13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

[thesmokingman]

You know, if I didn't care about this potential security problem, and this were a "real-life forum", brick and mortar and all that, I'd totally get me some popcorn and enjoy seeing the fights between AMD-fans, Intel-fans, skeptical people, paranoid people and everyone else. From a safe distance, of course. Maybe set a betting pool too

So you're really concerned right? No BS? Take a guess how many articles based their news on these findings?

New York-based cyber security firm Trail of Bits told Reuters that it had verified the findings from CTS, which paid $16,000 for a review of the AMD vulnerabilities.

For the attacks to work, an attacker must first obtain administrator access to a targeted network, Guido said.

https://www.reuters.com/article/us-...irm-says-it-finds-amd-chip-flaw-idUSKCN1GP273

In other news: Home security panels vulnerable to burglars, once they break into the house and befriend the family dog.

Exactly lol!

 

[B-Real]

Take THAT AMD. I dont wanna hear the fanbois anymore.

Before you say anything, have you seen this?

Or have you checked the YT channel comments are disabled? And the domain name amdflaws.com? Correct company. Ridiculous really. A sue is on the way for sure. BTW, your next comment made it clear that you are an Intel tard.

This has the potential to be even worse than Spectre and Meltdown.

Yes, definitely. LOL

It's so funny seeing AMD aficionados going in defense mode

No need for that, as this is a complete BS. Wake up and you will see.

 

[thesmokingman]

^^Hey I recognize those 3 employees now.

 

[Vya Domus]

Before you say anything, have you seen this?

Or did you check the YT channel comments are disabled? Correct company.

Oh come on , don't be so mean. They mean 16 years of experience as in what their brilliant employees have.

 

[B-Real]

Oh come on , don't be so mean. They mean 16 years of experience as in what their brilliant employees have.

Yeppp, just thought that ^^

 

[CrAsHnBuRnXp]

Before you say anything, have you seen this?

Should I? Im not a researcher

 

[thesmokingman]

Oh come on , don't be so mean. They mean 16 years of experience as in what their brilliant employees have.

They implied their company as an entity, not the combined xp of their staff.

 

[Divide Overflow]

I've just heard that if someone had my car keys and access to my car, they could change the memory positions for my driver's seat! This is an outrage! Where's the whitepaper on this critical exploit?!

 

[Dave65]

Take THAT AMD. I dont wanna hear the fanbois anymore.

Quite the fanbaby yourself it seems.

 

[windwhirl]

It is possible. There are enough servers with outdated configuration and / or software hooked on the net. But for a succesfull bios update you need to restart the system. This will look very odd a server rebooting out of nowhere. Once that happend the payload could be triggered again and you could take over the complete system. Thus with any credentials that might apply on the machine. But this should trigger any admin in the first place, that something is going on.

There are several approaches to a succesfull attack. One of m might simply stick a USB drive into a running server and exploit it's chipset by a handwritten program. Upload your payload and good to go. But even if you 'hack' apache, your still a user, and a user compared to root has different priveledges. None of them as close to flashing a bios lol.

Yeah, but two things:
1 - I don't know how server motherboards work, but some desktop ones allow you to update the BIOS/UEFI from within Windows. So, maybe you could do the same on some servers? And would it be mandatory to restart immediately? If not, you could wait until the next scheduled restart, with none the wiser.
2 - Privilege-escalation bugs are common in Windows (every month they fix one of those, at least) and Linux has some too (though I don't know if they are as common as their Windows-counterparts). If patches are not applied, someone could just chain a few exploits together and get in.

However, such an outcome may be avoided, at least for a short time, if the system is inside a VM.

 

[thesmokingman]

An

And your insinuation is?

Oh the excruciating irony escapes you!

 

[B-Real]

Well, if this turns out to be true, it's gonna be a shitstorm for AMD....

Haha, for what reason? Have it caused anything for Intel except for its shitty communication?

Should I? Im not a researcher

I'm not a researcher either, but I found it pretty easily. You should have done so, if you were really interested in the news. In fact, you are only an Intelboy.

 

[thesmokingman]

Yeah, but two things:
1 - I don't know how server motherboards work, but some desktop ones allow you to update the BIOS/UEFI from within Windows. So, maybe you could do the same on some servers? And would it be mandatory to restart immediately? If not, you could wait until the next scheduled restart, with none the wiser.
2 - Privilege-escalation bugs are common in Windows (every month they fix one of those, at least) and Linux has some too (though I don't know if they are as common as their Windows-counterparts). If patches are not applied, someone could just chain a few exploits together and get in.

However, such an outcome may be avoided, at least for a short time, if the system is inside a VM.

Um, maybe you missed it but if you have access to update said bios even in windows, that would mean you already have root/admin... so wtf are you doing? Why even bother with a hack/flaw/bug whatever? Why not get to the business of stealing whatever the eff you are there for?

