
Numerous vulnerabilities in AMD processors

A company called CTS has disclosed a long series of vulnerabilities in AMD processors. "The chipset is a central component on Ryzen and Ryzen Pro workstations: it links the processor with hardware devices such as WiFi and network cards, making it an ideal target for malicious actors. The Ryzen chipset is currently being shipped with exploitable backdoors that could let attackers inject malicious code into the chip, providing them with a safe haven to operate from." See the associated white paper [PDF] for more details.

Update: there are a lot of questions circulating about the actual severity of these vulnerabilities and the motivations of the people reporting them. It may not be time to panic quite yet.



Numerous vulnerabilities in AMD processors

Posted Mar 13, 2018 18:42 UTC (Tue) by CodeAsm (guest, #101413) [Link] (4 responses)

My Twitter feed and /g/ (srry ppl) are claiming that they (CTS Labs) are trying to get people to sell AMD stock. Jake Williams on Twitter: "Are you kidding me? Okay, this is the overhype statement of the year. @viceroyresearch is making statements that are completely over the top."

And Arrigo Triulzi @cynicalsecurity posted a nice list of what's potentially wrong with their paper here: https://twitter.com/cynicalsecurity/status/97359569790270...

1) MASTERKEY: if you allow unauthorised BIOS updates you are screwed. Threat level: No shit, Sherlock!
2) RYZENFALL: again, loading unauthorised code on the Secure Processor as admin. Threat level: No shit, Sherlock!

So I wonder, how far do we need to spread these before AMD can respond? Within 24 hours? I hope ... I'm right, and not wrong. For AMD users and AMD.

Numerous vulnerabilities in AMD processors

Posted Mar 13, 2018 19:06 UTC (Tue) by CodeAsm (guest, #101413) [Link]

http://ir.amd.com/news-releases/news-release-details/view...
Looks like they had no idea? Of course they will investigate it, but ... no warning before releasing? A very slick website, interviews and animations and AMD had no idea? WE had no idea?

Numerous vulnerabilities in AMD processors

Posted Mar 13, 2018 20:47 UTC (Tue) by Sesse (subscriber, #53779) [Link]

Loading unauthorized code on the SP as admin is actually a big deal. It means you can defeat things like Secure Boot, and by extension, BitLocker.

Numerous vulnerabilities in AMD processors

Posted Mar 14, 2018 4:54 UTC (Wed) by luto (subscriber, #39314) [Link]

> 1) MASTERKEY: if you allow unauthorised BIOS updates you are screwed.

Depending on whether whatever AMD's equivalent of Boot Guard is enabled, write access to the BIOS chip shouldn't be exploitable for anything other than a secure boot bypass and control over CPL0 and up. MASTERKEY (if the vulnerability is for real) gives SMM privilege. The degree to which this is a problem is admittedly rather dubious.

> 2) RYZENFALL: again, loading unauthorised code on the Secure Processor as admin. Threat level: No shit, Sherlock!

I disagree. The whole point of the PSP is that it should *not* be tamperable with as admin. This allows whatever TPM-like features it emulates to be compromised, SEV to be compromised, etc. OTOH, SEV is thoroughly insecure by design anyway, at least in current revisions.

I personally have no idea why MS and other users consider an emulated TPM to be a TPM at all for purposes of MS/Windows logo requirements, etc.

Numerous vulnerabilities in AMD processors

Posted Mar 15, 2018 0:25 UTC (Thu) by flussence (guest, #85566) [Link]

This smear attack is already backfiring spectacularly. The news that someone's defeated the PSP only makes me *more* interested in buying a Ryzen now.

Previously, and paradoxically, you had to buy an *Intel* if you wanted an x86 that's so pitifully insecure that there were trivial automated white-hat tools to remove its known backdoors (me-cleaner etc.). The AMD PSP was considered airtight enough to be an actual threat to security (no user serviceable parts, but still IoT-on-a-chip garbage) but now the cat's been let out of the bag, there'll likely be enough eyeballs on the hardware to fix the problem.

