13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

Discussion in 'AMD Processors' started by ir0nw0lf, Mar 13, 2018.

  1. vick1000

    vick1000 [H]ard|Gawd

    Messages:
    1,922
    Joined:
    Sep 15, 2007
    The chances of anything happening is 0%, until it does, then it's 100%. Probability is a construct of the human psyche, it does not exist in reality. To associate it with the deliberate act of an individual is nonsense.
     
  2. DuronBurgerMan

    DuronBurgerMan [H]ard|Gawd

    Messages:
    1,324
    Joined:
    Mar 13, 2017
    Yeah, the sky is falling! Everybody throw your computers into the garbage and put on a tinfoil hat, they are gonna hack your brain!

    *sigh* this was seriously overblown. But I do agree that this sort of thing will probably discovered in other chipsets and platforms soon enough - if it hasn't already. Patch, and move on. If patch is timely, and doesn't cause a performance hit, I really don't give a shit.
     
  3. juanrga

    juanrga Pro-Intel / Anti-AMD Just FYI

    Messages:
    2,550
    Joined:
    Feb 22, 2017
    Writing this as resume for future reference and also to correct some repetitive misunderstandings about this spreading in the Internet.

    1) There are 13 security flaws confirmed on AMD Platform Security Processor (PSP) and AMD Promontory chipset.

    2) RyzenFall, Masterkey, and Fallout are exclusive to AMD. Chimera is not exclusive.

    3) Chimera-like attacks could happen in some old mobos for Intel processors. Mobos with affected ASmedia chips used for USB controller. This is not Intel fault, this is the motherboard company fault. E.g. if Asus has affected mobos it is Asusflaw. In the other hand all Promontory chipsets from AMD are affected by Chimera. CTS-labs tested Chimera on Intel-based hardware and the result was negative: "We've looked into quite a few computers made by HP, Dell, Lenovo, etc. and they were not affected".

    4) Administrative access being a requirement for the attacks has been known since the first minute that CTS-labs made public the flaws. Administrative access doesn't grant users complete access to the system. Precisely AMD designed the PSP to restrict certain accesses. As AMD’s security architect David Kaplan explained in a talk about security, a feature of the PSP called Secure Encrypted Virtualization (SEV) was specifically designed to prevent rogue cloud administrators, obviously in possession of administrative privileges, from being able to access customer data. CTS-labs discovered that the PSP is broken and the attacks bypass the SEV. AMD has to fix this. Similar claims about installing compromised firmware. Contrary to misunderstandings repeated in the Internet, administrative access doesn't grant users the option of installing any firmware. The PSP has built-in protocols to test the firmware and reject infected firmware, but the PSP is broken and flaws as Masterkey bypass the PSP signature checks to update the PSP with the attacker’s firmware. AMD has to fix this as well.

    5) This is not only related to administrators or attackers that got administrative access. There are other possible scenarios; one of them is a company building/installing new computers for costumers and the builder (which obviously has administrative access) installing backdoors. The final administrator/user of the new computers got infected hardware.

    6) Additional elements are persistence and undetectability. Those vulnerabilities are outside the reach of most security products, making difficult the detection of infected hardware. Even in those cases where considerable effort is made on detection, infection persists even after reboots, OS re-installation and BIOS updates. The only possible way to eliminate an already compromised systems consists on replacing the hardware by new hardware without infection.

    7) So current AMD hardware/software is broken and allows attackers to make things that they wouldn't be able to do such as
    • Execute code in the PSP and SMM (no visibility to typical security products)
    • Block or infect further BIOS updates, or brick the device
    • Bypass Windows Credential Guard
    • Bypass SEV
    • Bypass Secure Boot
    • Bypass or attack security features implemented on top of the PSP (e.g., fTPM)
    8) CTS-labs claims RyzenFall, Masterkey, and Fallout could be fixed within "months". AMD claims will be fixed within "weeks". Time will say. CTS-labs claims that Chimera cannot be really fixed, only mitigated. AMD didn't mention any time estimate for Chimera.
     
    Last edited: Mar 27, 2018
  4. FearTheCow

    FearTheCow [H]ardness Supreme

    Messages:
    4,736
    Joined:
    May 2, 2006
    Keep grasping at straws.
     
    griff30, {NG}Fidel and thebufenator like this.
  5. Pieter3dnow

    Pieter3dnow [H]ardness Supreme

    Messages:
    6,789
    Joined:
    Jul 29, 2009
    I'm just saying that the act you describe is as improbable to happen and within the next few weeks not possible...
     
  6. Pieter3dnow

    Pieter3dnow [H]ardness Supreme

    Messages:
    6,789
    Joined:
    Jul 29, 2009
    From the disclaimer in the whitepaper: "The report and all statements contained herein are opinions of CTS and are not statements of fact"
    "Although we strive for accuracy and completeness to support our opinions, and we have a goodfaith belief in everything we write, all such information is presented "as is," without warranty of any kind– whether express or implied – and CTS does not accept responsibility for errors or omissions. CTS reserves the right to change the contents of this White Paper and the restrictions on its use, with or without notice, and CTS reserves the right to refrain from updating this White Paper even as it becomes outdated or inaccurate."

    from the webpage: "Do these vulnerabilities require physical access?
    No.

