Slashdot Mirror
Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report (zdnet.com)
Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."
These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.
These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.
Linus Torvalds be like: Fuck you CTS Labs and Fuck you Nvidia.
whats the point of some exploit if you already have admin? You can do anything you want already
While I agree it is absolutely idiotic, this seems to be pretty much the case for a very large percentage of security advisories issued by a lot of these types. Where either physical access or administrator/root access is required in order to pull off these highly dangerous exploits. So what makes this one so special that it needs singling out?
https://regmedia.co.uk/2015/07...
WORD--;
... some blowhard douche. Nice. Like it. ...
Sadly the fight is so short there's no point in getting popcorn.
Ok, so it *was* some kretin looking for attention. I have that suspicion when I saw the report on some tech blog yesterday.
We suffer more in our imagination than in reality. - Seneca
If you replace the BIOS or microcode with something not expected it wont work as expected.
This doesn't seem any more malicious then issuing a command like
dd if=/dev/random of=/dev/bios count=1024 bs=1024 to overwrite the BIOS with garbage and brick the machine on next boot
Maybe we need to go back to the days of removable BIOS chips where on the cheap end one could snip the write enable pin on the BIOS chip or on the slightly more expensive end there were devices that could sit between the BIOS chip and the socket with a switch on them to physically switch off the WE pin. I actually had a similar device back in the day called the BIOSSaver. It actually contained a second EEPROM on the device that sat between the real BIOS chip and socket. with the flip of a switch you could switch between two different BIOS versions, or have a backup BIOS in the case that a BIOS update went tits up.
Can't find much about the BIOSSaver these days, a few forum posts, here's a german site that still appears to sell them
https://www.com-tra.de/de/zubehoer/
"To everyone who does patch management, inflammatory security reports are annoying distractions from getting real work done."
Torvalds was not the only person this irritated. I was irritated too. Where's my Slashdot post?
You know who actually cares about, and values, TPM chips? Developers who need it for DRM.
Outside of the realm of DRM, this stuff isn't really useful (*). When non-Hollywood types talk about securing things, we accept "if they got physical access and also admin rights, then it's theirs now." Do you really care that your bootloader is signed? Fuck no, because you don't let just anyone write to your bootloader, and if you did, then you'd expect to lose.
But Hollywood wants "even if they have physical access and admin rights, the computer should still [at least partially] belong to Hollywood."
It's a non-story. Unless you're in the DRM snakeoil business. ie. if you make your living through fraud. So Linus wouldn't care. But Microsoft, Google, etc would, because they want their OSes to offer DRM.
(*) Ok, maybe VPSes and "cloud providers" (e.g. AWS) care, a little.
My word, but there are a lot of trolls posting on this story. I do wonder how many are being paid to do so...and who would fund an astroturf campaign, though they don't all seem to have the same playbook.
I think we've pushed this "anyone can grow up to be president" thing too far.
They require a system administrator to be almost criminally negligent to work.
You might want to sit down for this....
I have read through the documents (for work). Once stripped of the hype, I would not be surprised if these "vulnerabilities" are literally correct as described. There is a whole lot of hedging going on down in the details, which gut the document of any really critical vulnerabilities. It would have been so easy to leave out a sentence to make any one of those bugs earth-shaking, but no. This makes me think that the document is carefully written to be as alarming, as scare-mongering, as possible, while not actually giving in to blatant lies that could land someone in prison.
*If* the vulnerabilities are as described, then the real-world impact is that you will no longer be able to really trust a pre-owned computer. Governments and security-conscious companies will no longer be able to take any computer (new or pre-owned), format or replace the disks, and declare the computer secure. Those "bugs" will need to be taken into account. Same thing for computer forensics.
Of course, this was already somewhat the case. You should already reflash the BIOS, and some hard disks and ethernet cards have flashable firmware, but it would seem that the impact of these bugs are that the manufacturer's manual for cleaning the system, more or less unchanged for decades, now has a few holes in it.
To sum it up, I suspect we paranoid people will need a much more hard-core procedure to sanitize hardware. A format/reinstall isn't going to cut it any more.
But let this other famous guy say it:
https://www.youtube.com/watch?v=27eADk7wh2Y
WARNING: Smartphones have side effects--most of them undocumented.
He then suplexed Fox news for disingenuous reporting and triple axle-kicked the those who think 'slams' isn't the most goddamn overused headline verb.
...this airtight hatchway."
"Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality."
Relevant: https://www.google.com/search?q=site%3Ablogs.msdn.com%2Fb%2Foldnewthing%2F+%22airtight+hatchway%22
If there is no privilege escalation, they are not security flaws, just boring ol' bugs.
The following will cause an Intel CPU to fail catastrophically:
* pouring petrol on the Intel CPU and then igniting it.
* smashing the Intel CPU with a hammer
* dousing the Intel CPU in highly concentrated sulphuric acid
* urinating on the motherboard containing the Intel CPU
* increasing the voltage supplied to the Intel CPU to 100 volts.
* installing a computer with an Intel CPU in a cage with an angry Tyrannosaurus Rex
* targetting the Intel CPU with a nuclear bomb
These flaws are so severe that Intel should withdraw all of their CPUs from the market and file for bankruptcy immediately. Nobody should ever use an Intel CPU for anything.
I am releasing this vital information now without prior notice to Intel because I believe that they have no hope of fixing this flaw in any reasonable time frame.
