
13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

Joined
May 6, 2012
Messages
184 (0.04/day)
Location
Estonia
System Name Steamy
Processor Ryzen 7 2700X
Motherboard Asrock AB350M-Pro4
Cooling Wraith Prism
Memory 2x8GB HX429C15PB3AK2/16
Video Card(s) R9 290X WC
Storage 960Evo 500GB nvme
Case Fractal Design Define Mini C
Power Supply Seasonic SS-660XP2
Software Windows 10 Pro
Benchmark Scores http://hwbot.org/user/kinski/ http://valid.x86.fr/qfxqhj https://goo.gl/uWkw7n
True, but then again, so is everything else these days. Meltdown & Spectre require even more specific conditions to be exploited. And those are taken seriously. The main reasons certain groups of people are calling foul is that these are mostly AMD-specific vulnerabilities coming out of an Intel-friendly country from an unknown group who made a mistake concerning the announcement. The same kind of group kept bashing Intel over Meltdown & Spectre calling them flaws of design, which they are not. Then it came to light that Spectre affected every CPU made, with few exceptions, since 1993. Then those same people stopped whining and looked at the problems for what they were. Now we have information that shows Intel platforms are affected to some degree by these new vulnerabilities.

What the people complaining seem to be missing is that these discoveries are beneficial to everyone. It doesn't matter who likes what company, who profits from them, who made a mistake in timing of announcement or what level of specific expertise is needed to pull off an effective exploit. What matters is the knowledge we all gain from these discoveries and the benefit from that knowledge for future advancements.

Incorrect, it's the way these were communicated that people are calling foul.

Meltdown and Spectre allow for an unprivileged account on a VM to read from host memory. I'd say that's almost a universal exploit.

https://blog.acolyer.org/2018/01/15/meltdown/
https://blog.acolyer.org/2018/01/16/spectre-attacks-exploiting-speculative-execution/
 

Veradun

New Member
Joined
Mar 13, 2018
Messages
19 (0.01/day)
But 13 of them are. And like Meltdown & Spectre, this situation is turning into something much larger.

If you give me your car keys I can:
- open your car
- get inside
- remap your control unit
- turn on the engine
- drive it to the end of the world
- steal the contents
- damage the interiors
- install a remotely controlled microphone
- install a remotely controlled camera
- tinker with the seat so that in case of a crash you get killed
- fart on your seat

So your car has major security issues.
 
Joined
Jul 5, 2013
Messages
27,860 (6.69/day)
Incorrect, it's the way these were communicated that people are calling foul.
Then they're complaining about nothing. There are no legal requirements anywhere in the world that state those making a discovery of a vulnerability have to give the manufacturers any heads up at all. So therefore any warning at all, even if a bit sloppy, is better than nothing.

If you give me your car keys I can:
- open your car
- get inside
- remap your control unit
- turn on the engine
- drive it to the end of the world
- steal the contents
- damage the interiors
- install a remotely controlled microphone
- install a remotely controlled camera
- tinker with the seat so that in case of a crash you get killed
- fart on your seat

So your car has major security issues.
There is one flaw in your logic. You don't need the car keys for that. Every car, even the newest ones, can be hot-wired or tricked into operating without the key. Likewise, PCs, regardless of the OS, can be tricked into operating without the proper "keys", giving full access to the device. It is then a trivial effort to exploit them, just like a car.
 

Veradun

New Member
Joined
Mar 13, 2018
Messages
19 (0.01/day)
Then they're complaining about nothing. There are no legal requirements anywhere in the world that state those making a discovery of a vulnerability have to give the manufacturers any heads up at all. So therefore any warning at all, even if a bit sloppy, is better than nothing.

No. The goal of warning the involved companies far before going public is to protect first and foremost whoever is affected by the vulnerabilities since they would be fixed before there is notice of those vulnerabilities. If you go public, even without a full disclosure, you give wannabe attackers a direction on where to look for the holes. So definitely no, it's not better this way.
 
Joined
Dec 31, 2009
Messages
19,371 (3.56/day)
Benchmark Scores Faster than yours... I'd bet on it. :)
Listen, I can't do much about the front door of the house already being broken open, however, I can lock down the bedrooms. ;)
 
Joined
Jul 5, 2013
Messages
27,860 (6.69/day)
No. The goal of warning the involved companies far before going public is to protect first and foremost whoever is affected by the vulnerabilities since they would be fixed before there is notice of those vulnerabilities. If you go public, even without a full disclosure, you give wannabe attackers a direction on where to look for the holes. So definitely no, it's not better this way.
Ok, you're just trolling. Let it go.
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Then they're complaining about nothing. There are no legal requirements anywhere in the world that state those making a discovery of a vulnerability have to give the manufacturers any heads up at all. So therefore any warning at all, even if a bit sloppy, is better than nothing.


