Slashdot Mirror


Researchers Find Critical Vulnerabilities in AMD's Ryzen and EPYC Processors, But They Gave the Chipmaker Only 24 Hours Before Making the Findings Public (cnet.com)

Alfred Ng, reporting for CNET: Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer. CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly. An AMD spokesperson said, "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings." Zack Whittaker, a security reporter at CBS, said: Here's the catch: AMD had less than a day to look at the research. No wonder its response is so vague.

18 of 195 comments

  1. Sponsored by, Intel! (R) by Anonymous Coward · · Score: 5, Interesting

    ... someone needs to dig (deep) into who registered the amdflaw domain and who is funding this.

    1. Re:Sponsored by, Intel! (R) by sinij · · Score: 5, Interesting

      Yes, a couple of days to respond is a hit job and not responsible disclosure. However, if AMD and Intel get into "flaw disclosure" wars, the only winners will be consumers. This is not a bad thing.

    2. Re:Sponsored by, Intel! (R) by Penguinisto · · Score: 4, Insightful

      Devil's Advocate: the disclosure(s) is (are) vague as hell on exploit details, let alone demonstrations or proof-of-concepts, so there is that.

      All said though, still a dick move by CTS-Labs.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Sponsored by, Intel! (R) by Opportunist · · Score: 5, Insightful

      Care to inform me how I would be the winner if flaws in hardware become published with ZERO chance for their makers to deliver any kind of patch before malware creators get a chance to exploit them?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Sponsored by, Intel! (R) by Baloroth · · Score: 4, Insightful

      As opposed to Intel, whose chips are perfectly secure. Except Intel had ~5 months to fix the problem before public disclosure (longer than responsible disclosure standards required). AMD is somehow only given 24 hours? That's not just irresponsible disclosure, that's an indirect attack.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    5. Re:Sponsored by, Intel! (R) by Carewolf · · Score: 5, Informative

              Care to inform me how I would be the winner if flaws in hardware become published with ZERO chance for their makers to deliver any kind of patch before malware creators get a chance to exploit them?

      The place this hole is, is the AMD version of IME, a useless piece of malware designed to remote-control your computer, which Intel and AMD put there for enterprise purposes. Get rid of it or make it default-off and these issues go away...

      I have no fucking clue why they installed those crappy Internet-of-shit operating systems in there by default in the first place.

    6. Re:Sponsored by, Intel! (R) by sinij · · Score: 5, Funny

      You stole my comment!

      It isn't my fault that your speculative execution and prediction thinking leaked your post idea for everyone to see.

  2. Not quite comparable to Intel's snafu by erapert · · Score: 4, Insightful

    These vulnerabilities look like they are almost all problems with the chipset or AMD's equivalent to Intel's Management Engine.
    So these aren't quite on par with Spectre and Meltdown.

    Some firmware updates should fix almost all of this.
    Still, it was sort of an asshole move to only give AMD 24 hours' notice just so they could get their 15 minutes of fame.
    And, yes, it's disgusting to see AMD put out products with lots of weaknesses like this.

  3. pretty lame summary by nimbius · · Score: 5, Insightful

    See https://amdflaws.com/ for the actual exploits detailed. The "whitepaper" is mostly fluff, unless you enjoy pretty icons and charts. It is completely devoid of any technical implementation details outside of how vulnerable Windows is to this flaw. The idiotic green-screen video confirms this exploit appears to have more studio production value than actual security value. https://www.youtube.com/watch?...

    --
    Good people go to bed earlier.
  4. Intel gets 6 months and AMD gets a day? by Anonymous Coward · · Score: 5, Insightful

    This all smells fishy. Hand me the tin-foil. I need a hat.

  5. trying to make a name for themselves... by jmdevince · · Score: 5, Informative

    CTS Labs only registered their domain (cts-labs.com) 6 months ago. They registered amdflaws.com 2018-02-22. So they spent time tweaking the marketing material. This is nothing but a new company trying to make a name for themselves and have instead pissed off true security researchers by not following responsible disclosure. From CTS' own site: "Due to the sensitive nature of security vulnerabilities, we usually work under strict mutual NDAs with our customers to ensure maximum safety and privacy". ... Horseshit.

    1. Re:trying to make a name for themselves... by MachineShedFred · · Score: 4, Interesting

      The sentence on the web site was probably edited from:

      "Due to the sensitive nature of security vulnerabilities, we usually work under strict mutual NDAs with our customers to ensure maximum safety and privacy. If you would like to become one of our customers by handing over a signed NDA and a fat bag of money, you can contact us at the following email address. Should we find a flaw in a product that is not produced by one of our NDA partners, we'll first ask them for a fat bag of money, and if they don't immediately capitulate, we'll be publishing their dirty laundry as "full disclosure with previous notification".

      Somehow I have a feeling that the "disclosure" to AMD included the offer of a mutual NDA and business-to-business financial arrangement, with AMD telling them to pound it.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  6. They all have insane requirements by Anonymous Coward · · Score: 5, Informative

    All of those "vulnerabilities" have insane requirements like being able to defeat OEM BIOS flash protections or Windows' driver signing...

    MASTERKEY:

            Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update. This update would contain Secure Processor metadata that exploits one of the vulnerabilities, as well as malware code compiled for ARM Cortex A5 – the processor inside the AMD Secure Processor.

    RYZENFALL:

            Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

    FALLOUT:

            Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

    CHIMERA:

            Prerequisites for Exploitation: A program running with local-machine elevated administrator privileges. Access to the device is provided by a driver that is digitally signed by the vendor.
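The MASTERKEY prerequisite quoted above (re-flashing the BIOS with a crafted update whose Secure Processor metadata triggers the bug) only works against a loader that interprets attacker-supplied metadata before, or instead of, authenticating the image. The following is an added example, not code from the page, from CTS-Labs or from AMD: it shows the verify-then-parse discipline a firmware loader should follow, using a constructed container format and Go's standard-library ed25519. The layout (magic, length, metadata, payload, trailing signature), the field names and the sample metadata strings are all assumptions for illustration and say nothing about AMD's real BIOS or PSP image format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout for this example (NOT AMD's real BIOS/PSP
// image format, which this page does not describe):
//
//	[4]  magic "FWUP"
//	[4]  little-endian length n of the metadata region
//	[n]  metadata that the embedded secure processor would parse
//	[m]  payload (code for the embedded ARM core)
//	[64] ed25519 signature by the vendor key over everything before it
const magic = "FWUP"

// Update is the parsed content of an image that has already been authenticated.
type Update struct {
	Metadata []byte
	Payload  []byte
}

// BuildSignedUpdate is the vendor-side signing step. An attacker who crafts
// an image must either hold this private key or find a loader that uses the
// metadata before checking the signature.
func BuildSignedUpdate(priv ed25519.PrivateKey, meta, payload []byte) []byte {
	var b bytes.Buffer
	var n [4]byte
	binary.LittleEndian.PutUint32(n[:], uint32(len(meta)))
	b.WriteString(magic)
	b.Write(n[:])
	b.Write(meta)
	b.Write(payload)
	b.Write(ed25519.Sign(priv, b.Bytes()))
	return b.Bytes()
}

// VerifyThenParse is the loader-side check: authenticate the whole image
// first, and only then interpret any field. Unsigned, re-signed, truncated
// or modified images never reach the metadata parser.
func VerifyThenParse(pub ed25519.PublicKey, image []byte) (*Update, error) {
	if len(image) < len(magic)+4+ed25519.SignatureSize {
		return nil, errors.New("image too short to hold header and signature")
	}
	body := image[:len(image)-ed25519.SignatureSize]
	sig := image[len(image)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("vendor signature check failed; update rejected")
	}
	return parseBody(body)
}

// parseBody runs only on authenticated bytes, but still bounds-checks the
// length field instead of trusting it.
func parseBody(body []byte) (*Update, error) {
	if string(body[:4]) != magic {
		return nil, errors.New("bad magic")
	}
	n := binary.LittleEndian.Uint32(body[4:8])
	if n > uint32(len(body)-8) {
		return nil, errors.New("metadata length exceeds image")
	}
	m := int(n)
	return &Update{Metadata: body[8 : 8+m], Payload: body[8+m:]}, nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	meta := []byte("target=secure-processor;version=1") // constructed sample
	payload := []byte{0xde, 0xad, 0xbe, 0xef}           // stand-in for ARM code

	good := BuildSignedUpdate(vendorPriv, meta, payload)
	if u, err := VerifyThenParse(vendorPub, good); err == nil {
		fmt.Printf("vendor-signed image accepted, metadata=%q\n", u.Metadata)
	}

	// Attacker edits one metadata byte in place: the signature no longer matches.
	tampered := append([]byte(nil), good...)
	tampered[8] ^= 0xff
	_, err := VerifyThenParse(vendorPub, tampered)
	fmt.Printf("tampered metadata: %v\n", err)

	// Attacker signs a fresh image with their own key: wrong key, rejected.
	rogue := BuildSignedUpdate(attackerPriv, []byte("target=secure-processor;evil=1"), payload)
	_, err = VerifyThenParse(vendorPub, rogue)
	fmt.Printf("attacker-signed image: %v\n", err)
}
```

The caveat the commenter is making still applies: this check lives in the loader, so it only helps while the loader and the OEM flash write protections are themselves intact. An attacker who can already defeat those protections and re-flash arbitrary firmware is past the point where signature verification of updates matters, which is why the prerequisites quoted above make the reported bugs far less alarming than the naming suggests.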

    1. Re:They all have insane requirements by 93+Escort+Wagon · · Score: 5, Funny

      You're missing the point.

      The point is - they came up with really cool names for each exploit.

      --
      #DeleteChrome
  7. Not a vulnerability by FeelGood314 · · Score: 5, Interesting

    This is both an attack on AMD (and possibly their stock price) and a way for the researchers to get publicity. This happens way too often, just this time it got more publicity than usual. What happens is researchers looking to make a name for themselves find what they think could sound like an exploit; the fact that it might already be public knowledge or hell even the way a device is supposed to work (e.g. exploit needs signed drivers and physical access) doesn't matter. Usually the "researchers" aren't very good. They use automated tools to scan for a vulnerability that they don't really understand and when you respond that "yeah, that 32 bit signed/unsigned error might be exploitable if you send me a buffer with 2^31 + 7 bytes of data to a process on an old 32 bit server but since the process only has 2GB of memory good luck."* The researchers intentionally published right away so that the organization they are attacking doesn't have time to respond. The researchers didn't want a response because they knew the response would be "fuck off, this isn't a vulnerability!"

    *yes, I had this conversation.

  8. Now this is suspicious by Megol · · Score: 4, Insightful

    Look at how the information is delivered. "This site is to inform the public about the vulnerabilities and call upon AMD and the security community to fix the vulnerable products." - but doesn't actually give AMD the time to fix the problem(s).

    Look at the website: amdflaws.com
    Nice name.

    "MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update"
    So this is a low impact problem. Yes they try to hype it but the fact is if anyone has access to a computer one should always assume they can gain control.
    Just a few years ago people wouldn't even try to portray it as a problem.

    The rest are similar things - bypassing security while still needing physical and/or elevated privileges. Yes there may be problems caused by this, no the problems aren't really bad.

    I wouldn't be surprised if Intel spent some $$$ to encourage the group behind this to select the website name, the naming of the exploits (or "exploits" in some cases), how they are presented on the website and the white paper, and lastly to not give AMD any chance to patch the problems. Add to this the quote above that shows an exceptional level of dishonesty.

    And if Intel didn't give them anything the group missed out - Intel has dedicated resources for this kind of operation, as anyone who has been into computers for a while should know.

    Disgusting.

  9. From their own Disclaimer by iCEBaLM · · Score: 4, Interesting

    https://amdflaws.com/disclaime...

    "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

    24 hours notice. "Researchers" who seem to spring up out of nowhere. Creating a website and videos for maximum publicity. All the security flaws seem overblown (require actual flashing of firmware or bypassing driver signing), and.. wait, what's this?

    https://www.reddit.com/r/AMD_S...

    A huge volume of put options (a bet that the share price will fall dramatically) 5 days ago?

    Nah, this is totally legit!

  10. Re:Follow the money by slack_justyb · · Score: 5, Informative

    They literally spell it out on their disclaimer page.

    Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

    So while these exploits might be real, they just straight up fess up to being shady as shit. This is some blackballing level of unethical behavior. They literally hit and run AMD for profit. Whoever these engineers are, this whole episode should be the end of any future career they might have had and it just stops short of what I would think would constitute an outright FTC investigation.

    Twenty-four hour notice and then posting publicly the exploits isn't research, that's a willful attack.