New SMM Callout Privilege Escalation Vulnerability Affects AMD Platforms

erek

Opinion? Just vulnerability after vulnerability anymore

"AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020.

The targeted attack described in the research requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors. If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system.

AMD believes this only impacts certain client and embedded APU processors launched between 2016 and 2019. AMD has delivered the majority of the updated versions of AGESA to our motherboard partners and plans to deliver the remaining versions by the end of June 2020. AMD recommends following the security best practice of keeping devices up-to-date with the latest patches. End users with questions about whether their system is running on these latest versions should contact their motherboard or original equipment/system manufacturer.

We thank Danny Odler for his ongoing security research."


https://www.techpowerup.com/268680/...scalation-vulnerability-affects-amd-platforms
 
If I understand this, it is an issue with what used to be called the BIOS rather than the CPU proper. If so, somewhat ironic that the part of the system that was supposed to allow "Secure Boot" is the part with the vulnerability.

Probably not much of an issue for the average home user but could be an issue for corporate environments.
 
Yeah, if the attacker has access to update/flash the BIOS, they have control to do anything. It's like, "if you give someone full admin rights they can do malicious things"... Mark that in the no brainer category. I mean, yeah, patch it if you can as it doesn't have any performance penalty, but still... Some of these "vulnerabilities" really are only if you're handing out the keys already.
 
> Yeah, if the attacker has access to update/flash the BIOS, they have control to do anything. It's like, "if you give someone full admin rights they can do malicious things"... Mark that in the no brainer category. I mean, yeah, patch it if you can as it doesn't have any performance penalty, but still... Some of these "vulnerabilities" really are only if you're handing out the keys already.

Like most Intel vulnerabilities, it does require a series of complicated steps just to gain root access, then the exploit can be done. For home users there's 0 worries. In the past the focus was Intel, as it was the big big market leader and hackers had no reason to focus on AMD, but now AMD is getting on the radar of hackers and exploiters.
 
> Like most Intel vulnerabilities, it does require a series of complicated steps just to gain root access, then the exploit can be done. For home users there's 0 worries. In the past the focus was Intel, as it was the big big market leader and hackers had no reason to focus on AMD, but now AMD is getting on the radar of hackers and exploiters.

Your statement is incorrect sir. Many of the Intel vulns just require code execution, meaning a malicious advertisement on a webpage could run the exploit.

This AMD vuln is not that at all.
 
" potential vulnerability "
" requires privileged physical or administrative access "
big deal why?
 
> Your statement is incorrect sir. Many of the Intel vulns just require code execution, meaning a malicious advertisement on a webpage could run the exploit.
>
> This AMD vuln is not that at all.

There are a lot of vulnerabilities that simply aren't known to common people and "just require code execution". AMD is vulnerable to SplitSpectre, PortSmash, Foreshadow, Speculative Store Bypass, RAMBleed, Take A Way, TRRespass (this is a serious one and can't be patched in any vendor, even smartphones are vulnerable as that's a Rowhammer exploit that also plagued DDR3) and a large list... Again, they are not widely known because it's simply AMD, but as long as AMD keeps increasing market share they will also be a target for any kind of exploit. And again, most of these issues are no worries for home users, and most sensitive attacks always require administrative privileges or physical access for both Intel and AMD.
 
> Like most Intel vulnerabilities, it does require a series of complicated steps just to gain root access, then the exploit can be done. For home users there's 0 worries. In the past the focus was Intel, as it was the big big market leader and hackers had no reason to focus on AMD, but now AMD is getting on the radar of hackers and exploiters.

Some sure, I don't know about most. The reason you hear so much more about Intel vulnerabilities is because a lot of them can be done without root/admin access. AMD has thus far not been as susceptible, but still had to do some patching. My (un?)educated guess is they were more worried about performance than security back then. Now people are focusing on security and they are finding all the shortcuts. So far it hasn't amounted to much (no big lawsuits, etc.) so it seems from a business perspective the shortcuts were worth it.
 
> There are a lot of vulnerabilities that simply aren't known to common people and "just require code execution". AMD is vulnerable to SplitSpectre, PortSmash, Foreshadow, Speculative Store Bypass, RAMBleed, Take A Way, TRRespass (this is a serious one and can't be patched in any vendor, even smartphones are vulnerable as that's a Rowhammer exploit that also plagued DDR3) and a large list... Again, they are not widely known because it's simply AMD, but as long as AMD keeps increasing market share they will also be a target for any kind of exploit. And again, most of these issues are no worries for home users, and most sensitive attacks always require administrative privileges or physical access for both Intel and AMD.

I mean... If you consider TRRespass really bad, then I guess they are doing fine. It literally needs to use another exploit or admin rights to be used. By itself it does nothing. And it's also something the DRAM MFG has control over, not AMD. It's just a method to transfer data... in order to use it they have to gain control via another exploit first. If they are already exploited.... They could just copy the data anyways. As I mentioned above, AMD has had to patch some exploits, but not as many as Intel. A lot of the shortcuts/optimizations Intel put into their chips are the reasons for the vulnerabilities. AMD simply doesn't/didn't have as many of these implemented (whether for security concerns or they just didn't have manpower to come up with them) so tend to be less affected/susceptible.
 
> There are a lot of vulnerabilities that simply aren't known to common people and "just require code execution". AMD is vulnerable to SplitSpectre, PortSmash, Foreshadow, Speculative Store Bypass, RAMBleed, Take A Way, TRRespass (this is a serious one and can't be patched in any vendor, even smartphones are vulnerable as that's a Rowhammer exploit that also plagued DDR3) and a large list... Again, they are not widely known because it's simply AMD, but as long as AMD keeps increasing market share they will also be a target for any kind of exploit. And again, most of these issues are no worries for home users, and most sensitive attacks always require administrative privileges or physical access for both Intel and AMD.

