ASUS's claims that it has uber cooling.
Joined
Jul 9, 2015
Messages
3,413 (1.00/day)
System Name M3401 notebook
Processor 5600H
Motherboard NA
Memory 16GB
Video Card(s) 3050
Storage 500GB SSD
Display(s) 14" OLED screen of the laptop
Software Windows 10
Benchmark Scores 3050 scores good 15-20% lower than average, despite ASUS's claims that it has uber cooling.
Have you read the pdf? Please do if you haven't and if you don't find it, I'll do my best to help you out.
Could you share the link to the specific PDF you mean please? The one in your post is an html page with 2 PDFs.
 
Joined
Aug 20, 2007
Messages
21,469 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
The mitigation for this vulnerability is just a minor, easily made, change to existing mitigations.
That's easy to say but when you have a old software application that's not being updated it just means you are screwed.

I'm pretty sure the decades old court reporter record reading software we run won't see such an update.
 
Joined
Jul 5, 2013
Messages
27,823 (6.68/day)
That's easy to say but when you have a old software application that's not being updated it just means you are screwed.
You're failing to understand how this vulnerability works. Old software, of any kind, is not an entry vector of attack. Like Meltdown, a software package has to be delivered to the target system and run by a user physically attending the system.
I'm pretty sure the decades old court reporter record reading software we run won't see such an update.
See above.
 
Joined
Aug 20, 2007
Messages
21,469 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
You're failing to understand how this vulnerability works. Old software, of any kind, is not an entry vector of attack.
Oh, so the old software already includes an LFFENCE to prevent it being used for priviledge escalation?

I'm starting to think you don't really understand this. I mean that with no offense intended. It's tough material.
 
Joined
Jul 5, 2013
Messages
27,823 (6.68/day)
Oh, so the old software already includes an LFFENCE to prevent it being used for priviledge escalation?
And how would an attacker do that? Hmm? Are they going to wave an Elder wand?
I'm starting to think you don't really understand this.
Likewise, and as AMD has already made a statement on the matter after months of research....
It's tough material.
Seemingly so..
 
Joined
Aug 20, 2007
Messages
21,469 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
And how would an attacker do that? Hmm? Are they going to wave an Elder wand?
A dumb end user. You can't trust them all but you can fence them off. At least, you can on certain cpus.
 
Joined
Jul 5, 2013
Messages
27,823 (6.68/day)
A dumb end user. You can't trust them all but you can fence them off. At least, you can on certain cpus.
So what you are saying is that...
a user physically attending the system.
...is required. At that point older software is not relevant as you still need to deliver a software payload to initiate the attack.

So how am I failing to understand?
 
Joined
Aug 20, 2007
Messages
21,469 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
You can't priviledge escalate a bug that does not exist. Even if the user downloads something via social engineering. That's why a microcode approach is more reliable.
 
Joined
Aug 20, 2007
Messages
21,469 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Joined
Jul 5, 2013
Messages
27,823 (6.68/day)
Ah, I see now...
Yeah. It's not a big hole but it's there. Requires a lot of human failure
My sarcasm might have been a bit too subtle there..

While this vulnerability is real, exploiting it(much like Spectre, Meltdown and all of that ilk) is so crazy difficult that it isn't worth worrying about unless you have something worth stealing and people know you have something worth stealing. So AMD's response is appropriate, as is mine. It's very, very nearly nothing-sauce.
 
Joined
Aug 20, 2007
Messages
21,469 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
It's very, very nearly nothing-sauce.

and I'll profesionally disagree with you.

It's nothing-sauce for the average home user, but not everyone of AMDs clients is the average home user.

I for one am glad there are no Zen/Zen 2 cpus in my org, as I'd have to treat them special, and thats just extra headache for me.

I know you have your opinions on this. I am curious if they'd be the same if you had to sign the same contracts I do, but that's really beyond where we should go for this topic. I respect your right to disagree, regardless.
 
Joined
Jul 5, 2013
Messages
27,823 (6.68/day)
It's nothing-sauce for the average home user, but not everyone of AMDs clients is the average home user.
Fully agree with you there.
I for one am glad there are no Zen/Zen 2 cpus in my org, as I'd have to treat them special, and thats just extra headache for me.
That only requires a risk assessment analysis. However, that difficulty can not be understated for some organizations.
I know you have your opinions on this. I am curious if they'd be the same if you had to sign the same contracts I do, but that's really beyond where we should go for this topic. I respect your right to disagree, regardless.
For business/industrial/corp/gov entities there needs to be serious consideration on a case by case basis. But once again, not all situations warrant concern for potential attack. I am governed by regulations and those guidelines require due diligence. While risk assessment will be done, my earlier statements are based on previous similar vulnerabilities analysis.
 
Top