There is one flaw in your logic. You don't need the car keys for that. Every car, even the newest ones, can be hot-wired or tricked into operating without the key. Likewise, PCs, regardless of the OS, can be tricked into operating without the proper "keys", giving full access to the device. It is then a trivial effort to exploit them, just like a car.

No legal requirement is a slippery slope. Let's not go there.

It's standard procedure in the industry, though.

Also, to add, it's increasingly difficult, without access to specific exploits, to run a car without a key. There's a whole industry that works tirelessly to find the exploits, though. But we call them thieves.
 
Joined
Jul 5, 2013
Messages
27,860 (6.69/day)
No legal requirement is a slippery slope. Let's not go there. It's standard procedure in the industry, though.
The point is, they have no obligations. No one does. Therefore the fact that they disclosed the technical details only to responsible parties was a good thing and they followed a procedure, even if it wasn't perfect.

Also, to add, it's increasingly difficult, without access to specific exploits, to run a car without a key. There's a whole industry that works tirelessly to find the exploits, though. But we call them thieves.
Yes, and that is the kind of people we have to worry about with technology as well. PCs, much like cars, have varying levels of difficulty in cracking.
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Responsible parties is something I can't agree with. Purely based on the fact that Viceroy was one of the first to publish on this issue after CTS-Labs.
 
Joined
May 6, 2012
Messages
184 (0.04/day)
You can't say that they disclosed them to responsible parties, since for a fact they provided information on these to Viceroy well in advance (the 25-page report Viceroy published 3h after CTS-Labs went public suggests they had time to prepare).

If information was for sale then how can you assume that the exploits weren't?
 
Joined
Sep 29, 2011
Messages
217 (0.05/day)
Location
Ottawa, Canada
System Name Current Rig
Processor Intel 12700K@5.1GHz
Motherboard MSI Pro Z790-P
Cooling Arctic Cooling Liquid Freezer II 360mm
Memory 2x16GB DDR5-6000 G.Skill Trident Z RGB
Video Card(s) MSI Gaming X Trio 6800 16GB
Storage 1TB SSD
Case Cooler Master Storm Striker
Power Supply Antec True Power 750w
Keyboard IBM Model 'M"
That's it? You're just going to call me a fanboy?

Not fact, opinion. It is your opinion, and only your opinion. That opinion is based on assumptions that have no credibility.

I'm not going to remark on the rest of that drivel. Let it go, seriously.

So, having an article posted on a high traffic tech journal website with the title: "Vulnerabilities discovered in AMD Zen, including backdoors" doesn't lend credibility to the baseless accusations of 'vulnerabilities' in AMD Zen CPUs? That's NOT a fact? Hmmm. Perhaps you also don't think it's true that a headline in an otherwise credible newspaper that says 'Alien contact made' implies that we've made contact with aliens? Very interesting idea of yours there on what is a fact and what isn't.

Also, your failure to remark on the rest of my post doesn't make it drivel. That's just your opinion. :) As for letting this go, well, I own shares of AMD, and I'm not too thrilled with the idea of a website posting bogus allegations that serve to damage AMD's share value as a news item. So no, I'm not going to just 'let it go.'
 
Joined
Sep 29, 2011
Messages
217 (0.05/day)
Oh, it isn't ikekekekeke, it's anubis that believes they don't exist...apologies ikeke
...sweet baby jebus people... :(

Oh, you mean the 'vulnerability' that exists if you:
1) Have the administrator password
2) Are personally at the machine
3) Can flash the BIOS

You mean THAT crazy vulnerability? The one that EVERY computer ever made has? Yeah, that's a really BIG news item. Nobody in tech EVER suspected that you could take control of a computer and install malware on it if you personally flashed the BIOS with a corrupt one. That was a vulnerability we were talking about in the 1980s, people. It's not NEWS. It's common knowledge. It's like saying: NEWSFLASH! Humans need BLOOD in their bodies or they DIE! Quick! It's an EMERGENCY! We've JUST FIGURED THIS OUT!!! It's not that it isn't true, it's that it's not true that it's some kind of newly discovered vulnerability. It's not NEWS. It's like saying: "Warning! Your car could be stolen if somebody breaks the window and the keys are in the car! Everybody needs to hear this! It's NEWS!!!" No, it isn't news.
 
Joined
Jul 5, 2013
Messages
27,860 (6.69/day)
As for letting this go, well, I own shares of AMD, and I'm not too thrilled with the idea of a website posting bogus allegations that serve to damage AMD's share value as a news item. So no, I'm not going to just 'let it go.'
So you admit you're biased and unable to be objective. If you'd said that to begin with..
 