    RYZENFALL, FALLOUT and CHIMERA do not require physical access to exploit.

    MASTERKEY requires BIOS re-flashing, but that is often possible by just having local admin on the machine and running an EXE. We've confirmed this works on motherboards by Tyan, ASUS, ASRock, Gigabyte, Biostar, and others.
    "
    "
    What is required to exploit the vulnerabilities?
    Local machine admin privileges. The vulnerabilities are most harmful in APT situations on enterprise networks.
    "
     
  7. vick1000

    vick1000 [H]ard|Gawd

    Messages:
    1,922
    Joined:
    Sep 15, 2007
    I'm sorry, but how do you know this?
     
  8. Pieter3dnow

    Pieter3dnow [H]ardness Supreme

    Messages:
    6,789
    Joined:
    Jul 29, 2009
  9. DuronBurgerMan

    DuronBurgerMan [H]ard|Gawd

    Messages:
    1,324
    Joined:
    Mar 13, 2017
    Crazy thing about this is, juanrga is a smart guy. That's very clear. But somehow he's missing the obvious: this was a scam to short the stock and make a quick buck. The security issues aren't end of the world type stuff. Par for the course, these days, to have security shit pop up, get squashed, and everybody moves on. This should have been done in the industry-accepted manner, with sufficient lead time for the manufacturer to address before public release. CTS's 'reasons' for not doing this are beyond bogus. Hit AMD, short the stock, make a quick buck. End of story.

    If AMD doesn't release fixes in the next few weeks, THEN we can start to point fingers and take a dump on AMD for failing to take it seriously. Until then... business as usual, mang.
     
  10. juanrga

    juanrga Pro-Intel / Anti-AMD Just FYI

    Messages:
    2,550
    Joined:
    Feb 22, 2017
    As I said since my first posts about this, not only I don't mix the technical flaws with the financial stuff, but I don't care about Viceroy and accusations of stock manipulation. My interest is on technical stuff.

    The security flaws are real, because AMD hardware is broken and security layers can be bypassed, allowing attackers to do just the kind of stuff that, for instance, the AMD Secure Processor was supposedly impeding. The security holes are serious (if they weren't serious AMD had not designed the Secure processor) and that is the reason why AMD is working in patches and mitigations of the flaws in the AMD Secure Processor.
     
  11. DuronBurgerMan

    DuronBurgerMan [H]ard|Gawd

    Messages:
    1,324
    Joined:
    Mar 13, 2017
    I don't even know why I'm arguing this with you. Habit, maybe?

    1. Flaws are real, but *blown out of proportion*. AMD should fix them. AMD said they are fixing them. So long as AMD delivers, case closed in my mind. Juanrga, you know as well as anybody else here that every fucking thing ever made has security holes in it, pretty much. They will come up. The way the holes are released and the way the company(s) involved respond matters... a lot.

    2. Motivations *are* important. If the entity releasing the information has a malicious motive (hint: they did) that calls into question the interpretation of the whole thing. I.e. the marketing spin on it as some grand, terrible, zOMG AMD is fucked forever bullshit.

    Now look, I know you have a rage boner for AMD. I understand. Sometimes we just don't like something - I hate GM vehicles, and I could go into long winded rants about my reasons for this - many of them technical. And every time there is a GM recall, I give my Camaro buddies a lot of shit for them, and they do the same to me.

    But truth is, recalls are a fact of life in the car business. They will happen - to every manufacturer. Just like security holes will happen to every manufacturer in this business. The response, frequency, and severity all matter. In the case of recalls, if somebody died, that's real bad. In security holes, if somebody big fell victim the attack, that's real bad. Otherwise, it's academic, and give AMD the time to fix and respond.

    If a month from now, they've sat on their asses and done nothing THEN I will bitch. Otherwise... lolol. "Somebody found a security hole!" Lol. Somebody found water in the ocean!
     
    {NG}Fidel likes this.
  12. vick1000

    vick1000 [H]ard|Gawd

    Messages:
    1,922
    Joined:
    Sep 15, 2007
  13. vick1000

    vick1000 [H]ard|Gawd

    Messages:
    1,922
    Joined:
    Sep 15, 2007
    A hole that can be used to inject persistent code into the base hardware of the system, bad analogy. But interesting, what if some really toxic water was in the ocean that was killing lots of wildlife, and you could never find it to get rid of it.
     
    juanrga likes this.
  14. bb_forrest

    bb_forrest n00b

    Messages:
    38
    Joined:
    Mar 1, 2017

    I'm waiting for him to appear on the BranchScope thread showing the same kind of reasoning but I'm sure that he won't.