Numerous vulnerabilities in AMD processors

Posted Mar 13, 2018 18:59 UTC (Tue) by eSyr (guest, #112051) [Link]

AnandTech has provided some overview of the situation: https://www.anandtech.com/show/12525/security-researchers...

Numerous vulnerabilities in AMD processors

Posted Mar 13, 2018 23:57 UTC (Tue) by rahvin (guest, #16953) [Link] (8 responses)

The scary stuff to me is that Intel has development facilities in Israel where this originated. The company in question has zero contact information and came into being 6 months ago (it looks like a shell company), the vulnerability domain was purchased just a few days ago. And above all they gave AMD 24 hours notice.

This looks like an Intel hit job to me. Maybe I'm paranoid but the people behind this should step into the light and prove they aren't affiliated with Intel and that this research wasn't paid for by Intel.

Numerous vulnerabilities in AMD processors

Posted Mar 14, 2018 0:42 UTC (Wed) by nix (subscriber, #2304) [Link] (2 responses)

There are a *lot* of tech companies in Israel. You might as well worry that some security companies are on the US west coast so therefore anything coming from them *obviously* must be a hit job from (insert name of random big tech company here).

Numerous vulnerabilities in AMD processors

Posted Mar 16, 2018 0:32 UTC (Fri) by rahvin (guest, #16953) [Link] (1 responses)

Focusing on the statement about Israel is foolish. I brought it up because, unlike tech in general, Intel only has a handful of offices engaged in x86 processor design, and outside their main office Israel houses the second largest site for this design. But it's not this factor alone.

The company is 6 months old; according to the information out there they provide vulnerability testing for "clients". They claimed AMD can't fix these vulnerabilities. And there are a dozen other things about this that are just plain suspicious, not to mention how underwhelming the "vulnerabilities" are. They didn't disclose the vulnerabilities to AMD, but they sent full code and details to Microsoft, HP, DELL and other OEMs. (AMD that I'm aware of still doesn't have the full details). Take a look at the "vulnerability" website amdflaws.com and tell me that doesn't look like someone spent a week and a bunch of money developing that site and overplaying how bad the vulnerabilities are. And the kicker is CTS paid an outside company $26,000 to validate their findings. How on earth can a company founded 6 months ago with 6 employees afford something like that without a client covering an expense like that?

Anandtech did an interview with CTS (the company behind the release):
https://www.anandtech.com/show/12536/our-interesting-call...

Tech Crunch lays out some of the things that are very suspicious about this:
https://techcrunch.com/2018/03/13/security-researchers-fi...

This screams paid hit job to me, and given Intel has done stuff like this in the past and AMD appears to be doing quite well with both Ryzen and Epyc sales and market uptakes. Given what Meltdown did to the PC marketplace it wouldn't surprise me in the least if Intel hired some people and set up a shell company to do a hit piece on this. This doesn't even cover the huge purchase of put options that occurred a few days before and the stock advisor in Germany that declared AMD was going bankrupt.

Numerous vulnerabilities in AMD processors

Posted Mar 16, 2018 5:42 UTC (Fri) by marcH (subscriber, #57642) [Link]

Hey, considering the state of quality and security in the industry, whatever has the tiniest chance of finally scaring a bit clueless (program) managers telling you to "pull in the schedule" and to "ship it" is a Good Thing. I hope consumers will trust computers less and less which should create a gap to fill with decent engineering at last.

The stock market doesn't need that story to be a joke in the first place, this would be at worst a drop in the ocean.

Nice to see some people still have ideals about big business though :-)

Numerous vulnerabilities in AMD processors

Posted Mar 14, 2018 1:30 UTC (Wed) by atai (subscriber, #10977) [Link]

Israel must have been a small place no one heard of before...