Half of those you listed aren't even legit as they require an exploit or admin to run. Some are legit, as I mentioned above. The one you say is really bad is based on the memory MFG not AMD.
"AMD recommends contacting the DRAM or system manufacturer to determine any susceptibility to this issue." Anyways, they do have a few, but they didn't take as many shortcuts/optimizations as Intel so seem to fare better. Whether it was due to lack of resources to even come up with them, they didn't do it for security reasons, or plain dumb luck, who knows. Either way, I'm sure this won't be the last thing found from either company.


For quote above:
https://www.amd.com/en/corporate/pr...n DRAM,vendor, technology and system settings.
 
It's funny to me how when a somewhat esoteric, not that easy to exploit, not that easy for a normal user to understand, CPU based vulnerability comes to light, the reactions seem to be entirely based on who made the CPU:

Intel? God what morons, they are so bad and so insecure. They should just make a new CPU that has no problems, and they'd do that if they cared at all, which they don't. What jerks.

AMD? Guys, really this is totally not a big deal! I mean you already have to have X access and Y privileges to exploit it so who cares? Total non-issue!

It feels a bit like some... Zealotry :)

So for those wondering why this matters, or how much here's the deal: The problem with an SMM exploit is that it allows you to install malware that is totally invisible to the OS or any tools. If you want more technical details about that kind of thing and seeing it in operation you can see Chris Domas's talk about one he found on Intel CPUs back some years ago. But the issue is the invisibility. With a normal rootkit on a system, you can find it, it can't be completely invisible. It can play cat-and-mouse with your detection software, but an offline analysis will always see it. SMM is lower level than that though. It is lower level than Ring 0, the kernel mode, even lower level than the VM hypervisor. It is the lower level of system execution, invisible to everything else. So detecting and ridding yourself of such an exploit is REALLY hard.

However for all that it isn't that serious overall, because it does already require you to be able to exploit the system, and most adversaries won't bother. Most would just go for a normal hack/rootkit if they can get in, this is extra steps not needed. Particularly since such a thing gets much more platform specific, and has other limits that a generic software rootkit doesn't. So it is the kind of thing only likely to be developed and deployed by a sophisticated, well funded, highly motivated adversary which is something 99% of organizations don't face and basically 0.00% of normal users face. Thus not a big deal, the kind of thing that while you want to patch, there's no specific need to look out for or worry about, as has been the case with most CPU based vulnerabilities.
 
Sooo... would just reflashing the BIOS take care of a compromised system?
 
> Intel? God what morons, they are so bad and so insecure.
>
> It feels a bit like some... Zealotry :)

That has nothing to do with it.
Since January 2018, AMD has had around 3 CPU hardware exploits (all requiring physical and/or root access on the system), and in comparison, Intel has had over 60 CPU hardware exploits (many can be installed from a compromised website).

Also, patching said exploits on Intel CPUs from Sandy Bridge to Kaby Lake has decreased performance, depending on the workload, from 10-60% - that is a massive loss in value, almost overnight.
So, getting only 40% of the performance of a $350 Intel CPU, with no refund from Intel, is quite the shit show on their part.

Oh, and since Intel has refused to patch anything earlier than Sandy Bridge (2011), that means everything from 2010 back to 1995 are virtually dead platforms now due to the massive decrease in security for the patches that can't be applied at the OS-level.
I guarantee you, if AMD were doing this same type of garbage, we would be giving them equal hell for it, and rightfully so.

Intel stagnated the market for the entirety of the 2010s, and it has been proven that all of their performance gains up to Kaby Lake were from cutting massive corners in their CPU permissions and security, lying about it to their customers, and then only patching back so far.
Many OEMs are to blame as well, since many of them never released said patches for their motherboards - credit to Dell for actually doing this all the way back to Sandy Bridge.

Not to mention, continuously patching a zillion systems in enterprise over and over again and again as more and more hardware exploits on Intel x86-64 CPUs are discovered is quite the pain in the ass.
Yes, Intel has a lot to answer to, and I'm still amazed all of this hasn't resulted in multiple class-action lawsuits against them.

AMD was called out for not having "real cores" in their CMT architectures via class-action, yet Intel gets away with this year after year?
Might want to re-think your statements...
 
Intel has some 90% of the market, that means a lot of eyes looking for a lot of bugs. Now AMD is the shining star and making the big sales so those eyes are going to turn their attention to the Red team for a while. It’s just how it goes, I look forward to learning about what they find when they do. I can’t protect myself about something I don’t know exists.
 
> Intel has some 90% of the market, that means a lot of eyes looking for a lot of bugs. Now AMD is the shining star and making the big sales so those eyes are going to turn their attention to the Red team for a while. It’s just how it goes, I look forward to learning about what they find when they do. I can’t protect myself about something I don’t know exists.

The problem with that line of thought (and I see it a lot) is that many of the vulnerabilities, including some of the more serious ones, were conceptualized without any particular architecture or brand in mind but simply based on the way that speculative execution works. When these conceptual vulnerabilities have been tested on real systems Intel has been vulnerable much more often than AMD.
 
https://www.google.com/amp/s/www.tomshardware.com/amp/features/intel-amd-most-secure-processors

This is from 7 months ago and nothing much has changed, the proportion is still roughly 15:1 Intel exploits to AMD, also when a software mitigation is required Intel takes a bigger performance loss than AMD, add to it the difficulty in most "dangerous" AMD exploits requiring either physical access or administrative privileges to start with and then you can see how it isn't like the Stans are portraying it that the poor 800-pound gorilla is mistreated, it's treated exactly how it should be. They have absurdly more resources for R&D, they just didn't seem to consider security an actual important enough thing to invest in until called out.
 