    I have no problem with the fact that he hates AMD, seems a little strange unless he's being paid or there was a personal trauma involving them in the past but everyone is entitled to their quirks.

    What I detest however is blind reasoing and a complete lack of objectivity - you either look at the technical viewpoint of things from the same position regarding of who it is, anything else just makes you a hypocrite.

    My next system will be a Ryzen 5, I've too many other things to spend money on to buy top of line (unless I suddenly win a S1000RR).
     
  15. IdiotInCharge

    IdiotInCharge [H]ardForum Junkie

    Messages:
    11,659
    Joined:
    Jun 13, 2003
    Look, I'll be the first to admit juarnga has bias- he's pretty much locked on to pro-Intel/Nvidia.

    I will also say that screaming 'nuh uh your wrong!' at him isn't useful to anyone; it just exposes your own lack of reasoning skills. If he is trolling, you should be able to substantially refute him directly.

    I have yet to see proof that the flaws exposed are not real, that they have been patched, that they are not as insidious as presented, or that stock manipulation actually resulted in a loss/gain. I have also not seen proof of an exploit in the wild, which is great!, but until patches are released and confirmed to mitigate the vulnerabilities, Ryzen systems are vulnerable at the deepest levels.

    [and I'd personally still buy one if I had a use case]
     
  16. Dermac

    Dermac Limp Gawd

    Messages:
    152
    Joined:
    May 6, 2005
    I hope Juan is paid by Intel because then it would explain a lot. Either way, partly because of Juan, Intel has made me a lifelong purchaser of AMD products. Thanks Juan, keep doing your job.
     
  17. DuronBurgerMan

    DuronBurgerMan [H]ard|Gawd

    Messages:
    1,324
    Joined:
    Mar 13, 2017
    Yup.

    Don't think you were talking to me, but I'll take it anyway. The fascinating thing about Juanrga's posts is that he isn't wrong (often) on the technical aspects. I generally agree with his technical descriptions, even here. And he's proven many times that his math is better than most here. It's his spin and interpretation of the findings that is an issue for me. CTS did the same kind of thing. I mean, just look at the names they came up with for these things. "Ryzenfall" Lol. And then CTS used this language in the report: "AMD must cease the sale of Ryzen and EPYC chips in the interest of public safety."

    That's spinning the hell out of all this. I wouldn't even argue that for Meltdown and Spectre with respect to Intel. It's "the sky is falling" kind of chicken little language.

    The flaws are real. I don't know that anyone is saying they don't exist. They haven't been patched, but AMD issued a statement saying patches were expected within "weeks" (we'll see if they deliver). And so far as I know, the technical descriptions of them are accurate. But so insidious as to require all Ryzen and EPYC CPUs to be immediately pulled off the market? That's extreme. If Viceroy got a gain off shorting the stock (highly likely, but we'll need more evidence to confirm) we'll probably eventually see a court case about it. The connection between Viceroy (known for doing this kind of thing) and CTS is pretty well demonstrated, however. Viceroy even posted "AMD: The Obituary."

    See what I mean by spin? THAT is the problem I have with all this.
     
  18. Pieter3dnow

    Pieter3dnow [H]ardness Supreme

    Messages:
    6,789
    Joined:
    Jul 29, 2009
    You don't mix your "facts" with links either. Nor do you tell the whole story and only post what suits your narrative. The only thing that is real is that you need username/password or access to a physical computer for any of these flaws to work.
     
    {NG}Fidel and pendragon1 like this.
  19. vick1000

    vick1000 [H]ard|Gawd

    Messages:
    1,922
    Joined:
    Sep 15, 2007
    Have these been patched yet, I can't find anything about it? AMD said "weeks" didn't they?
     
  20. Nobu

    Nobu 2[H]4U

    Messages:
    3,233
    Joined:
    Jun 7, 2007
  21. FrgMstr

    FrgMstr Just Plain Mean Staff Member

    Messages:
    48,346
    Joined:
    May 18, 1997
    If you have issue with another community member here, I highly suggest you use the IGNORE FEATURE and the REPORT POST feature, in that order.
     
    NKD likes this.
  22. vick1000

    vick1000 [H]ard|Gawd

    Messages:
    1,922
    Joined:
    Sep 15, 2007
  23. Nobu

    Nobu 2[H]4U

    Messages:
    3,233
    Joined:
    Jun 7, 2007
    Yeah, right now it's "all vulnerabilities patched on epyc" and "patches mitigating chimera on all amd platforms" (paraphrasing AMD). AMD's partners are the only ones who have the patches for now, so probably wont know about performance for a while. Being as these are mostly vulnerabilities in what is essentially a coprocessor, though, I doubt performance will be effected much (except for very specific workloads).

    Edit: if anything, chimera's patches might cause the most noticeable performance difference, but if it's as simple as turning off some features on the chip, then that may also be negligible.
     
    Last edited: May 4, 2018