 

[AsRock]

WOW awesome naming, shame one of the others were not called IntelFall.

Take THAT AMD. I dont wanna hear the fanbois anymore.

Well Intel and Arm might be in the same boat so.

And OMG "The researchers "believe that networks that contain AMD" they believe ?. If this was found on Intel they would dare to say shit yet.

 

[Vya Domus]

I wonder if "RYZENFALL" was intended as "Ryze-and-fall". That would have been smart of them.

 

[windwhirl]

Haha, for what reason? Have it caused anything for Intel except for its shitty communication?

Well, I originally just skimmed over the article. So, I though that for Intel something like this could have had negligible impact (except for the possible lawsuits), but AMD is a bit more vulnerable, because of the much lower market share and the company's more economically complicated situation.
Now, and considering that most of these vulnerabilities need certain uncommon conditions (special privileges and physical access), it doesn't seem to me that it could end up being a shitstorm, though it'd definitely be embarrassing...

Um, maybe you missed it but if you have access to update said bios even in windows, that would mean you already have root/admin... so wtf are you doing? Why even bother with a hack/flaw/bug whatever? Why not get to the business of stealing whatever the eff you are there for?

Maybe I could be waiting for some specific file to be transferred to the server? Or maybe I could be a creep and monitor all communications in and out?

Look at Equifax, the guys just sat down and held the doors open for themselves for a few months. What if someone did that with the NSA? Valuable data would definitely go through there, and there would be people very interested in getting it, no matter the cost. If that happened to the Pentagon's network... well, that could be really worrisome.

 

[CrAsHnBuRnXp]

Haha, for what reason? Have it caused anything for Intel except for its shitty communication?




I'm not a researcher either, but I found it pretty easily. You should have done so, if you were really interested in the news. In fact, you are only an Intelboy.

Not hardly. Im not an "intelboy" i have owned both AMD and Intel. In fact, i got my feet wet with an AMD Athlon XP back in the day. Then a 3200+ after that and an AMD opteron after that.

I go where the performance is. Intel just happens to be that. My original comment in this thread was a stab at the AMD fanboys because of the intel controversy not too long ago and how "amd is so much better" (paraphrasing here) and now we turn around and AMD is on the end of the pitchfork. It's just ironic.

So before you try and call me a fanboy, maybe you should do some research on me before trying to start something.

 

[Xzibit]

^^Hey I recognize those 3 employees now.

The guy in the middle the co-founder Yaron Luk-Zilberman serves as the President at NineWells Capital Management.

NineWells Capital Management, LLC is a privately owned investment manager. The firm manages hedge funds for its clients. NineWells Capital Management is based in New York, New York

That might explain the AMDFlaws.com being registered to a New York number or more sinister as to why AMD wasn't notified in a timely manner.

Funny side note: at least for me. When you visit their site is says "not secure" in browser.

 

[CrAsHnBuRnXp]

Quite the fanbaby yourself it seems.

Read the above post of mine.

 

[thesmokingman]

The guy in the middle the co-founder Yaron Luk-Zilberman serves as the President at NineWells Capital Management.



That might explain the AMDFlaws.com being registered to a New York number.

Funny side note: at least for me. When you visit their site is says "not secure" in browser.

Doh, says a lot doesn't it? Man, I cannot wait until the Feds and SEC get involved in this.

 

[Basard]

OMFG MUH FILES!

Doh, says a lot doesn't it? Man, I cannot wait until the Feds and SEC get involved in this.

They've always been involved.

 

[B-Real]

Not hardly. Im not an "intelboy" i have owned both AMD and Intel. In fact, i got my feet wet with an AMD Athlon XP back in the day. Then a 3200+ after that and an AMD opteron after that.

I go where the performance is. Intel just happens to be that.

Than you should have owned a Zen before the 8600K, and replace the 8600K for a 2600X or 2700X.

 

[CrAsHnBuRnXp]

WOW awesome naming, shame one of the others were not called IntelFall.

Wintelfell. Get it?

Than you should have owned a Zen before the 8600K, and replace the 8600K for a 2600X or 2700X.

Im sorry im not made of money and cant upgrade everytime the latest and greatest comes out like some folks can. I have a baby to think about. Guess that sort of logic is lost on the likes of you.

I get what is best for my money at the time of my upgrade. If I can afford to do a full upgrade path to AMD and they are superior, I will.

 

[B-Real]

I get what is best for my money at the time of my upgrade. If I can afford to do a full upgrade path to AMD and they are superior, I will.

After your starting comment "Take THAT AMD. I dont wanna hear the fanbois anymore." I cannot take you serious. Sorry. GN.

 

[Steevo]

Take THAT AMD. I dont wanna hear the fanbois anymore.

Yeah, all code that requires physical access, admin rights, and could be prevented by using an operating system, specifically Windows to enact is terrible.

Also, I hear if you let a user take a hammer to AMD processors, they break... unlike Intel.