Numerous vulnerabilities in AMD processors

Posted Mar 14, 2018 13:41 UTC (Wed) by mgk (guest, #74833) [Link] (3 responses)

AMD really isn't much of a competitor for Intel, anymore. An acquisition target, maybe. And, ditto previous comments that a LOT of tech is in Israel. A lot of Intelligence Tech too.

Numerous vulnerabilities in AMD processors

Posted Mar 14, 2018 19:31 UTC (Wed) by xtifr (guest, #143) [Link] (1 responses)

Intel is unlikely to acquire AMD for the same reason Microsoft never really tried to acquire Apple--the existence of a plausible (but only moderately effective) competitor helps divert anti-trust claims. AMD isn't a threat, but can be painted as one for PR purposes.

At the same time, the recent revelation of a severe Intel-only vulnerability (Meltdown) may have started to drive a few more sales towards AMD. It's not *completely* implausible to suggest that Intel may be trying to herd people back by trying to highlight (and possibly exaggerate) some AMD-specific problems in turn.

I'm not much of one for conspiracy theories in general, but there's enough oddness around the way this is being handled to raise questions.

Numerous vulnerabilities in AMD processors

Posted Mar 18, 2018 16:42 UTC (Sun) by marcH (subscriber, #57642) [Link]

> It's not *completely* implausible to suggest that Intel may be trying to herd people back by trying to highlight (and possibly exaggerate) some AMD-specific problems in turn.

While this type of "competitive marketing analysis" has existed since forever for performance and others, it didn't seem to happen for security until recently. One can imagine many possible explanations but for sure users and consumers didn't benefit from that lack of competition.

Short of liability, "name and shame" is the only way that stands some chance to make some difference. Yes there will be more "fake news" now but I still prefer that to no security news at all. For the moment I trust the tech press more than the mainstream one.

Numerous vulnerabilities in AMD processors

Posted Mar 18, 2018 16:27 UTC (Sun) by marcH (subscriber, #57642) [Link]

> A lot of Intelligence Tech too.

What a surprise for a country in that type of situation (not).

Numerous vulnerabilities in AMD processors

Posted Mar 14, 2018 7:41 UTC (Wed) by garloff (subscriber, #319) [Link] (4 responses)

I'm not convinced that the whitepaper does describe anything new, nor does it contain anywhere near enough details to show how a security boundary that should be protected can be crossed.
Reading the "whitepaper", whenever I thought that the interesting section should come now, explaining how a security boundary can be overcome, the paper jumped to conclusions how this would endanger windoze...

Can I trust a computer after I flash untrusted BIOS? Hell, no. But I never expected that either...

I disregard this along with the "research" company behind it.

Numerous vulnerabilities in AMD processors

Posted Mar 14, 2018 10:12 UTC (Wed) by ballombe (subscriber, #9523) [Link] (3 responses)

> Can I trust a computer after I flash untrusted BIOS? Hell, no. But I never expected that either...

I expect you pick up your servers straight from the factory, then.

Numerous vulnerabilities in AMD processors

Posted Mar 14, 2018 13:54 UTC (Wed) by oldtomas (guest, #72579) [Link]

Actually, that makes sense (yeah, just one of many results of a search "NSA intercept hardware", FWIW. This one had pics, so it did happen ;-).

Since Snowden we know that the NSA does manipulate hardware on its way to the customer.

Numerous vulnerabilities in AMD processors

Posted Mar 15, 2018 0:21 UTC (Thu) by lsl (subscriber, #86508) [Link]

If someone malicious and determined gets a hold of your computer on the way between the factory and your datacenter, I don't think you stand a chance anyway.

Numerous vulnerabilities in AMD processors

Posted Mar 23, 2018 15:01 UTC (Fri) by walex (guest, #69836) [Link]

«I expect you pick up your servers straight from the factory, then.»

Well, I know even mildly security-minded people who build their own computers only from parts bought in random physical shops. In this way any adversary has to use either a "generic" backdoor (and risk losing it) or implant a target-specific device or backdoor one by burglarizing their office or home, without taking the cheap and easy option to install a target-specific device or backdoor before delivery.


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds