Slashdot Mirror


Researchers Find Critical Vulnerabilities in AMD's Ryzen and EPYC Processors, But They Gave the Chipmaker Only 24 Hours Before Making the Findings Public (cnet.com)

Alfred Ng, reporting for CNET: Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer. CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly. An AMD spokesperson said, "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings," an AMD spokesman said. Zack Whittaker, a security reporter at CBS, said: Here's the catch: AMD had less than a day to look at the research. No wonder why its response is so vague.

195 comments

  1. Sponsored by, Intel! (R) by Anonymous Coward · · Score: 5, Interesting

    ... someone needs to dig (deep) into who registered the amdflaw domain and who is funding this.

    1. Re:Sponsored by, Intel! (R) by sinij · · Score: 5, Interesting

      Yes, couple days to respond is a hit job and not a responsible disclosure. However, if AMD and Intel get into "flaw disclosure" wars, the only winner will be consumers. This is not a bad thing.

    2. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      You stole my comment!

    3. Re:Sponsored by, Intel! (R) by gweihir · · Score: 2, Insightful

      Pretty clearly Intel-funded, yes. The 24h notification period is so short that it can be classified as a malicious attack. Nobody with any understanding of how this works does this unless there are strong overriding concerns. What these corrupt a******* did makes people a lot less secure.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Sponsored by, Intel! (R) by Penguinisto · · Score: 4, Insightful

      Devil's Advocate: the disclosure(s) is (are) vague as hell on exploit details, let alone demonstrations or proof-of-concepts, so there is that.

      All said though, still a dick move by CTS-Labs.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    5. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      I don't agree with this. Ever longer grace periods have been an excuse to put off dealing with problems. Disclosing vulnerabilities is not a crime, despite what people with your view might like. Whoever disclosed these problems, whether Intel or someone else, is not obligated to please AMD.

    6. Re: Sponsored by, Intel! (R) by Anonymous Coward · · Score: 1

      You can't sell the vulnerability back to the state that forced it in :)

    7. Re:Sponsored by, Intel! (R) by Opportunist · · Score: 5, Insightful

      Care to inform me how I would be the winner if flaws in hardware become published with ZERO chance for their makers to deliver any kind of patch before malware creators get a chance to exploit them?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Sponsored by, Intel! (R) by Opportunist · · Score: 1

      Design flaws happen. Computer hardware and software are by now SO complex that it is technically impossible to create a secure chip or system that is still affordable.

      Of course I can create hardware that's secure. That takes time. To give you an idea, if I had to design hardware with maximum security in mind, you could maybe today buy a CPU akin to a P4 for no more than what an average BMW would cost you.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:Sponsored by, Intel! (R) by Lonewolf666 · · Score: 3, Interesting

      Yes, the combination of publication within a day and registering an AMD-denigrating domain for the purpose stinks. As others have written already, it looks like a PR hit job.

      With a quick Google search (5 minutes) I could also find nothing substantial about CTS Labs. They have a professional looking website with quite a bit of Bullshit Bingo appeal, and a contact e-mail address on it.
      Otherwise not much:
            -no postal address
            -no references from past projects
      One might wonder if this is more than a shell company ;-)

      --
      C - the footgun of programming languages
    10. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      GUARANTEED Intel is behind this.

      Top Intel design engineers are in Israel where the "Core" series CPU's were designed.
      The way I see this, this tactic is to prevent people from jumping platforms since AMD now has femoral artery leak as bad as Intel does.

    11. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      Many, many years from now, we will be better off.

      In the short term, it would be catastrophic, unless you work for a nation state's intelligence groups.

    12. Re:Sponsored by, Intel! (R) by DRJlaw · · Score: 1

      Yes, couple days to respond is a hit job and not a responsible disclosure.

      It's responsible enough for Tavis Ormandy. You can simply make up your own shortened periods rather than sticking to a standard 60-90 period. Just make up an excuse and fire away...

    13. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      You did bother reading the article enough to know that all 4 "vulnerabilities" require physical access, credentials and signed drivers?

    14. Re:Sponsored by, Intel! (R) by Baloroth · · Score: 4, Insightful

      As opposed to Intel, whose chips are perfectly secure. Except Intel had ~5 months to fix the problem before public disclosure (longer than responsible disclosure standards required). AMD is somehow only given 24 hours? That's not just irresponsible disclosure, that's an indirect attack.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    15. Re: Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      Be a hot dog fancritter, then and go out and buy some more AMD gear.

    16. Re:Sponsored by, Intel! (R) by Lonewolf666 · · Score: 1

      OK, but what excuse does CTS Labs give?

      I'd call Tavis Ormandy's attitude pretty extreme, but at least he gives some reasons for doing so. What CTS Labs are doing is quite a bit more extreme, and for whom are they really working here?
      I think most customers would be interested in working with AMD for at least a few weeks and try to get a solution for the problem before going public. Unless they want to hurt AMD. Intel, is that you?

      --
      C - the footgun of programming languages
    17. Re: Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      He's either an Intel employee or a fanboi. Eschewing professionalism by not giving AMD time to respond and criticizing asymmetrically means there is almost certainly an ulterior motive at work.

    18. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      Why? A critical flaw is a critical flaw. Sour grapes doesn't change the facts, kiddo.

    19. Re:Sponsored by, Intel! (R) by Carewolf · · Score: 5, Informative

      Care to inform me how I would be the winner if flaws in hardware become published with ZERO chance for their makers to deliver any kind of patch before malware creators get a chance to exploit them?

      The place this hole is, is the AMD version of IME, a useless piece of malware designed to remote-control your computer, which Intel and AMD put there for enterprise purposes. Get rid of it or make it default off and these issues go away...

      I have no fucking clue why they installed those crappy Internet-of-shit operating systems in there by default in the first place.

    20. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      It's called "I'm not going to buy their chips until they fix it" and "I'm going to institute mitigation X".

      Also, most malware creators aren't trying to exploit your system with exploits like this. There's rarely a need. Nation States, though, probably already are exploiting things like this, and the sooner the public knows about, the sooner chip makers will work on a fix. I mean, look at the situation with Intel and Spectre. They have over 6 months and still fumbled pretty bad. So, it's not like I would just presume giving them a substantial lead time magically guarantees a good, prompt response from the vendors.

    21. Re:Sponsored by, Intel! (R) by sinij · · Score: 5, Funny

      You stole my comment!

      It isn't my fault that your speculative execution and prediction thinking leaked your post idea for everyone to see.

    22. Re:Sponsored by, Intel! (R) by sinij · · Score: 2

      Care to inform me how I would be the winner if flaws in hardware become published with ZERO chance for their makers to deliver any kind of patch before malware creators get a chance to exploit them?

      Listing your assumptions: You assume that nobody knew about these flaws before this press release. You assume that release contained sufficient information allowing someone to quickly reproduce these and move into exploitation. You assume that these could be remotely exploited so you are automatically vulnerable with any kind of system. You assume that these could be successfully patched resulting in a stable and secure system.

      Some of these assumptions might turn out to be false.

    23. Re:Sponsored by, Intel! (R) by Lunix+Nutcase · · Score: 2, Insightful

      Reporting facts is smearing someone? This is Poe’s Law, right? AMD fans are not this delusional are they?

    24. Re:Sponsored by, Intel! (R) by q4Fry · · Score: 1

      Devil's Advocate: the disclosure(s) is (are) vague as hell on exploit details, let alone demonstrations or proof-of-concepts, so there is that.

      I'm not disagreeing here, and I know nothing about the details, but wouldn't that be the ideal competitor-funded FUD? "I'm not going to tell you all the details, but here's an elephant being electrocuted by AC^H^H AMD. How do you explain that, Mr. Tesla?"

      Of course, what I'm doing here is Intel-FUD, so maybe I'm just a shill the other way. :^O

    25. Re:Sponsored by, Intel! (R) by Sir+Holo · · Score: 1

      All said though, still a dick move by CTS-Labs.

      Who? This is all I've ever heard of them.

      Then again: Any media attention is good.

    26. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      Broadcasting that your neighbor's backdoor is unlocked in a bad part of town is a wee bit irresponsible. I think the smear part more alludes to some perception of an effort to make them look bad by trying to get them to stumble out of the gate.

    27. Re:Sponsored by, Intel! (R) by Dog-Cow · · Score: 1

      Your inability to comprehend a short comment means that the smell is all you, you stupid pile of shit.

    28. Re:Sponsored by, Intel! (R) by Opportunist · · Score: 1

      The thesis is rather that freezing development at a point so you can spend years to test your system makes the chips more expensive and lower in performance.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    29. Re:Sponsored by, Intel! (R) by Opportunist · · Score: 1

      And that wouldn't be a lot better if we learned of this flaw AFTER AMD had time to fix it?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    30. Re:Sponsored by, Intel! (R) by Opportunist · · Score: 1

      Exports to (insert not-so-friendly-state-here) and a government wanting to have a convenient kill switch could be a reason.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    31. Re:Sponsored by, Intel! (R) by gweihir · · Score: 1

      It is not actually clear whether these are indeed "facts". The "whitepaper" is laughably imprecise. The company seems to be a mailbox, not more. Until this is confirmed by AMD, this is essentially a rumor. The short notification so AMD could not deny (or confirm) may be to actually use this for stock-price manipulation. As such, it is possible that the entire thing is a fake clever enough that AMD needs some time to find out whether there actually is substance to this. And that is another reason why you give a vendor 90 days: Then they can confirm or deny that the vulnerability exists based on their own analysis.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    32. Re:Sponsored by, Intel! (R) by Opportunist · · Score: 1

      I assume that a lot fewer hostile actors knew of this flaw before the press release and that the information is sufficient to at the very least spend resources on finding out how to exploit it. Yes. And I dare say with some confidence that this assumption is valid.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    33. Re:Sponsored by, Intel! (R) by gweihir · · Score: 1

      It is a direct attack. I am thinking either Intel is behind this or it is for stock-price manipulation.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    34. Re:Sponsored by, Intel! (R) by Sir+Holo · · Score: 1

      Yes, the combination of publication within a day and registering an AMD-denigrating domain for the purpose stinks. . . a PR hit job. [emphasis mine]
      . . .
      One might wonder if this is more than a shell company ;-)

      How do these tiny, unknown shell companies find zero-day flaws that no one else can?

      Must be super-geniuses -- or maybe just sloppy hacks poorly covering their tracks when attempting defamation.

    35. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      Yeah, and the only reason. Wasting gates for this crap is not free, it costs $$$.

    36. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      So far not very effective at causing a stock price decline. AMD is up 3.65% today at the time of this post.

    37. Re:Sponsored by, Intel! (R) by DRJlaw · · Score: 1

      OK, but what excuse does CTS Labs give?

      Well, according to CTS-Labs website and whitepaper (quoting from the whitepaper):

      AMD has recently announced that EPYC and Ryzen embedded processors are being sold as high security solutions for mission-critical aerospace and defense systems. AMD's latest generation Vega GPUs, which also have Secure Processor inside of them, are being integrated as deep-learning accelerators on self-driving cars. We urge the security community to study the security of these devices in depth before allowing them on mission-critical systems that could potentially put lives at risk.

      I'd call Tavis Ormandy's attitude pretty extreme, but at least he gives some reasons for doing so.

      "Reasons" being he runs out of patience faster than the end date of the responsible disclosure silent period?

      For whom are they really working here?

      Themselves? I mean, if you bought that Ormandy's 5 day-short shot at Microsoft "was independent of Google," you've got to buy CTS's explanation as well.

      I think most customers would be interested in working with AMD for at least a few weeks and try to get a solution for the problem before going public.

      From their whitepaper:
      "To ensure public safety, all technical details that could be used to reproduce the vulnerabilities have been
      redacted from this document. CTS has privately shared this information with AMD, select security
      companies that can develop mitigations, and the U.S. regulators. What follows is a description of the
      security problems we discovered and the risks they pose for users and organizations."

      If the information can't be used directly to exploit vulnerabilities, then why should end users not know that there are security issues with the processors? Especially critical systems end users?

    38. Re:Sponsored by, Intel! (R) by DRJlaw · · Score: 3

      Pretty clearly Intel-funded, yes.

      Pretty clearly? Based on what evidence? All you've done is speculated as to motive.

    39. Re:Sponsored by, Intel! (R) by DarkOx · · Score: 3, Interesting

      We could be using single cycle machines with no pipe-lining, in order execution and several megabytes of SRAM.

      They would be slow but they could be secure by now. We chose fast and cheap over reliable.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    40. Re:Sponsored by, Intel! (R) by Burz · · Score: 3, Interesting

      Have to agree that the intent behind this super-fast disclosure looks malicious. It follows that the research was probably undertaken with malicious intent as well.

      A very large chunk of Intel's operations are based in Israel, so that is one possible motivation for Israelis to go after AMD, which is based in the EU. It's widely known that the EU fined Intel over a $billion for threatening PC makers to avoid using too many AMD chips in PC products. There is revanchism and monopolist warfare going on here.

    41. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      I assume that a lot fewer hostile actors knew of this flaw before the press release and that the information is sufficient to at the very least spend resources on finding out how to exploit it.

      The bug to spend resources on to exploit is the one not announced and hence presumably not on the chopping block to be patched. The only reasonable position, then, is to argue that announcements should be delayed to cause criminals to waste resources on patched bugs and further to never officially announce that a bug ever existed so criminals must constantly check if the bug they wish to exploit still exists.

      Of course, in the past plenty of hackers have targeted bugs by waiting for an exploit to be patched and then reverse engineering the patch to attack systems not yet updated. So, it can pay to even target patched bugs. It's part of the reason MS started bundling patches to try to obfuscate the actual exploitable bugs. In a meaningful sense, though, it hasn't done much. Sure, now it's probably more resource efficient to go back to finding unknown bugs, but the fact is that plenty of exploitable bugs still exist.

      With that in mind, divulging bugs sooner probably isn't helping them that much.

    42. Re: Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      No, it's called being responsible.

      Grow up a little more and you might understand why that's a good thing.

    43. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      Spoken like an Intel employee trying to divert attention.

    44. Re:Sponsored by, Intel! (R) by ELCouz · · Score: 1

      [...]We chose fast and cheap over security.

      FTFY.

    45. Re:Sponsored by, Intel! (R) by thegarbz · · Score: 1

      I have no fucking clue why they installed those crappy Internet-of-shit operating systems in there by default in the first place.

      Then you should start by reading the manual and going over the years of history of what bulk customers have been asking for.

    46. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      "the only winner will be consumers" - not until these are fixed however, until then the script kiddies who make these flaws into exploits are the only winners.

    47. Re: Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      They intentionally omitted details so that the release wouldn't be exploitable.

    48. Re: Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      Spoken like an AMD employee trying to create FUD.

    49. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      Either it is fake or they had help from someone who does not want his name in it,

    50. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      >still a dick move

      >>"We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

    51. Re:Sponsored by, Intel! (R) by fazig · · Score: 0

      Sure they didn't have to disclose them to the public. But to be honest I still prefer this than them keeping it for themselves or perhaps selling it to some intelligence agency without telling anyone else. I mean they probably have already. But by telling the public the consumers can pressure the manufacturer to change something in the future. For example I'm not fond of that Secure Processor thing in itself and would not mind if both Intel and AMD ditched such implementations altogether.
      Of course this is assuming that these security flaws are real and not made up.

    52. Re:Sponsored by, Intel! (R) by DRJlaw · · Score: 1

      That's it. Keep attacking the source of any information that you find inconvenient. Don't prove or disprove any information yourself.

    53. Re:Sponsored by, Intel! (R) by jd · · Score: 1

      You design it using something like VHDL, Verilog or SystemC. These are amenable to verification using theorem provers. Your compiler can be written using VST and verified. This will not produce a perfect product, you only demonstrate that the source and thus the low-level hardware description match the specification. However, specifications are much easier to prove correct than complex code.

      You also use extreme programming methods. In other words, develop your test harness first and then develop to the test. This allows you to verify code correctness where a theorem is impossible or impractical.

      Ok, so we have a system virtually identical to what hardware manufacturers use already, only perhaps changing the order of a few things and making sure the development tools produce what we expect. So how do we improve on that?

      KISS it.

      Complexity is the enemy of reliability, any engineer knows that.

      You don't need one core that does absolutely everything. You don't need a complex instruction set. You can use a hybrid processor, something closer to the 486 or the Cell processor instead of a single unified core. And people should be using SMP as well as multicore to make better use of the bus anyway.

      If Intel and AMD are unsure about criticality, they can look at SEL4, the same as the rest of us.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    54. Re: Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      Then the bulk customers can pay through the nose for it, they have the money anyway, and not fuck over the rest of the planet with their insecure bs by default crap just because they want to avoid paying for an addin card. PCI and USB exists for a reason you know, and the rest of the world has no use for this crap. Unless you're a dictatorship or a black hat that is....

    55. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      You're sexually harassing me. Noted.

    56. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      AMD did this to themselves. Users did not ask for 'secret security processors' but AMD and intel forced them on us anyway. Fuck them all.

    57. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      The bulk customers are now getting what they asked for: 0-day attacks on them. I hope they enjoy it.

      But MAFIAA is not a bulk customer, the TPM that is part of these useless extra processors, is used for DRM. The thing that drives these insane changes is immaterial property. IP has more value when it is protected better.

    58. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      Based on a relatively charitable view of CTS-Labs. They're either incompetent, pointlessly malicious, or are gaining something. Assuming they are gaining something is the most charitable choice. Of the things they could be gaining, the most likely options are acclaim and money. Doing it for acclaim would be very petty, whereas cold hard cash is a reasonable motivator.

      So the most charitable view of CTS-Labs is that they are being paid off, and the most likely source of that money is Intel, who frequently act unethically to advance their business.

      Incidentally, the other AC was also taking the most charitable view of you, in assuming that you stand to gain something from defending Intel instead of being too stupid to figure this out.

    59. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      I have no fucking clue why they installed those crappy Internet-of-shit operating systems in there by default in the first place.

      link

      This was in 1999. Simply put, "You can't secure what you don't understand."

      Including an entire separate operating system for management is one boat load of attack surface added to the mix. Hardware should generally be delivered reasonably secure by default. This kind of crap should not just be off by default, but not programmed into motherboards by default. If a company wants it, they can specify that part variation where it is loaded.

      Programming something unused into a motherboard is itself a potential security vulnerability, since an attacker could possibly turn it on via some method and then have a larger toolkit. If you want a really secure system, first don't install anything on there you don't need.

    60. Re:Sponsored by, Intel! (R) by Anonymous Coward · · Score: 0

      The advisory came with its own disclaimer that CTS—the Israeli research organization that published the report—"may have, either directly or indirectly, an economic interest in the performance" of the stock of AMD or other companies. It also discloses that its contents were all statements of opinion and "not statements of fact."

      Quote from this article.

    61. Re: Sponsored by, Intel! (R) by Bing+Tsher+E · · Score: 1

      Neither one of you could ever be an Intel or AMD employee.

      They keep their rabid fanboys outside the company. They're happy with you blustering and bickering out there on the sidewalk. They certainly don't want people with your mindset inside the company fucking things up.

    62. Re:Sponsored by, Intel! (R) by DRJlaw · · Score: 1

      Adding more words does not transform speculation as to motive into evidence.

      Incidentally, the other AC was also taking the most charitable view of you, in assuming that you stand to gain something from defending Intel instead of being too stupid to figure this out.

      Yes, those are the only two possible explanations, and you are the arbiter of stupidity.

    63. Re:Sponsored by, Intel! (R) by bongey · · Score: 1

      Except it isn't facts, requiring administrative rights to install malware isn't close to a "critical" flaw. It's a fucking smear job.

    64. Re:Sponsored by, Intel! (R) by Opportunist · · Score: 1

      Being legally able and allowed to export to (country the US does not like) could offset that, easily.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    65. Re:Sponsored by, Intel! (R) by gweihir · · Score: 1

      I retract that, this is far too obvious and amateur-level for Intel. This is a stock-scam.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    66. Re:Sponsored by, Intel! (R) by ne7minder · · Score: 1

      They might also want to check for any unusual stock transactions in the days before this announcement.

  2. BS by Anonymous Coward · · Score: 0

    What is BS if the researchers really only gave them 24 hours.

  3. Not quite comparable to Intel's snafu by erapert · · Score: 4, Insightful

    These vulnerabilities look like they are almost all problems with the chipset or AMD's equivalent to Intel's Management Engine.
    So these aren't quite on par with Spectre and Meltdown.

    Some firmware updates should fix almost all of this.
    Still, it was sort of an asshole move to only give AMD 24 hours' notice just so they could get their 15 minutes of fame.
    And, yes, it's disgusting to see AMD put out products with lots of weaknesses like this.

    1. Re:Not quite comparable to Intel's snafu by sl3xd · · Score: 3, Interesting

      Saying they aren't on par with Spectre or Meltdown is missing the point - it's an apples to oranges comparison, just like IME's many problems aren't comparable to Spectre or Meltdown.

      It's not clear that firmware updates can fix it -- it depends on whether it's something that can be updated in firmware. Many security-critical hardware designs don't allow firmware updates, because at that stage modifiable firmware is a security hole in and of itself.

      At the end of the day, it sounds like AMD's Secure Processor has similar problems as Intel's Management Engine. It's not exactly unexpected, as every remote management 'feature' of the type has historically been riddled with security holes, regardless of vendor.

      I can't help but wonder, though, what the source of "24 hours notice" is; the articles I saw don't explain. I recall in years past, there are cases where researchers tried for months to get Microsoft to take their claims seriously. Microsoft wouldn't even acknowledge them, and when the researchers released it as a zero-day, and Microsoft shrieked they weren't given any notice...

      If AMD really was only given 24 hours notice, it was outrageously unprofessional and unethical behavior by the research company.

      Honestly, I'm more willing to believe corporate America would lie in an attempt to CYA than researchers would act in a way so unethical that nobody will work with them in the future.

      --
      -- Sometimes you have to turn the lights off in order to see.
    2. Re:Not quite comparable to Intel's snafu by Anonymous Coward · · Score: 0

      Unfortunately, I work in IT security so I am all too aware of how unethical many "security researchers" are.

      Don't get me wrong, there are some really outstanding ones. Kaspersky hires some very competent and ethical researchers. And then you have Tavis Ormandy who is extremely good, but was hired as an attack dog against any non-Google product (well, he isn't the only one they hired, but he's the poster child). At least with Google's project zero overall security is improved because they do report before disclosure and ruthlessly out other people's bugs so it *is* positive, just a bit asshole-ish.

      Then you have guys who are trying to make a living who are desperate for the 15-seconds of fame that they are hoping will allow them to make a living doing what they do. Some report before disclosure, some just disclose. Especially when they have been ignored and downplayed in the past.

      From there it just goes downhill. Towards the bottom of the heap you have some who will try to blackmail the affected party (not necessarily a corporation). Or the ones who try to sell the vulnerability to "interested parties".

      Bottom line, no reason to trust a "security researcher" over a company.

    3. Re:Not quite comparable to Intel's snafu by Anonymous Coward · · Score: 0

      Nor is there any reason to trust a "company" over a security researcher.

  4. pretty lame summary by nimbius · · Score: 5, Insightful

    https://amdflaws.com/ for the actual exploits detailed. The "whitepaper" is mostly fluff, unless you enjoy pretty icons and charts... completely remiss of any technical implementation details outside of how vulnerable Windows is to this flaw. Idiotic green screen video confirms this exploit appears to have more studio production value than actual security value. https://www.youtube.com/watch?...

    --
    Good people go to bed earlier.
    1. Re:pretty lame summary by Luthair · · Score: 3, Insightful

      I feel like in the aftermath of Heartbleed it started to become common for researchers to try to brand their discoveries, and they are increasingly hyping, hoping the mainstream press covers it, which works as an advertisement for the researcher and their org.

    2. Re:pretty lame summary by AmiMoJo · · Score: 2

      At this point we have no idea how bad this is. Could be that AMD release a patch next week and it's all fixed, no fuss. Could be as bad as Meltdown, with a major performance hit. Or it could be complete bullshit. We just don't know.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:pretty lame summary by Penguinisto · · Score: 1

      I'm kind of wondering that myself. They're (somewhat fortunately) quite vague with describing the flaws... A couple of them *appear* to be remote-exploit flaws (almost couldn't give a flying fuck about local privilege escalations, save for specific circumstances I won't detail here, though you'd pretty much be able to find parallel circumstances in your own workworld.)

      Then again, it's hard to tell at first glance. On one hand I'm glad they didn't bother with exploit POC/demonstrations, but on the other, the amdflaws site and whitepaper is (at least this morning) hellishly short on details that one could use to properly assess the actual threat(s).

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re:pretty lame summary by Anonymous Coward · · Score: 0

      You are correct Avi! Oy!

    5. Re:pretty lame summary by AmiMoJo · · Score: 1

      I don't think any of them are remotely exploitable, but these days you have to worry about Javascript running locally too.

      For servers local exploits are a problem too, especially those running VMs.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:pretty lame summary by Carewolf · · Score: 2

      At this point we have no idea how bad this is. Could be that AMD release a patch next week and it's all fixed, no fuss. Could be as bad as Meltdown, with a major performance hit. Or it could be complete bullshit. We just don't know.

      It is apparently just a scam: the company behind it had shorted AMD stocks, and has been caught and warned over similar scams in the past.

    7. Re: pretty lame summary by Anonymous Coward · · Score: 0

      There is no flaw. It's a fake site by a shell and a shill.

      The "exploit" requires all of:
      Physical access
      A local login
      Installing a signed driver
      BIOS settings be flipped to have the AME on.

    8. Re:pretty lame summary by esperto · · Score: 1

      Do you have a source for this?

  5. Open Source betrayal by Anonymous Coward · · Score: 0

    AMD has contributed so much to the open source community over the years and actively works with them on graphics cards (ATI) and on CPUs (AMD was quick to release x86_64 for Opteron and even a simulator that boots Linux)

    All that good will is flushed down the toilet in an instant. Because Open Source community is not a single organization that can be reasoned with. They are a mob of lone actors that have been shown time and time again to be unreliable.

    1. Re:Open Source betrayal by Bruce+Perens · · Score: 1

      I am especially unreliable! Kava! Kava! Booyah! Picard Maneuver! Han Shot First!

      However, I can't imagine what your comment has to do with this story.

    2. Re:Open Source betrayal by Penguinisto · · Score: 1

      Get back under the bed, you... !

      I agree though - this isn't an OSS=bad issue at all. Dick move by the researchers aside, this is still a net benefit (many eyes still making bugs shallow, etc.)

      Overall, I'd rather find out (even under crap circumstances like this) in public, than to have script kiddies exploiting it like crazy in private.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Open Source betrayal by Anonymous Coward · · Score: 0

      The kiddies will be exploiting this in public now instead of private and there isn't shit you can do about it. You present a false dichotomy. There is at least one other option, hold off on the release for 6 months while AMD creates workarounds or microcode patches.

      Are the kiddies going to exploit the issue in secret during that time? Probably. But you should at least have followed some basic security processes to mitigate the damage from such unpredictable 0-day attacks.

      Now you have spread the information to a much wider set of kiddies, with no fix in sight. Good job, your full disclosure bullshit has made us less safe.

    4. Re: Open Source betrayal by Anonymous Coward · · Score: 0

      Kirk did it first, Corbomite Maneuver

  6. Intel gets 6 months and AMD gets a day? by Anonymous Coward · · Score: 5, Insightful

    This all smells fishy. Hand me the tin-foil. I need a hat.

    1. Re:Intel gets 6 months and AMD gets a day? by Anonymous Coward · · Score: 0

      Just like Broadcom got a court order to give 7 days notice of any move back to the US, then 6 days later was charged with violating the court order based on plans that were public since November.

  7. Intel is back on their bullshit by Anonymous Coward · · Score: 0

    Fool me once, shame on me... fool me twice, you can't get fooled again

  8. No surprise by Anonymous Coward · · Score: 1

    An Israel-based company favoring Intel over AMD? I'M SHOCKED! Well, not that shocked...

  9. Follow the money by spaceman375 · · Score: 3, Interesting

    In collusion with intel or not, I'd bet these "researchers" have bought a bunch of intel stock over the last few months.

    --
    On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
    1. Re:Follow the money by Anonymous Coward · · Score: 1

      I bet they are shorting AMD stock to fund their 4 person company.

    2. Re:Follow the money by Zontar_Thing_From_Ve · · Score: 1

      In collusion with intel or not, I'd bet these "researchers" have bought a bunch of intel stock over the last few months.

      Or they've shorted AMD and really need to knock down the price. For what it's worth as I write this AMD's stock is actually slightly up today despite the news.

    3. Re:Follow the money by gweihir · · Score: 1

      Well, maybe the stock-market is not so easily panicked by what at the moment amounts to hot air.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Follow the money by Shotgun · · Score: 2

      Are you actually implying that fund managers would have any idea what to make of this at all?

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    5. Re:Follow the money by slack_justyb · · Score: 5, Informative

      They literally spell it out on their disclaimer page.

      Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

      So while these exploits might be real, they just straight up fess to being shady as shit. This is some blackballing level of unethical behavior. They literally hit and run AMD for profit. Whoever these engineers are, this whole episode should be the end of any future career they might have had and it just stops short of what I would think would constitute an outright FTC investigation.

      Twenty-four hour notice and then posting publicly the exploits isn't research, that's a willful attack.

    6. Re:Follow the money by mike.mondy · · Score: 1

      They literally spell it out on their disclaimer page.

      Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

      So while these exploits might be real, they just straight up fess to being shady as shit. This is some blackballing level of unethical behavior. They literally hit and run AMD for profit. Whoever these engineers are, this whole episode should be the end of any future career they might have had and it just stops short of what I would think would constitute an outright FTC investigation.

      Twenty-four hour notice and then posting publicly the exploits isn't research, that's a willful attack.

      The exploits are reported as serious by a few independent researchers who seem to have been given extra info, but do require that you have *already* powned the target.

      And, somehow a short-seller named Viceroy saw fit to put out a report advising people to short AMD stock because they claimed to believe that this flaw would drive AMD to bankruptcy!

      Definitely a money grab by CTS Labs. (I'll make a guess that Viceroy are dupes and are not intentionally doing something worth a visit from the SEC...)

    7. Re:Follow the money by DamnOregonian · · Score: 1

      It's not hot air. They have PoCs that are corroborated by research firms.
      The company is a pile of shit- these guys are evil- but it's real, and it's a big deal.
      I suspect they stand to benefit somehow from the hit against AMD, but the shit they're peddling is legit.

    8. Re:Follow the money by gweihir · · Score: 1

      Nonsense. If somebody can put in their own BIOS or has signed drivers, then there is no need to verify anything. These are not vulnerabilities that can be fixed or are unknown or unexpected by any real expert.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  10. good by micahraleigh · · Score: 1

    They're making sure they get the credit.

    And they deserve it.

  11. Place your bets by Anonymous Coward · · Score: 0

    Who wants to bet Intel helped fund this and got it released outside the normal window.

  12. Intel any thing to win! by Joe_Dragon · · Score: 1

    Intel any thing to win! suck it up as soon you will an raid key and an pci-e lane key to unlock stuff on your cpu.

  13. Requires complete takeover first? by Anonymous Coward · · Score: 2, Informative

    So it appears an attacker would have to have gained root/admin access over the OS before they could then install some persistent backdoor?

    Attacking the TPM could be bad, but once you have kernel level access you pretty much have anything you need to steal data anyway.

    This one seems to have higher barrier to entry and a lot of assumptions versus just drive-by JavaScript executing code or a malicious guest VM breaking out of a hypervisor.

    I expect the CVSSv3 score to be medium.

    1. Re:Requires complete takeover first? by gweihir · · Score: 1

      Indeed. If you have root on the machine, you can basically do anything anyways.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Requires complete takeover first? by viperidaenz · · Score: 1

      Plug a usb drive in to a machine, load your own OS, insert persistent undetectable malware, profit?

    3. Re:Requires complete takeover first? by DamnOregonian · · Score: 1

      The underlying concept of secure enclaves/trust zones/secure coprocessors and such are that root does *not* own them. That they are a safe place to put data even in the case of root misbehaving/having been owned.
      Now, the chipset... that's more of a gray area... but still unsigned code execution and *installation* after a simple root exploit is pretty fucking terrible.

    4. Re:Requires complete takeover first? by DamnOregonian · · Score: 1

      Exactly. That's why it's a big deal. Not just persistent malware, but persistent and undetectable malware. It could be installed at any point in the physical delivery of the device to whatever mission critical application ("AMD- It's in your plane!") you have in mind for it.
      I'm wondering if the people screaming "it takes root, this is a nothingburger" are shills or... not using their entire intellectual faculties.

    5. Re:Requires complete takeover first? by gweihir · · Score: 1

      That is bullshit for those weak of mind. You can always manipulate critical components of a system. The "locked down" TPM and so are primarily to prevent people from installing non-Windows OSes. Just refer to all those TPMs from Infineon that were recently found to be insecure.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Requires complete takeover first? by bongey · · Score: 1

      Shit for brains, if you have local access and root is basically how ALL computer systems update their firmware. There aren't magically firmware update fairies.

    7. Re:Requires complete takeover first? by DamnOregonian · · Score: 1

      You're barking up the wrong tree, friend.
      I have multiple CVEs under my name in the NVD.
      Getting root is not the hard part about altering firmware. I'll leave it as an exercise for your apparently godlike knowledge to figure out what is.

    8. Re:Requires complete takeover first? by DamnOregonian · · Score: 1

      ... That's not an argument. Reading your posts in the past, I had really thought you were more intelligent than that. Are you somehow emotionally invested in AMD not looking bad?

    9. Re:Requires complete takeover first? by gweihir · · Score: 1

      Just read up on the subject and then try again. My statement is (of course) dramatically shorter than a full explanation. But just to give another example, an attacker with root and/or physical access can install a blue-pill rootkit and simply emulate the hardware or control what it is used for. Except for very expensive real HSMs (typically > 50k per box or so), secure hardware is a myth. The primary security factor for HSMs is that competent hackers usually cannot afford the 10 or so boxes they would need to burn in order to figure out how to break in and that they would have trouble buying them in the first place.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Requires complete takeover first? by DamnOregonian · · Score: 1

      Here's the part you're missing. This is a real-life blue pill. And a perfect, and do-able version.
      There is no successful blue pill- because a perfect hypervisor would be an epic amount of work, and things like trusted booting would make it infeasible to trap the machine early enough.

      This is your blue pill. They don't need to write a hypervisor- they can run code that runs *above* root, and at the chipset.
      What's uglier, is this blue pill is so deep, that it can effectively prevent itself from ever being removed.

      I have several published linux kernel and android CVEs, and have been head hunted by major security firms as a senior analyst. I'm not making shit up. This may not be a big deal to you, but it is a big deal regardless.

  14. trying to make a name for themselves... by jmdevince · · Score: 5, Informative

    CTS Labs only registered their domain (cts-labs.com) 6 months ago. They registered amdflaws.com 2018-02-22. So they spent time tweaking the marketing material. This is nothing but a new company trying to make a name for themselves and have instead pissed off true security researchers by not following responsible disclosure. From CTS' own site: "Due to the sensitive nature of security vulnerabilities, we usually work under strict mutual NDAs with our customers to ensure maximum safety and privacy". ... Horseshit.

    1. Re:trying to make a name for themselves... by bluefoxlucid · · Score: 3, Interesting

      I used to be a full disclosure guy.

      I grew up.

    2. Re:trying to make a name for themselves... by MachineShedFred · · Score: 4, Interesting

      The sentence on the web site was probably edited from:

      "Due to the sensitive nature of security vulnerabilities, we usually work under strict mutual NDAs with our customers to ensure maximum safety and privacy. If you would like to become one of our customers by handing over a signed NDA and a fat bag of money, you can contact us at the following email address. Should we find a flaw in a product that is not produced by one of our NDA partners, we'll first ask them for a fat bag of money, and if they don't immediately capitulate, we'll be publishing their dirty laundry as 'full disclosure with previous notification'."

      Somehow I have a feeling that the "disclosure" to AMD included the offer of a mutual NDA and business-to-business financial arrangement, with AMD telling them to pound it.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    3. Re:trying to make a name for themselves... by gweihir · · Score: 1

      Well, I doubt they will get many real customers. They have already demonstrated that they are willing to screw a lot of people for a bit of publicity. Will be interesting to see whether their claims actually can hold water. At the moment that looks more than doubtful.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:trying to make a name for themselves... by Anonymous Coward · · Score: 0

      There's a balance. Full disclosure zero day vs. complete secrecy ever?

      I don't know where the balance should be. I know it shouldn't be at either extreme.

    5. Re:trying to make a name for themselves... by drinkypoo · · Score: 1

      I smell a conspiracy. You know who else is based in Israel? THE JEWS!!! No, just kidding. But seriously folks, you know who there's a lot of in Israel? Jews, that's who. No, no no, actually there's a lot of Intel employees and facilities in Israel. Intel is desperate for anything that makes them look good right now, and the next best thing is anything that makes the competition look bad. There may be Jews involved, but I suspect what's most relevant is that if there are, they're connected to Intel somehow. Nobody ever heard of CTS Labs before now...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:trying to make a name for themselves... by viperidaenz · · Score: 1

      They haven't released any details on how to execute the vulnerability.

      How is this not responsible disclosure?
      Perhaps AMD refused to sign an NDA?

    7. Re:trying to make a name for themselves... by Bing+Tsher+E · · Score: 1

      You know who Intel couldn't care less about?

      A bunch of nerds who fret and fester and postulate about their every move.

    8. Re:trying to make a name for themselves... by drinkypoo · · Score: 1

      You know who Intel couldn't care less about?
      A bunch of nerds who fret and fester and postulate about their every move.

      You mean, people who make and/or influence purchasing decisions? OK there, sport.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:trying to make a name for themselves... by Bing+Tsher+E · · Score: 1

      You're one of those guys who tells management they should buy servers with AMD processors in them?

      Ooookay....

    10. Re:trying to make a name for themselves... by drinkypoo · · Score: 1

      You're one of those guys who tells management they should buy servers with AMD processors in them?

      Not until recently, when it came out that Intel either doesn't care about security, or is totally incapable when it comes to security. Either one is a complete show-stopper for anyone doing serious business.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  15. if you get caught money laundering by Joe_Dragon · · Score: 1

    if you get caught money laundering you're going to fpmitap

    1. Re:if you get caught money laundering by Anonymous Coward · · Score: 0

      not in Israel

  16. They all have insane requirements by Anonymous Coward · · Score: 5, Informative

    All of those "vulnerabilities" have insane requirements like being able to defeat OEM BIOS flash protections or Windows' driver signing...

    MASTERKEY:

            Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update. This update would contain Secure Processor metadata that exploits one of the vulnerabilities, as well as malware code compiled for ARM Cortex A5 – the processor inside the AMD Secure Processor.

    RYZENFALL:

            Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

    FALLOUT:

            Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

    CHIMERA:

            Prerequisites for Exploitation: A program running with local-machine elevated administrator privileges. Access to the device is provided by a driver that is digitally signed by the vendor.

    1. Re:They all have insane requirements by 93+Escort+Wagon · · Score: 5, Funny

      You're missing the point.

      The point is - they came up with really cool names for each exploit.

      --
      #DeleteChrome
    2. Re:They all have insane requirements by Anonymous Coward · · Score: 1

      I just checked my system and discovered I have a BIOS and signed drivers! Have I been hacked already!?

    3. Re:They all have insane requirements by foxalopex · · Score: 1

      Wow this sounds like a no brainer, so if a thief already has the keys to your house then you might get some stuff stolen, or they might saw the lock off the door. It doesn't sound like a security problem to me at all. Someone with local machine administrator privileges pretty much already owns your machine.

    4. Re:They all have insane requirements by sinij · · Score: 2

      I just checked my system and discovered I have a BIOS and signed drivers! Have I been hacked already!?

      If you are running a modern, UEFI-based system I would be concerned.

    5. Re:They all have insane requirements by MachineShedFred · · Score: 1

      OMG so if you gain root access to the system, you can do anything with the hardware that the drivers allow? Or if you replace the software that the thing is running with your own software, it does stuff that you tell it to?

      How is this an "exploit" exactly? Sounds like it's working as intended.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    6. Re:They all have insane requirements by kav2k · · Score: 1

      Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

      I think this implies that there is an existing AMD driver that allows the attack.

    7. Re:They all have insane requirements by Sir+Holo · · Score: 1

      If the quoted AC is correct, then this item is not news.

      . . . Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update.

      . . . RYZENFALL Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges.

      . . . FALLOUT Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges.

      . . . CHIMERA: Prerequisites for Exploitation: A program running with local-machine elevated administrator privileges. Access to the device is provided by a driver that is digitally signed by the vendor.

      If physical access is required to exploit a 'security flaw', then it's not really much of an exploit; now, is it?

      ANY OF THESE CATCHILY NAMED VULNERABILITIES require you to be p0wn3d by the exploiter before they can begin, as well.

      If someone has physical control of your computer; you have far bigger problems than these pipsqueaks from 'whatever that hit-job company is named.'

    8. Re:They all have insane requirements by Anonymous Coward · · Score: 0

      The entire point (ostensibly) of the "secure processor" is to have an area safe from even an attacker with full local privileges. It's like having a large heavy-duty concealed safe built into the walls, which requires a specific combination known only to the owner and a unique key possessed by the owner in order to open, but the keyhole is behind another secure panel which can only be opened by a rep from a specific security company so that thieves can't simply force the owner to open it. Then, one day you come home to see that someone's broken into the house and cleaned out your safe, but the company says "you can't expect a safe to protect things from somebody who's already in the house!"

    9. Re:They all have insane requirements by Anonymous Coward · · Score: 0

      If physical access is required to exploit a 'security flaw', then it's not really much of an exploit; now, is it?

      It is if it means your "secure" processor isn't so secure...

    10. Re: They all have insane requirements by Anonymous Coward · · Score: 0

      Yes it implied that. The vendor supplied driver is available at freepronforu.ru

    11. Re:They all have insane requirements by aberglas · · Score: 1

      +1

    12. Re:They all have insane requirements by Anonymous Coward · · Score: 0

      So the safe is worthless. Who the fuck cares? The home owner didn't order a safe and didn't know it was installed. It wasn't even there for the homeowner's benefit, but rather to subvert the owner's will at the behest of government and corporate interests.

    13. Re:They all have insane requirements by Anonymous Coward · · Score: 0

      The problem here is that with those vulnerabilities when someone gains administrator access to your PC it's no longer a case of "format & reinstall" but "buy a new CPU and format the HDD using a different machine" since all of those exploits allow the attacker to put malware not in the OS, but in the CPU itself (or rather the extra CPU that's on the same silicon, is invisible to the OS and can access EVERYTHING).

  17. All Security Co Processors by Anonymous Coward · · Score: 1

    Are back door vulnerabilities disguised as security features. Simple as that. Don't know if these exploits target these management co processors or not and simply, I do not care. Why fix a tiny hole in the wall when everyone that wants in already has the key to your back door.

  18. Warning : URL links to a site with auto-play audio by Anonymous Coward · · Score: 0

    Auto-play video adverts with sound.

    I blacklist sites which do that.

  19. That's because these vulns are horseshit by Anonymous Coward · · Score: 0

    Most of them require administrator access, i.e. local root. Which is a position from which keyloggers etc. can already be installed.

    It's like a marketing campaign by you-know-who, and it wouldn't work if AMD had been given more than 24h of notice.

    1. Re:That's because these vulns are horseshit by Anonymous Coward · · Score: 0

      Yep. Intel laid out a lot of shekels for nothing... OY!

  20. Sounds sketchy by ReneR · · Score: 1

    However, I'm among those who do not even want to have this pseudo security, but vendor backdoor management engine / system processor thing in my box to start with.

    1. Re:Sounds sketchy by sl3xd · · Score: 1

      Agreed; six months ago when Intel's competitor (Intel Management Engine) was withering in the spotlight, I was disappointed to see that AMD had their "Secure Processor" that did the same thing.

      In a past job, I wrote software that was used to manage large numbers of systems using remote management (such as IME or AMD's SP). They are all comically buggy, regardless of vendor. Where there are bugs, there are exploits, and I'm not at all surprised to see the two biggest implementations fell within six months of each other.

      I totally understand the goal - it's very useful for corporate IT.

      The problem is everybody who's implemented similar remote management thus far has been unable to get it to work reliably. Security is an afterthought 'achieved' by bolting on an SSL library and expecting it to magically secure everything.

      --
      -- Sometimes you have to turn the lights off in order to see.
  21. business angle by jm007 · · Score: 1

    just a guess....

    if the bounty programs were reliable and lucrative enough, then security researchers could justify revealing vulnerabilities on the company's terms, i.e., quietly and when ready

    however, if a company's bounty programs were thought to be low-paying and unreliably given, then the new-found vulnerability could be used from a marketing perspective to give the researchers access to more business opportunities and money.... try to get publicity for it, it might pay off that way instead

    1. Re:business angle by Lonewolf666 · · Score: 1

      And who would be the customers?

      A third company who wants its product secured? For them a researcher that goes public without giving them time to produce a fix would be a liability rather than an asset. A strong "Do Not Hire" in my opinion.
      In that scenario, it would still be better for the researcher to go with responsible disclosure.

      A competitor of above company who wants to make them look bad? Sure, at the risk of that going public. I could imagine it anyway...

      A hacker group that likes to see companies with their metaphorical pants down might do it just for fun, but the website of CTS Labs suggests they are more interested in appearing as a reputable company. Which they probably have blown by now. If they attempted to be a reputable company in the first place.

       

      --
      C - the footgun of programming languages
  22. Stock manipulation by a NY hedge fund by Anonymous Coward · · Score: 0

    Thanks for playing!

  23. need to be already root by Anonymous Coward · · Score: 0

    "Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update."

    To flash BIOS I already need to be root. Yes, I understand it's still a security issue, since any admin can now install a rootkit that will persist even if you completely wipe the computer, but in practice this is not really useful.

  24. They shortened AMD stocks by xxxLCxxx · · Score: 3, Interesting

    Looks like somebody has shortened AMD stocks. This should be under investigation soon.

    From reddit.com:

    FRANKFURT, March 12 (Reuters) - German financial watchdog Bafin said on Monday that short-seller Viceroy Research breached German securities law with a research report on ProSiebenSat.1 as it did not notify the regulator of its activities.

    Under German law, any entity that is not a securities firm, a fund manager, an EU administrative firm or an investment company that intends to publish recommendations on investments in assets must notify Bafin ahead of time, it said.

    It also said Viceroy’s website did not contain information on where the company was based.

    ProSieben last week rejected a critical report by Viceroy that led to a drop in its share price by as much as 9 percent, saying the allegations of questionable accounting contained in it were "unfounded and distorting reality". (Reporting by Maria Sheahan Editing by Arno Schuetze)

  25. in a vm need to get to the base os to flash by Joe_Dragon · · Score: 1

    in a vm need to get to the base os to flash unless somehow that hardware was mapped to the VM

  26. Not a vulnerability by FeelGood314 · · Score: 5, Interesting

    This is both an attack on AMD (and possibly their stock price) and a way for the researchers to get publicity. This happens way too often, just this time it got more publicity than usual. What happens is researchers looking to make a name for themselves find what they think could sound like an exploit, the fact that it might already be public knowledge or hell even the way a device is supposed to work (e.g. exploit needs signed drivers and physical access) doesn't matter. Usually the "researchers" aren't very good. They use automated tools to scan for a vulnerability that they don't really understand and when you respond that "yeah, that 32 bit signed/unsigned error might be exploitable if you send me a buffer with 2^31 + 7 bytes of data to a process on an old 32 bit server but since the process only has 2GB of memory good luck."* The researchers intentionally published right away so that the organization they are attacking doesn't have time to respond. The researchers didn't want a response because they knew the response would be "fuck off, this isn't a vulnerability!"

    *yes, I had this conversation.

    1. Re:Not a vulnerability by Sir+Holo · · Score: 1

      FOR THE LAZY: (2^31 + 7) Bytes = 2 TB & change.

    2. Re:Not a vulnerability by Anonymous Coward · · Score: 0

      I think you're confused.

      (2^31 + 7) Bytes = 2,147,483,655 Bytes = 2 GiB + 7 Bytes.
      2^(31 + 7) Bytes = 2^38 Bytes = 274,877,906,944 Bytes = 256 GiB.
      2^41 Bytes = 2,199,023,255,552 Bytes = 2 TiB.

    3. Re:Not a vulnerability by sl3xd · · Score: 1

      This is both an attack on AMD (and possibly their stock price) and a way for the researchers to get publicity.

      I'll buy publicity, but an attack on AMD... no.

      Saying it's an attack on AMD is about as sensible as saying the (many) flaws published about Intel's products were attacks on Intel.

      If there's a flaw, it doesn't exist because of the researchers. If the researchers were truly malicious, they wouldn't have disclosed anything at all.

      Zero-day exploits give engineering departments heartburn and sleepless nights, but do little to the stock price over the long term. The only way this hurts AMD is if AMD says it isn't a problem and is proven wrong.

      --
      -- Sometimes you have to turn the lights off in order to see.
    4. Re:Not a vulnerability by Sir+Holo · · Score: 1

      I think you're confused.

      (2^31 + 7) Bytes = 2,147,483,655 Bytes = 2 GiB + 7 Bytes.
      2^(31 + 7) Bytes = 2^38 Bytes = 274,877,906,944 Bytes = 256 GiB.
      2^41 Bytes = 2,199,023,255,552 Bytes = 2 TiB.

      . . . I was off in counting the commas. . .
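
The class of 32-bit signed/unsigned length error mentioned in the "Not a vulnerability" comment above, shown next to a corrected check. This is an added, constructed illustration, not the bug the commenter was sent and not code from any product; the 4 KiB buffer, the 2 GiB address-space figure as a constant, and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical values: a 4 KiB receive buffer, and the 2 GiB process
 * address space the comment refers to. */
#define BUF_CAP          4096u
#define USER_SPACE_BYTES 2147483648ull   /* 2^31 */

/* The flaw: a 32-bit length field from the wire is treated as signed.
 * memcpy reinterprets the bits without relying on implementation-defined
 * out-of-range conversion. */
int32_t as_signed_len(uint32_t wire_len) {
    int32_t len;
    memcpy(&len, &wire_len, sizeof len);
    return len;
}

/* Flawed check: only an upper bound on a signed value, so every length
 * with the top bit set is negative and passes. Returns 1 if accepted. */
int flawed_check(uint32_t wire_len) {
    return as_signed_len(wire_len) <= (int32_t)BUF_CAP;
}

/* Corrected check: the length stays unsigned from parse to use. */
int hardened_check(uint32_t wire_len) {
    return wire_len <= BUF_CAP;
}

/* What a 32-bit copy routine would be asked to move once the accepted
 * signed length is converted back to an unsigned size. */
uint32_t copy_size_32(uint32_t wire_len) {
    return (uint32_t)as_signed_len(wire_len);
}

/* The commenter's objection: the sender must actually deliver that many
 * bytes, and the receiving process cannot hold them. */
int fits_in_user_space(uint64_t payload_bytes) {
    return payload_bytes < USER_SPACE_BYTES;
}

int main(void) {
    /* Constructed sample lengths, including 2^31 + 7 from the thread. */
    const uint32_t samples[] = { 100u, 4096u, 5000u, 0x7FFFFFFFu,
                                 0x80000000u, 0x80000007u };
    size_t i;
    printf("%12s %13s %7s %9s %5s\n",
           "wire_len", "as_signed", "flawed", "hardened", "fits");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t n = samples[i];
        printf("%12lu %13ld %7d %9d %5d\n",
               (unsigned long)n, (long)as_signed_len(n),
               flawed_check(n), hardened_check(n),
               fits_in_user_space(n));
    }
    return 0;
}
```

The last row shows both halves of the argument: the flawed check does accept 2^31 + 7, but a payload of that size does not fit in a 2 GiB process.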

  27. 24 hours heads up? by JonathanP.Bennett · · Score: 1, Interesting

    Such a quick turnaround between private and public disclosure means one of two things.

    First possibility: They're not interested in responsible disclosure. Likely. As others have pointed out, they get more noise for their findings this way.

    Second possibility: They know these vulnerabilities are being actively exploited. Not as likely, but a real possibility, and way more worrying.

    1. Re:24 hours heads up? by hajile · · Score: 1

      Have you read about the vulnerability requirements? You have to already control the machine before you can use these. If these are a problem, you already have a much bigger problem.

    2. Re:24 hours heads up? by gweihir · · Score: 2

      Third: This is a stock-scam and they need the short turnaround time, otherwise AMD could have stated (after analysis) that this actually has no substance.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:24 hours heads up? by sl3xd · · Score: 2

      If it's a stock scam, it's an amazingly ignorant one. The average day trader doesn't know about or really care about AMD. Even Intel is yesterday's news. They just don't have Apple's name recognition.

      If they were shorting AMD stock they would have only made 4.5% if they were prescient and both bought and sold their stock perfectly. If they weren't so lucky, they would have been seriously in the hole (down to -7%) and likely would have given up before 2PM EST.

      Coupled with the (expected) blocking of the Qualcomm sale to Broadcom today, and its corresponding gains to Intel & AMD's stock prices, it was just a really, really poor day to make that move.

      --
      -- Sometimes you have to turn the lights off in order to see.
    4. Re:24 hours heads up? by Bing+Tsher+E · · Score: 1

      How long do you need to control the machine?

      Can it be just long enough to get the USB key plugged in and the system booted off of it? During that time do you install persistent undetectable malware?

      Can it be done right on the loading dock, or when the hardware is in a shipping container, using a portable UPS to power the system long enough to perform the installation?

      Do you need to 'have root' on the machine for longer than that?

    5. Re:24 hours heads up? by gweihir · · Score: 1

      Look at their logo and the youtube video: Cheap background and cheap logo bought from the same site. The "vulnerabilities" are mostly irrelevant, if physical access is given, the attacker can do anything. Then the very short "disclosure" period that makes absolutely no sense, except as an ingredient in stock-fraud.

      So yes, "amazingly ignorant" is pretty much right on the mark.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  28. So I guess chips the new avenue for exploits by Anonymous Coward · · Score: 0

    It could be that up until Meltdown and Spectre many felt that hardware was not a good way to attack a system. Now that we are seeing proof of concepts you know that there are others focusing on this newfound potential. Let's see how AMD deals with this, and indeed it's very unfortunate for all using AMD Ryzen chips that more time was not given before releasing the findings.

  29. Snake Oil. by Tsolias · · Score: 1

    the funniest part of this is that I saw some purch media shites to mention that both amd PSP and intel IME run some proprietary linux...
    something smells fishy and I don't even have a girlfriend.

  30. ^^^Jackass^^^ by Anonymous Coward · · Score: 0

    That looked like fun, I thought I'd play too. I chose the caret ^ symbol because it looks a bit like a dunce cap, which you are probably familiar with.

  31. Apple by DontBeAMoran · · Score: 1

    Well, here's hoping that Apple's new low-cost entry-level MacBook uses one of their own A12 or whatever. Lower price and better security, maybe?

    --
    #DeleteFacebook
    1. Re:Apple by Bing+Tsher+E · · Score: 1

      Why mess around being owned by some unknown outside hacker, when you can be owned by a well known public entity like Apple?

    2. Re:Apple by DontBeAMoran · · Score: 1

      Do you trust Intel or AMD more than Apple?

      --
      #DeleteFacebook
  32. Israel by Anonymous Coward · · Score: 1

    Why are all the shady security companies in Israel, is there a specific technical reason, or are they just assholes?

    1. Re:Israel by Sun · · Score: 1

      Actually, there is a good technical reason:

      There are a lot of security companies in Israel. Probably in the thousands, if not more. It should come as no surprise, therefore, that some of them would be shady.

      Shachar

  33. Now this is suspicious by Megol · · Score: 4, Insightful

    Look at how the information is delivered. "This site is to inform the public about the vulnerabilities and call upon AMD and the security community to fix the vulnerable products." - but doesn't actually give AMD the time to fix the problem(s).

    Look at the website: amdflaws.com
    Nice name.

    "MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update"
    So this is a low impact problem. Yes they try to hype it but the fact is if anyone has access to a computer one should always assume they can gain control.
    Just a few years ago people wouldn't even try to portray it as a problem.

    The rest are similar things - bypassing security while still needing physical and/or elevated privileges. Yes there may be problems caused by this, no the problems aren't really bad.

    I wouldn't be surprised if Intel spent some $$$ to encourage the group behind this to select the website name, the naming of the exploits (or "exploits" in some cases), how they are presented on the website and the white paper, and lastly to not give AMD any chance to patch the problems. Add to this the quote above that shows an exceptional level of dishonesty.

    And if Intel didn't give them anything the group missed out - Intel have dedicated resources for these kinds of operations as anyone that has been into computers for a while should know.

    Disgusting.

    1. Re:Now this is suspicious by dbeachy1 · · Score: 1

      Even worse, check out the WHOIS info on that shiny new "amdflaws.com" domain:

      Domain Name: amdflaws.com
      Registry Domain ID: 2230797110_DOMAIN_COM-VRSN
      Registrar WHOIS Server: whois.godaddy.com
      Registrar URL: http://www.godaddy.com/
      Updated Date: 2018-02-22T13:52:36Z
      Creation Date: 2018-02-22T13:52:35Z
      ...
      Registrant Contact
      Name: Registration Private
      Organization: Domains By Proxy, LLC
      Mailing Address: DomainsByProxy.com, Scottsdale Arizona 85260 US
      Phone: +1.4806242599
      Ext:
      Fax: +1.4806242598
      Fax Ext:
      Email:amdflaws.com@domainsbyproxy.com
      ...

      So the new "amdflaws.com" domain was created 20 days ago by some unknown group that hides the domain owner via a proxy. Yeah, that's a totally legitimate research firm...not. It's just another FUD site. "Exploits" that require either 1) physical access to your machine and a "specially crafted BIOS update" or 2) administrative access to the system? Big deal...once you give admin access to malicious software, your system can be compromised a thousand different ways anyway.

  34. No need to look... Israelis did it. by Anonymous Coward · · Score: 0

    Look into how Intel ME is now wholly designed and developed in Israel. Someone who was part of the former Portland management engine kernel development group commented on the politics of this in one of the earlier Intel ME stories. Combined with the change in architecture from the ARC series processors to a triple 486 derived design, starting the analysis process over for at least another 5 years. Combine that with the signing keys for Intel ME plus full control over the development staff in Israel and it isn't hard to put two and two together. Israel, Mossad and their allies are in full control of ME enabled Intel hardware, which is why the NSA required the ME disable flag with the latest versions.

    Whether that means the NSA, GCHQ, FSB, or Chinese intelligence have access as well depends on how many of them are either on friendly terms with Israel, or have double agents in the proper chain of trust to have access to those keys or documentation. The people who don't have it are the physical owners of the computer hardware, the ones who most need it for their own security.

    While AMD is slowly following the same path, they make a good sacrificial lamb at this point to keep Intel dominant, so that further exploitation of Intel backdoors can remain for the foreseeable future, lest all the exploit code currently in the wild needs to be reworked for a different hardware ecosystem and possible operating system (Windows 10 instead of 7 for corporate environments.)

  35. Yep, this happened so many times, it’s a gua by Anonymous Coward · · Score: 0

    ... that it's Intel.

    That's what happens when Intel has spare budget from not having to innovate due to previously using the budget for bullshit like this.
    They just keep doing what they did, to keep that monopoly.

    Ever since 3 out of 4 of the manufacturers died, that dared to make mainboards for the original Athlon (Thunderbird), shortly after Intel threatened all mainboard manufacturers that if they would make a single Athlon board, they would withhold chipsets so they'd go bankrupt, I'm boycotting those Intel motherfuckers.
    I had bought my board from a nice company. They went bankrupt because Intel murdered them!
    If corporations are people, I want Intel in prison. ALL of them. The entire fucking company, from the shareholders, board and management, down to the last "only following orders" cunt. That excuse didn’t work at the Nürnberg trials, and it will not work now! THAT would be "corporations are people"!

  36. Nah, it is much more: Intel. by Anonymous Coward · · Score: 0

    People simply can't believe how far the manipulation of public opinion goes with big organizations nowadays.

    Just look up the Mont Pelerin Society.
    A Swiss organization of 500 (!!) think tanks that casually did spread the ideology of neocon fascism (Mussolini's original definition of the word, nowadays also called "privatization", among many other terms, or even "freedom", in the sense of "freedom from your freedom from our harm") since right after WWII. It's not even a conspiracy theory or anything. It's pretty much public knowledge; merely presented under a friendly light of "freedom" and "rights" and "the market", etc.
    (Although I bet it already has become a conspiracy theory. The trend nowadays goes towards *creating* conspiracy theories, by merging the facts with bullshit, until the facts are so tainted, that anyone who mentions them, gets laughed at, for the bullshit they are now associated with. Even the NSA leaks had nice presentations, where they were bragging about this tactic.)

  37. Intel's little bitches - in every sense by Anonymous Coward · · Score: 1

    Look at these guys - all ex-Israeli intelligence desk-jockeys. Intel (the corporation) has a long and deep presence in Israel too, (it's the birthplace of their ass-saving "core" architecture - hence all the Hebrew codenames, Banias, Yonah, Merom, Carmel, Nehalem, etc.)
    A chunk of AMD and all of GlobalFoundries are owned by Mubadala Development Company, a national wealth fund of the United Arab Emirates. For these CTS louts, there's no issue of responsible disclosure here, they get to kick AMD in the stomach for Intel and give the Arabs a slap as an added bonus.
    Geopolitics, bigotry and nationalism all wrapped-up in one tidy, multi-core package.

  38. Low tech solutions to high tech failures by Anonymous Coward · · Score: 0

    1. Stop embedding management processors or at the very least provide users with a way to physically disable them.

    2. NEVER distribute hardware with persistent storage that is physically capable of being modified in the field without physical access via button/jumper. All necessary firmware updates should be applied dynamically when the computer is booting up and completely disappear once the system is turned off. This includes BIOS.

  39. From their own Disclaimer by iCEBaLM · · Score: 4, Interesting

    https://amdflaws.com/disclaime...

    "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

    24 hours notice. "Researchers" who seem to spring up out of nowhere. Creating a website and videos for maximum publicity. All the security flaws seem overblown (require actual flashing of firmware or bypassing driver signing), and.. wait, what's this?

    https://www.reddit.com/r/AMD_S...

    A huge number of put option (a bet that share price will fall dramatically) volume 5 days ago?

    Nah, this is totally legit!

    1. Re:From their own Disclaimer by sl3xd · · Score: 1

      A huge number of put option (a bet that share price will fall dramatically) volume 5 days ago?

      To play devil's advocate: Put options like that are an everyday occurrence. They're not unusual in any way.

      There's even a solid reason for the bet: Much like Intel, AMD missed the boat for mobile processors. Neither Intel nor AMD have processors in the iOS world, nor do they have a serious competitor to Qualcomm's SnapDragon or NVIDIA's Tegra on Android. Most of the arguments that the Broadcom+Qualcomm merger being an "existential threat" to Intel also apply to AMD, because they both missed the fastest-growing market in the industry.

      Five days ago, it wasn't unreasonable to say that the Broadcom+Qualcomm merger, if approved, could cause AMD's stock price to suffer.

      Unsurprisingly, when news came out that President Trump would block the Broadcom purchase of Qualcomm for national security reasons, AMD's stock jumped.

      --
      -- Sometimes you have to turn the lights off in order to see.
  40. AMD hijacking this thread? by Anonymous Coward · · Score: 0

    Reading over the replies thus far I'm a bit confused. OK I get they released something claiming to be exploits against AMD CPUs and did so with little to no notification. So what? Sounds like people are more butthurt over that than addressing their actual claims which are more damning -- IF TRUE.

    Make no mistake, AMD lawyers will _destroy_ this little company if there is ANY chance of defamation. Reading over the "exploits", it's _NOT_ clear however what privilege escalation is actually happening. If AMD claimed the SP was secure against local admin/root compromise for example, then it's absolutely an exploit.

    It's called zero day exploits and again, if true, are absolutely a "fuck you" to vendors who insist on releasing unproven, untrusted and unverified code. That's the POINT.

    I trust AMD to have a hell of a lot better response than INTEL did regardless.

    1. Re:AMD hijacking this thread? by sl3xd · · Score: 1

      Sounds like people are more butthurt over that than addressing their actual claims which are more damning

      We saw the same thing happen when Spectre was announced - a lot of butthurt AC's were adamant that the only "real" problem was the Intel-only meltdown bug, and anyone who disagreed were "shills" for Intel; that Spectre was invented to smear AMD.

      It seems there is a growing percentage of the population who instantly fall back on conspiracy theories whenever reality reveals something they don't like.

      The proper reaction to a bug is to curse, fix it, and move on.

      --
      -- Sometimes you have to turn the lights off in order to see.
    2. Re:AMD hijacking this thread? by bongey · · Score: 1

      Because Spectre was a joke exploit compared to Meltdown. Even Linus Torvalds called out Intel for the bullshit of trying to mix the two together.

  41. NOTHING IS SECURE IF IT IS "PLUGGED IN" by Anonymous Coward · · Score: 0

    I just don't get it. Why are people, let alone people on this site, so surprised about these "vulnerabilities".

    Bottom line is that if you use anything that you did not develop and control, at all levels, yourself you cannot consider it secure.

    Every system is exploitable.

  42. Who cares who sponsored it? by jd · · Score: 1

    Violating KISS principles got Intel and AMD into this mess. There's plenty of room on the die and they're quite capable of making SMP cheap and affordable. SMP is better than multicore because each core gets more cache and more bus. They deserve what they get and I have no sympathy.

    Tools to verify the hardware description language exist, they can use simulators to test the hardware, if they are skimping on QA in order to cut costs, then they have no-one to blame but themselves.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  43. Known issue by Lava+VPS · · Score: 1

    The case is known and we need to state that our users are safe. This CPU case will not affect our infrastructure and customers' data.