Disclaimer (hidden deep within the near-impenetrable legalese on an obscure URL of my web site, just like CTS's disclaimer): the reader should assume that I may have a position on the stocks of any company mentioned in this press release.
He's generally a pretty bright guy, but I almost pissed myself at the claim of a requirement of criminal negligence from an administrator.
I've made a living finding privilege escalations in *his* goddamn operating system.
I've never before been able to say, with this root escalation, I can now render this machine forever owned. Now I can.
I just really hope it drives home the silliness of allowing any kind of code to run on the goddamn chipsets, and special security domains running at ring -1.
It needs local admin priviledges FFS, the big prize for all hacks, root admin, is a pre-requisite for even starting this attack.
Not necessarily. Imagine this scenario: You have a secured machine, it is using SecureBoot to verify the bootloader and kernel image, signed using your org's keys. When it boots, the user must enter a pass phrase, which is used to decrypt the keys stored in the TPM to decrypt the hard disk. Without the correct pass phrase, entered into the verified boot loads, you have no way of accessing any of the confidential data on the disk. I'm pretty sure Windows supports this configuration out of the box and I believe that you can do the same with Linux / GRUB.
This setup is incredibly hard to bypass. Except with a vulnerability like this, because no if you have 2 minutes of physical access to the machine, you can reboot into an OS from a USB disk and install persistent malware that can fake the boot attestation, extract the keys when the TPM unlocks them, and access all of the data on the disk. The malware can also establish network connections without the OS being aware of them, so it can exfiltrate the data if there isn't a decent IDS on the network (or it can just let the attacker dump the entire disk contents to a USB drive the next day, or the attacker can take the encrypted disk image the first time and then the malware just needs to transmit the key, which can be hidden as a single HTTPS request and probably not blocked by anything).
How much confidential data is stored on your organisation's computers? How sure are you that your cleaners would say no if someone offered them $100,000 to stick a USB drive in each of the desktops in an office, reboot, and then remove it a couple of minutes later?
I am TheRaven on Soylent News
It looks like Intel has hired some PR mitigation experts. They've come up with this bogus attack vector*, and we see stories of how this claimed vector could be used to attack stock markets etc.
It all smells of a stinky 800lb Gorilla.
Yeh, this looks like it's all about Intel's Meltdown problem. I don't need to upgrade right now, but I suddenly feel like I want to go upgrade to a thread ripper box.
* It needs local admin priviledges FFS, the big prize for all hacks, root admin, is a pre-requisite for even starting this attack.
Yeah, this company was formed just shortly after Intel was informed of their own security holes 6 months ago, before they even started dumbing their own stocks.
If the changes are persistent, as at least some of the sources have indicated, then this *is* a serious problem,
It's a serious problem that require flashing the UEFI/BIOS firmware.
If you have the capacity to flash firmware, you *already at that point* have the capability to do a ton of awful and persisting damages.
The fact that these peculiar variants happen to attack the AMD PSP is just a small foot note detail.
To put it into perspective, this has nothing to do with the numerous bugs and exploit that have plagued IntelAMT and IPMI (those were more of the type "the lights-out remote management system is so buggy and fucked up, that you can basically use it as a backdoor"). Here, it's more "if you upgrade and put a buggy lights-out remote management tool, you'd be openning a backdoor" - Well no shit.
(Except that the AMD PSP isn't used for Light-out-management. But for handling stuff like DRM, TPM, boot firmware signing, etc.
But still, if you install a crappy one, yes, the system will be hosed.
And if have the capability of installing a one, then you have tons of possibility to hose the system. Including possibility that have nothing to do with AMD PSP).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Oh... so you don't need root...... you just need the even higher access privilege of PHYSICAL ACCESS.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
You can do it with root, but it doesn't need to be root on the OS the has access to the sensitive data. The entire point of these features is to protect you from an attacker with either physical access or the ability to insert malware into your OS. That they can be bypassed by someone with either physical access or the ability to insert malware into your OS means that they are useless.
I am TheRaven on Soylent News
Yeah, there is some sort of lojack for computers that would reinstall itself at least two or three years ago. It did only work on Windows, if I remember correctly, but that had more to do with the software design.
Cheap storage VM.
if you have 2 minutes of physical access to the machine
Meh... if you have less than 30 seconds of physical access to the machine, you can plug the keyboard into a tiny hardware keylogger that plugs into the back of the machine. Those are cheap, readily available, don't require any assumptions about what's under the hood, and a cleaner reaching into the dusty area behind a PC will look a helluva lot less suspicious than a cleaner booting from USB (which, BTW, would be disabled by any remotely competent admin working in a high-security environment).
The point being not so much this specific attack vector, but the fact that that an adversary with physical access has nearly infinite ways to compromise a machine. If your organisation handles info that is that confidential, you'd better screen your cleaning personnel, or lock them out of certain rooms.
You're then leaving a physical device behind, which someone might notice. With this kind of attack, you need a few seconds / minutes of access and then the only thing you leave behind is untraceable software. That said, my favourite attack along these lines involved a vulnerability in some of the early Apple USB keyboards, combined with their overengineering, which meant that you could replace the firmware with something that included a keylogger and you had a few tens of KBs of spare flash to write the keys into, so you could record a day's worth of typical use in a buffer in the keyboard's flash and dump it via the USB ports each night.
I am TheRaven on Soylent News