AMD CPU Attack Vectors and Vulnerabilities

"The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly."
https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/#

Another article covering the topic. If true, this to me points to a marketing and smear campaign rather than legitimate independent security research. In any case, who paid for the research? That is not covered in their legal disclaimer or any information in the white paper.
Surely those security experts that found it work for free and only have AMD owner's best interest at heart.
It was done totally altruistically. ;);)
 
The way I see it, if you have access to a machine already, gaining elevated rights will be a small cake walk for some. Nothing I can pull off, but many others will.

Actually going through a red team inspection right now.
Trivial with Windows install media. Boot to a recovery command prompt, replace the login screen Ease of Access executable with cmd.exe, reboot. Once booted, open the command prompt, pass 'net user' to list local user accounts, pick one and reset the password. Done. Also any number of free boot disks have utilities that mount NTFS, find the user store, query it for admin-level users, and then blank the password (and optionally enable the account if disabled). Some of these methods might be hindered by full disk encryption, BitLocker, or other measures; I can't claim to have tested any mitigations for this particular attack.

Either method is something that anyone with Google and a boot disk can get done in ~10 minutes or less.
 
Probably an Intel smear campaign. I believe all these exploits need root access or physical access to hardware.
Not only that, I think Intel is losing market share. Intel doing this is a good way to neutralize AMD, or at least slow down their advance. Fear-based marketing still works. I for one won't upgrade my Intel chip until I absolutely have to, till I see a permanently redesigned chip without the flaws. That is one news item I have not read about. It takes years to do design work, so Intel, give me some good news on a permanent flaw-free new chip.
 
Trivial with Windows install media. Boot to a recovery command prompt, replace the login screen Ease of Access executable with cmd.exe, reboot. Once booted, open the command prompt, pass 'net user' to list local user accounts, pick one and reset the password. Done. Also any number of free boot disks have utilities that mount NTFS, find the user store, query it for admin-level users, and then blank the password (and optionally enable the account if disabled). Some of these methods might be hindered by full disk encryption, BitLocker, or other measures; I can't claim to have tested any mitigations for this particular attack.

Either method is something that anyone with Google and a boot disk can get done in ~10 minutes or less.

Drive encryption is recommended these days for a reason... especially on systems where anyone could get physical access. What you describe already compromises the system (unless it's employing application control/whitelisting technology) and wouldn't require any further exploit. It would also work with any Intel system.
 
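The two posts above describe an offline swap of the login-screen Ease of Access binary for cmd.exe and name drive encryption as the thing that hinders it. As an added defender-side check (my script, not code from any poster in this thread), the following PowerShell verifies both points on a Windows host. It assumes it is run as Administrator on Windows 10/11 with the BitLocker module present; the list of accessibility binaries is my assumption, since the thread names none specifically.

```powershell
# Added example, not from the thread. Assumes: Administrator shell, Windows 10/11,
# BitLocker PowerShell module available. Binary list below is an assumption.
$system32 = Join-Path $env:SystemRoot 'System32'
$accessibilityBinaries = 'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe', 'magnify.exe'

# A swapped-in cmd.exe is still validly Microsoft-signed, so a signature check alone
# proves nothing. Compare each file's hash to cmd.exe and check the version resource's
# OriginalFilename, which should match the file name the binary is stored under.
$cmdHash = (Get-FileHash -Algorithm SHA256 (Join-Path $system32 'cmd.exe')).Hash

$findings = foreach ($name in $accessibilityBinaries) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { continue }
    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    $sig  = Get-AuthenticodeSignature $path
    $base = $name -replace '\.exe$', ''
    [pscustomobject]@{
        File             = $name
        SameHashAsCmd    = ($hash -eq $cmdHash)
        OriginalFilename = $orig
        NameMismatch     = [bool]($orig -and ($orig -notlike "$base*"))   # -like is case-insensitive
        Signature        = $sig.Status
    }
}
$findings | Format-Table -AutoSize

# Offline tampering from boot media is only hindered when the OS volume is actually
# encrypted and protection is on; report that state rather than assuming it.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
'{0}: VolumeStatus={1} ProtectionStatus={2} EncryptionPercentage={3}' -f `
    $os.MountPoint, $os.VolumeStatus, $os.ProtectionStatus, $os.EncryptionPercentage

$suspicious = $findings | Where-Object { $_.SameHashAsCmd -or $_.NameMismatch }
if ($suspicious) {
    Write-Warning ('Accessibility binary does not look like itself: ' + ($suspicious.File -join ', '))
}
```

A ProtectionStatus of Off with a FullyEncrypted volume means the key is exposed (suspended protection), so both fields matter, not just the encryption percentage.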
OK, just for the sake of argument, let's say that everything they claim is true. It could still be a smear campaign. Just highly exaggerate the claims and word them to make things look as grim as possible. Then release the "report" with little or no warning to the victim, and use a website that can't be traced back to the original authors. And the icing on the cake is to create a new company in another country to be the front for the effort. Using these techniques I could smear Mother Teresa. When people use highly unethical methods, you must question their "facts". When you look at their claims, you find that they all require a highly compromised system (administrator privileges, reflashing the BIOS with a "custom" version, using a modified and signed device driver) to use any of the exploits identified. Once a system is that compromised, you are screwed anyway, regardless of the underlying hardware.

Well, what I said had a context attached to the meaning of "smear campaign". I suppose I should have included what my understanding of the term is.

Smear Campaign: A plan to discredit a public entity by making false or dubious accusations.

I would call "exaggerations" dubious.

As far as letting a company know about things which may be wrong with its product or service: ever written a review of a product or service? I have. I just wrote a bad review for a product I got at Amazon which was poorly designed and misrepresented in its images. I did not bother contacting the manufacturer first before I detailed all that was wrong in the Amazon review section.

Early notification of something wrong can be considered good business practice, but it is not required. It does not impact the information being released, if the information is accurate.

Now I am not supporting any of the information released. It seems to me to be written with a broad brush and I am not going to be surprised if it is shredded for accuracy alone.

It does not change how I feel. If it is factual, then I am hard pressed to call it a "smear campaign" in the context of my understanding of the term.
 
Think you mean local attacks. Which is exactly what Meltdown is also.

This is false; Meltdown is demonstrated remotely in JavaScript.
Spectre too. Spectre was never demonstrated to work on AMD chips, but in theory it should be able to work.
In theory white holes (the opposite of black holes) do exist, but we don't see something bright pushing out material at amazing rates; still, they might exist.

But Spectre and Meltdown do not require a local attack vector.
 
First "reasearch scientist" in the video seriously needs to use Visine after hitting the bong.

Can't help but laugh that they say they are "deeply concerned" yet spend more time setting up actors, lighting, sound crew and video design than they give AMD in time to respond (24 hours).
Looks like an Onion article.

Extremely sceptical.
 
Trivial with Windows install media. Boot to a recovery command prompt, replace the login screen Ease of Access executable with cmd.exe, reboot. Once booted, open the command prompt, pass 'net user' to list local user accounts, pick one and reset the password. Done. Also any number of free boot disks have utilities that mount NTFS, find the user store, query it for admin-level users, and then blank the password (and optionally enable the account if disabled). Some of these methods might be hindered by full disk encryption, BitLocker, or other measures; I can't claim to have tested any mitigations for this particular attack.

Either method is something that anyone with Google and a boot disk can get done in ~10 minutes or less.

I'm thinking more from AD domain, not so much just getting local admin rights on a machine. An MS Dart disc can get me local admin access, so long as I have physical access.


This is false; Meltdown is demonstrated remotely in JavaScript.
Spectre too. Spectre was never demonstrated to work on AMD chips, but in theory it should be able to work.
In theory white holes (the opposite of black holes) do exist, but we don't see something bright pushing out material at amazing rates; still, they might exist.

But Spectre and Meltdown do not require a local attack vector.

Meltdown is demonstrated remotely in JavaScript using a local attack. As in, someone locally, on the machine, executes it. That's what local attack means. It's not some hacker on the net using the Meltdown vulnerability to gain access to the box.
 
This is false; Meltdown is demonstrated remotely in JavaScript.
Spectre too. Spectre was never demonstrated to work on AMD chips, but in theory it should be able to work.
In theory white holes (the opposite of black holes) do exist, but we don't see something bright pushing out material at amazing rates; still, they might exist.

But Spectre and Meltdown do not require a local attack vector.
Local execution.

_________________________________________________________________________________

As far as this whitepaper, it looks like total trash. Every exploit listed requires at least one of the following:
1. Physical Access
2. A modified BIOS with injected malware to be flashed
3. Administrator-level user access

MasterKey
If someone has physical access, what is the point of flashing a modified BIOS, unless said person does not have valid administrator credentials? The likelihood of this happening on your home PC is zero, unless someone broke into your house just to flash your BIOS.

Even in a workplace or datacenter, a malicious employee would have to shut down a workstation to perform these actions and 99.99% of the time, BIOSes are protected from flashing or modification with an admin password. That password can be reset easily in most OEM machines, but still requires a machine to be physically opened. How likely is that scenario, when a malicious employee 99.99% of the time could just install malware from a user account on a running machine? Yeah, the employee taking his whole workstation to the restroom or janitor's closet for an hour seems a little suspicious! <--- Very ironic, seems like a huge security flaw to let your users use their computers!

RyzenFall
Requires elevated administrator credentials. At this point, why are you wasting your time trying to exploit security flaws? Copy the whole disk or whatever you want, you're an administrator!

Fallout
Requires elevated administrator credentials. At this point, why are you wasting your time trying to exploit security flaws? Copy the whole disk or whatever you want, you're an administrator!

Chimera
Requires elevated administrator credentials. At this point, why are you wasting your time trying to exploit security flaws? Copy the whole disk or whatever you want, you're an administrator!



This is some of the biggest BS I've ever seen. If you're worried about the memory access capabilities of these "vulnerabilities" across VMs, you shouldn't have been so f'ing stupid to let the attacker get that far.
 
Lmao, apparently their videos are all green screened from readily available stocks as shown on reddit.

 
No one with 3 bits of knowledge reads PC World. I wonder if these clowns were serious. If they are, then they need to stop smoking whatever it is they are on... lol
 
The chaotic nature of today's disclosure has led to many questions about the source and motivations of the firms behind this research. Astute social-media users have noted that Viceroy Research, a financial-analysis group that reportedly engages in short selling of various companies' securities, appears to have coordinated the release of a report provocatively titled "The Obituary" alongside the CTS Labs whitepaper. Viceroy posits that AMD will have no choice but to file for Chapter 11 bankruptcy as a result of the news and that its stock is ultimately worthless, claims that seem vastly out of proportion with the magnitude of the purported vulnerabilities that CTS Labs has discovered.

It's getting real in here... from TR.

https://techreport.com/news/33368/s...of-ryzen-epyc-and-amd-chipset-vulnerabilities
 
Local access required to run the code.

So is your wife really "cheating" on you, if you paid someone to screw her and drugged your wife?

Yeah that's a real "exploit" alright.

Thanks Intel(cucks). I am DEFINITELY buying AMD this time around.
 
I'm thinking more from AD domain, not so much just getting local admin rights on a machine. An MS Dart disc can get me local admin access, so long as I have physical access.




Meltdown is demonstrated remotely in JavaScript using a local attack. As in, someone locally, on the machine, executes it. That's what local attack means. It's not some hacker on the net using the Meltdown vulnerability to gain access to the box.

Anything executing is local if you want to put it like that.
If you have an SQL injection it executes locally, so it's a local exploit as well.
JavaScript can be called in numerous ways, on an Amazon shared VM server to gain access to other machines and get outside the sandbox; none of these issues can.
 
Intel, most immoral company + Israel, most immoral country = a match made in heaven.
The research lab is probably so young and so small that it wouldn't be worth suing for defamation.
AMD can't do anything but watch Intel hiring thugs to slander them.
 
All AMD has to do is claim registered trademark of their brand and contact GoDaddy to take down the domain, as using a registered company name in ANYTHING without permission is a big no-no.

This will take AMD lawyers 10min and 2 phone calls to accomplish.
 
Wired has a good article on this; overblown, to say the least.

"four attacks require administrative privileges means that to execute them, a hacker would already need extraordinary access to a device—and could presumably already create all kind of havoc even without Ryzenfall, Masterkey, Fallout, or Chimera."

https://www.wired.com/story/amd-backdoor-cts-labs-backlash/


I wonder if WIRED knew that CTS Labs paid Guido of Trail of Bits...?

While CTS hasn't publicly released any of the details of how its attacks work, it did share them privately with New York-based security firm Trail of Bits, which essentially confirmed the central findings. "Regardless of hype, they found vulnerabilities that work as described," says Dan Guido, Trail of Bits' founder. "If you’ve already taken over a computer to a certain extent, they'll allow you to expand that access, or to hide in parts of the processors where you didn’t think malware could be."

 
I am positive the release of these exploits was done by a person who wears a pair of Beats by Dre.
 
Apparently CTS is paying for news?


https://motherboard.vice.com/en_us/...ssor-ryzen-epyc-vulnerabilities-and-backdoors

tldr: The bugs are real (at least according to the 3rd party CTS paid for confirmation), but the way everything was presented and done is sketchy as hell, to say the least (24 hr disclosure, the report from a stock company saying AMD is worth nothing, and a website describing the bugs in an outrageous manner). I'm calling it an overhyped problem, probably designed to make AMD look bad or do some other shady stock market stuff.
 
https://motherboard.vice.com/en_us/...ssor-ryzen-epyc-vulnerabilities-and-backdoors

tldr: The bugs are real (at least according to the 3rd party CTS paid for confirmation), but the way everything was presented and done is sketchy as hell, to say the least (24 hr disclosure, the report from a stock company saying AMD is worth nothing, and a website describing the bugs in an outrageous manner). I'm calling it an overhyped problem, probably designed to make AMD look bad or do some other shady stock market stuff.

Your link is basically a paid advert, i.e. the guy that got paid wrote that.
 