AMD CPU Attack Vectors and Vulnerabilities

griff30

Supreme [H]ardness
Joined
Jul 15, 2000
Messages
6,675
"The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly."
https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/#

Another article covering the topic. If true, this to me points to a marketing and smear campaign rather than legitimate independent security research. In any case, who paid for the research? That is not covered in their legal disclaimer or in any information in the white paper.
Surely those security experts that found it work for free and only have AMD owner's best interest at heart.
It was done totally altruistically. ;);)
 

LodeRunner

Weaksauce
Joined
Sep 8, 2006
Messages
121
The way I see it, if you have access to a machine already, gaining elevated rights will be a small cakewalk for some. Nothing I can pull off, but many others will.

Actually going through a red team inspection right now.
Trivial with Windows install media. Boot to a recovery command prompt, replace the login screen Ease of Access executable with cmd.exe, reboot. Once booted, open the command prompt, pass 'net user' to list local user accounts, pick one and reset the password. Done. Also, any number of free boot disks have utilities that mount NTFS, find the user store, query it for admin-level users, and then blank the password (and optionally enable the account if disabled). Some of these methods might be hindered by full disk encryption, BitLocker, or other measures; I can't claim to have tested any mitigations for this particular attack.

Either method is something that anyone with Google and a boot disk can get done in ~10 minutes or less.
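A defender-side check for the technique described in the post above, added here as an example and not code from the thread or from any of the posters. It inspects the login-screen accessibility binaries in System32 for the two common signs of tampering (the file is no longer a validly signed Microsoft binary, or it is byte-for-byte a copy of cmd.exe), looks for the registry variant of the same redirection (an Image File Execution Options "Debugger" value), and reports whether the system drive is BitLocker-protected, which is the mitigation the post mentions but has not tested. The list of binaries to cover and the decision to flag any non-Valid signature are my assumptions; the paths, cmdlets and registry key are standard Windows.

```powershell
# Added example (not from the thread): detect swapped login-screen accessibility
# binaries and the IFEO "Debugger" variant of the same trick. Run as administrator.

# Assumption: this is the set of accessibility helpers reachable from the logon screen.
$accessibilityBinaries = @('utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe')
$system32 = Join-Path $env:SystemRoot 'System32'

# A swapped binary is usually a straight copy of cmd.exe, so compare hashes against it.
$cmdHash = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $system32 'cmd.exe')).Hash

$findings = foreach ($name in $accessibilityBinaries) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -Path $path)) { continue }

    $sig     = Get-AuthenticodeSignature -FilePath $path
    $hash    = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    $version = (Get-Item -Path $path).VersionInfo

    # IFEO redirection: if a Debugger value exists for the binary, the listed program
    # is launched in its place, which achieves the swap without touching the file.
    $ifeoKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$name"
    $debugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger

    [pscustomobject]@{
        Binary       = $name
        SignatureOK  = ($sig.Status -eq 'Valid')
        Signer       = $sig.SignerCertificate.Subject
        IsCmdCopy    = ($hash -eq $cmdHash)
        OriginalName = $version.OriginalFilename   # cmd.exe reports "Cmd.Exe" here
        IfeoDebugger = $debugger
    }
}

$findings | Format-Table -AutoSize

$suspicious = $findings | Where-Object { -not $_.SignatureOK -or $_.IsCmdCopy -or $_.IfeoDebugger }
if ($suspicious) {
    Write-Warning 'Possible accessibility-binary tampering detected:'
    $suspicious | Format-Table -AutoSize
}

# Offline swaps from boot media need a readable system volume; report BitLocker state.
try {
    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    "BitLocker on {0}: {1} ({2})" -f $env:SystemDrive, $bde.ProtectionStatus, $bde.VolumeStatus
} catch {
    Write-Warning 'BitLocker module not available or access denied; cannot report encryption state.'
}
```

Two caveats when reading the output. On older Windows builds Get-AuthenticodeSignature does not recognise catalog-signed OS binaries and reports them as NotSigned; there, compare the hashes against a known-good copy of each file instead of trusting the signature column. And a BitLocker ProtectionStatus of On is the relevant mitigation for the boot-media approach in the post: the offline volume cannot be mounted from install media without the recovery key, so the file swap cannot be made in the first place. Nothing here stops the same swap performed by an already-elevated user on the running system, which is a separate problem.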
 

Uncle

2[H]4U
Joined
Jun 7, 2004
Messages
2,194
Probably an Intel smear campaign. I believe all these exploits need root access or physical access to hardware.
Not only that, I think Intel is losing market share. Intel doing this is a good way to neutralize AMD, or at least slow down their advance. Fear-based marketing still works. I for one won't upgrade my Intel chip until I absolutely have to, 'til I see a permanently redesigned chip without the flaws. That is one news item I have not read about. It takes years to do design work, so Intel, give me some good news on a permanent flaw-free new chip.
 

ecmaster76

[H]ard|Gawd
Joined
Feb 6, 2007
Messages
1,150
Trivial with Windows install media. Boot to a recovery command prompt, replace the login screen Ease of Access executable with cmd.exe, reboot. Once booted, open the command prompt, pass 'net user' to list local user accounts, pick one and reset the password. Done. Also, any number of free boot disks have utilities that mount NTFS, find the user store, query it for admin-level users, and then blank the password (and optionally enable the account if disabled). Some of these methods might be hindered by full disk encryption, BitLocker, or other measures; I can't claim to have tested any mitigations for this particular attack.

Either method is something that anyone with Google and a boot disk can get done in ~10 minutes or less.

Drive encryption is recommended these days for a reason... especially on systems where anyone could get physical access. What you describe already compromises the system (unless it's employing application control/whitelisting technology) and wouldn't require any further exploit. It would also work with any Intel system.
 

BSmith

[H]ard|Gawd
Joined
Nov 9, 2017
Messages
1,323
OK, just for the sake of argument, let's say that everything they claim is true. It could still be a smear campaign. Just highly exaggerate the claims and word them to make things look as grim as possible. Then release the "report" with little or no warning to the victim, and use a website that can't be traced back to the original authors. And the icing on the cake is to create a new company in another country to be the front for the effort. Using these techniques I could smear Mother Teresa. When people use highly unethical methods, you must question their "facts". When you look at their claims, you find that they all require a highly compromised system (administrator privileges, reflashing the BIOS with a "custom" version, using a modified and signed device driver) to use any of the exploits identified. Once a system is that compromised, you are screwed anyway, regardless of the underlying hardware.

Well, what I said had a context attached to the meaning of "smear campaign". I suppose I should have included what my understanding of the term is.

Smear Campaign: A plan to discredit a public entity by making false or dubious accusations.

I would call "exaggerations" dubious.

As far as letting a company know about things which may be wrong with its product or service: ever written a review of a product or service? I have. I just wrote a bad review for a product I got at Amazon which was poorly designed and misrepresented in its images. I did not bother contacting the manufacturer first before I detailed all that was wrong in the Amazon review section.

Early notification of something wrong can be considered good business practice, but it is not required. It does not impact the information being released, if the information is accurate.

Now I am not supporting any of the information released. It seems to me to be written with a broad brush and I am not going to be surprised if it is shredded for accuracy alone.

It does not change how I feel. If it is factual, then I am hard pressed to call it a "smear campaign" in the context of my understanding of the term.
 

ole-m

Limp Gawd
Joined
Oct 5, 2015
Messages
452
Think you mean local attacks. Which is exactly what Meltdown is also.

This is false, Meltdown is demonstrated remotely in JavaScript.
Spectre too. Spectre was never demonstrated to work on AMD chips, but in theory it should be able to work.
In theory white holes (the opposite of black holes) do exist, but we don't see something bright pushing out material at amazing rates, though they might exist.

But Spectre and Meltdown do not require a local attack vector.
 

griff30

Supreme [H]ardness
Joined
Jul 15, 2000
Messages
6,675
First "research scientist" in the video seriously needs to use Visine after hitting the bong.

Can't help but laugh that they say they are "deeply concerned" yet spend more time setting up actors, lighting, sound crew and video design than they give AMD in time to respond (24 hours).
Looks like an Onion article.

Extremely sceptical.
 

krotch

Supreme [H]ardness
Joined
Aug 12, 2004
Messages
4,509
Trivial with Windows install media. Boot to a recovery command prompt, replace the login screen Ease of Access executable with cmd.exe, reboot. Once booted, open the command prompt, pass 'net user' to list local user accounts, pick one and reset the password. Done. Also, any number of free boot disks have utilities that mount NTFS, find the user store, query it for admin-level users, and then blank the password (and optionally enable the account if disabled). Some of these methods might be hindered by full disk encryption, BitLocker, or other measures; I can't claim to have tested any mitigations for this particular attack.

Either method is something that anyone with Google and a boot disk can get done in ~10 minutes or less.

I'm thinking more from the AD domain side, not so much just getting local admin rights on a machine. An MS DaRT disc can get me local admin access, so long as I have physical access.


This is false, Meltdown is demonstrated remotely in JavaScript.
Spectre too. Spectre was never demonstrated to work on AMD chips, but in theory it should be able to work.
In theory white holes (the opposite of black holes) do exist, but we don't see something bright pushing out material at amazing rates, though they might exist.

But Spectre and Meltdown do not require a local attack vector.

Meltdown is demonstrated remotely in JavaScript using a local attack. As in, someone locally, on the machine, executes it. That's what local attack means. It's not some hacker on the net using the Meltdown vulnerability to gain access to the box.
 

BeepBeep2

n00b
Joined
Dec 19, 2016
Messages
9
This is false, Meltdown is demonstrated remotely in JavaScript.
Spectre too. Spectre was never demonstrated to work on AMD chips, but in theory it should be able to work.
In theory white holes (the opposite of black holes) do exist, but we don't see something bright pushing out material at amazing rates, though they might exist.

But Spectre and Meltdown do not require a local attack vector.
Local execution.

_________________________________________________________________________________

As far as this whitepaper, it looks like total trash. Every exploit listed requires at least one of the following:
1. Physical Access
2. A modified BIOS with injected malware to be flashed
3. Administrator-level user access

MasterKey
If someone has physical access, what is the point of flashing a modified BIOS, unless said person does not have valid administrator credentials? The likelihood of this happening on your home PC is zero, unless someone broke into your house just to flash your BIOS.

Even in a workplace or datacenter, a malicious employee would have to shut down a workstation to perform these actions and 99.99% of the time, BIOSes are protected from flashing or modification with an admin password. That password can be reset easily in most OEM machines, but still requires a machine to be physically opened. How likely is that scenario, when a malicious employee 99.99% of the time could just install malware from a user account on a running machine? Yeah, the employee taking his whole workstation to the restroom or janitor's closet for an hour seems a little suspicious! <--- Very ironic, seems like a huge security flaw to let your users use their computers!

RyzenFall
Requires elevated administrator credentials. At this point, why are you wasting your time trying to exploit security flaws? Copy the whole disk or whatever you want, you're an administrator!

Fallout
Requires elevated administrator credentials. At this point, why are you wasting your time trying to exploit security flaws? Copy the whole disk or whatever you want, you're an administrator!

Chimera
Requires elevated administrator credentials. At this point, why are you wasting your time trying to exploit security flaws? Copy the whole disk or whatever you want, you're an administrator!



This is some of the biggest BS I've ever seen. If you're worried about the memory access capabilities of these "vulnerabilities" across VMs, you shouldn't have been so f'ing stupid to let the attacker get that far.
 

thesmokingman

Supreme [H]ardness
Joined
Nov 22, 2008
Messages
6,617
Lmao, apparently their videos are all green-screened from readily available stock footage, as shown on Reddit.
 

Imhotep

Gawd
Joined
Feb 12, 2014
Messages
816
No one with 3 bits of knowledge reads PC World. I wonder if these clowns were serious. If they are, then they need to stop smoking whatever it is they are on...lol
 

thesmokingman

Supreme [H]ardness
Joined
Nov 22, 2008
Messages
6,617
The chaotic nature of today's disclosure has led to many questions about the source and motivations of the firms behind this research. Astute social-media users have noted that Viceroy Research, a financial-analysis group that reportedly engages in short selling of various companies' securities, appears to have coordinated the release of a report provocatively titled "The Obituary" alongside the CTS Labs whitepaper. Viceroy posits that AMD will have no choice but to file for Chapter 11 bankruptcy as a result of the news and that its stock is ultimately worthless, claims that seem vastly out of proportion with the magnitude of the purported vulnerabilities that CTS Labs has discovered.

It's getting real in here... from TR.

https://techreport.com/news/33368/s...of-ryzen-epyc-and-amd-chipset-vulnerabilities
 

griff30

Supreme [H]ardness
Joined
Jul 15, 2000
Messages
6,675
Local access required to run the code.

So is your wife really "cheating" on you, if you paid someone to screw her and drugged your wife?

Yeah that's a real "exploit" alright.

Thanks Intel(cucks). I am DEFINITELY buying AMD this time around.
 

ole-m

Limp Gawd
Joined
Oct 5, 2015
Messages
452
I'm thinking more from the AD domain side, not so much just getting local admin rights on a machine. An MS DaRT disc can get me local admin access, so long as I have physical access.




Meltdown is demonstrated remotely in JavaScript using a local attack. As in, someone locally, on the machine, executes it. That's what local attack means. It's not some hacker on the net using the Meltdown vulnerability to gain access to the box.

Anything executing is local if you wanna put it like that.
If you have an SQL injection it executes locally, so it's a local exploit as well.
JavaScript can be called in numerous ways, on an Amazon shared VM server, to gain access to other machines and get outside the sandbox; none of these issues can
 

alamox

Gawd
Joined
Jun 6, 2014
Messages
596
Intel, most immoral company + Israel, most immoral country = a match made in heaven.
The research lab is probably so young and so small that it wouldn't be worth suing for defamation.
AMD can't do anything but watch Intel hiring thugs to slander them.
 

Bigdady92

Supreme [H]ardness
Joined
Jun 20, 2001
Messages
5,767
All AMD has to do is claim registered trademark of their brand and contact GoDaddy to take down the domain, as using a registered company name in ANYTHING without permission is a big no-no.

This will take AMD lawyers 10min and 2 phone calls to accomplish.
 

thesmokingman

Supreme [H]ardness
Joined
Nov 22, 2008
Messages
6,617
Wired has a good article on this. Overblown, to say the least.

"four attacks require administrative privileges means that to execute them, a hacker would already need extraordinary access to a device—and could presumably already create all kind of havoc even without Ryzenfall, Masterkey, Fallout, or Chimera."

https://www.wired.com/story/amd-backdoor-cts-labs-backlash/


I wonder if WIRED knew that CTS Labs paid Guido of Trail of Bits...?

While CTS hasn't publicly released any of the details of how its attacks work, it did share them privately with New York-based security firm Trail of Bits, which essentially confirmed the central findings. "Regardless of hype, they found vulnerabilities that work as described," says Dan Guido, Trail of Bits' founder. "If you’ve already taken over a computer to a certain extent, they'll allow you to expand that access, or to hide in parts of the processors where you didn’t think malware could be."

 
Deleted member 133315

Guest
I am positive the release of these exploits was done by a person who wears a pair of Beats by Dre.
 

SighTurtle

[H]ard|Gawd
Joined
Jul 29, 2016
Messages
1,410
Apparently CTS is paying for news?


https://motherboard.vice.com/en_us/...ssor-ryzen-epyc-vulnerabilities-and-backdoors

tldr: The bugs are real (at least according to the 3rd party CTS paid for confirmation), but the way everything was presented and done is sketchy as hell, to say the least (24 hr disclosure, the report from a stock company saying AMD is worth nothing, and a website describing the bugs in an outrageous manner). I'm calling it an overhyped problem, probably designed to make AMD look bad or do some other shady stock market stuff.
 

thesmokingman

Supreme [H]ardness
Joined
Nov 22, 2008
Messages
6,617
https://motherboard.vice.com/en_us/...ssor-ryzen-epyc-vulnerabilities-and-backdoors

tldr: The bugs are real (at least according to the 3rd party CTS paid for confirmation), but the way everything was presented and done is sketchy as hell, to say the least (24 hr disclosure, the report from a stock company saying AMD is worth nothing, and a website describing the bugs in an outrageous manner). I'm calling it an overhyped problem, probably designed to make AMD look bad or do some other shady stock market stuff.

Your link is basically a paid advert, i.e. the guy that got paid wrote that.
 