Joined
Dec 31, 2009
Messages
19,371 (3.56/day)
Benchmark Scores Faster than yours... I'd bet on it. :)
Oh, you mean the 'vulnerability' that exists if you:
1) Have the administrator password
2) Are personally at the machine
3) Can flash the BIOS

You mean THAT crazy vulnerability? The one that EVERY computer ever made has? Yeah, that's a really BIG news item. Nobody in tech EVER suspected that you could take control of a computer and install malware on it if you personally flashed the BIOS with a corrupt one. That was a vulnerability we were talking about in the 1980s, people. It's not NEWS. It's common knowledge. It's like saying: NEWSFLASH! Humans need BLOOD in their bodies or they DIE! Quick! It's an EMERGENCY! We've JUST FIGURED THIS OUT!!! It's not that it isn't true, it's that it's not true that it's some kind of newly discovered vulnerability. It's not NEWS. It's like saying: "Warning! Your car could be stolen if somebody breaks the window and the keys are in the car! Everybody needs to hear this! It's NEWS!!!" No, it isn't news.
But, the allegations are not bogus. You can minimize them if you would like, we get it, you own stock, it's in your own vested interest to do so.

Cheers though... I tried to stay out of this thread because as we know, opinions are like assholes and all (everybody has one). I should have tried harder.

We'll let the CVEs and further explanations take care of this noise.
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Explanation for one was, from the video, that you need a specific motherboard with the OS on bare metal and admin on said combo. They acknowledged in the video that it won't work on all motherboards.

Again, once you have admin with the possibility to flash the BIOS, anything is possible. You have full access on the machine, you can do anything.
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Haven't seen them, can't say.

But thus far CTS-Labs has not been able to validate their extraordinary claims of, quote:

https://amdflaws.com/
Am I affected?
Any consumer or organization purchasing AMD Servers, Workstations, or Laptops are affected by these vulnerabilities.


Which, I'd say is as clear of a case of FUD as there ever was.
 
Joined
Dec 31, 2009
Messages
19,371 (3.56/day)
Benchmark Scores Faster than yours... I'd bet on it. :)
Which, I'd say is as clear of a case of FUD as there ever was.
Is it though? I don't think so. They do go on to explain things a bit and we, both, have no idea of the scope of these. I'm just amazed that so many people can call it absolutely BS without flinching and with such little ACTUAL evidence. Oh well, time will tell. ;)
 
Joined
May 6, 2012
Messages
184 (0.04/day)
If they have such extraordinary claims then I'm not buying it after the first example. Again, I'm pointing at the case they made as these being super critical flaws, not at the exploits per se.

For all it's worth, it could right now boil down to a broken BIOS verification mechanism in some OEMs' implementation. Now, that is not difficult to fix, I know for a fact.

edit: Also, BIOS password in place? Exploit useless.

editx2: and now, this https://www.anandtech.com/show/12556/amd-confirms-exploits-patched-in-weeks

The salient high-level takeaway from AMD is this:

  1. All the issues can be confirmed on related AMD hardware, but require Admin Access at the metal
  2. All the issues are set to be fixed within weeks, not months, through firmware patches and BIOS updates
  3. No performance impact expected
  4. None of these issues are Zen-specific, but relate to the PSP and ASMedia chipsets.
  5. These are not related to the GPZ exploits earlier this year.
https://community.amd.com/community...amd-technical-assessment-of-cts-labs-research

Someone's going to get a call from the law..
https://www.bloomberg.com/news/arti...-vulnerability-says-report-exaggerated-danger
 

bug

Joined
May 22, 2015
Messages
13,786 (3.96/day)
Processor Intel i5-12600k
Motherboard Asus H670 TUF
Cooling Arctic Freezer 34
Memory 2x16GB DDR4 3600 G.Skill Ripjaws V
Video Card(s) EVGA GTX 1060 SC
Storage 500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 2TB Crucial MX500
Display(s) Dell U3219Q + HP ZR24w
Case Raijintek Thetis
Audio Device(s) Audioquest Dragonfly Red :D
Power Supply Seasonic 620W M12
Mouse Logitech G502 Proteus Core
Keyboard G.Skill KM780R
Software Arch Linux + Win10
If they have such extraordinary claims then I'm not buying it after the first example. Again, I'm pointing at the case they made as these being super critical flaws, not at the exploits per se.

For all it's worth, it could right now boil down to a broken BIOS verification mechanism in some OEMs' implementation. Now, that is not difficult to fix, I know for a fact.

edit: Also, BIOS password in place? Exploit useless.

editx2: and now, this https://www.anandtech.com/show/12556/amd-confirms-exploits-patched-in-weeks

The salient high-level takeaway from AMD is this:

  1. All the issues can be confirmed on related AMD hardware, but require Admin Access at the metal
  2. All the issues are set to be fixed within weeks, not months, through firmware patches and BIOS updates
  3. No performance impact expected
  4. None of these issues are Zen-specific, but relate to the PSP and ASMedia chipsets.
  5. These are not related to the GPZ exploits earlier this year.
https://community.amd.com/community...amd-technical-assessment-of-cts-labs-research

Someone's going to get a call from the law..
https://www.bloomberg.com/news/arti...-vulnerability-says-report-exaggerated-danger
#4 could be a bit more troublesome, because everything AMD has released since 2013 includes PSP. Though all should be patchable just the same.
 