AMD's Ryzen CPU's (Ryzen/TR/Epyc) & Vega/Polaris GPU's

Discussion in 'Hardware Components and Aftermarket Upgrades' started by Rage Set, Dec 14, 2016.

  1. Deks

    Deks Notebook Prophet

    Reputations:
    989
    Messages:
    4,095
    Likes Received:
    1,307
    Trophy Points:
    231
    Plus, as it was also mentioned, they gave AMD less than 24 hrs to respond when industry standard is about 90 days. that's a tad odd, is it not?
     
  2. Robbo99999

    Robbo99999 Notebook Prophet

    Reputations:
    3,264
    Messages:
    5,620
    Likes Received:
    4,234
    Trophy Points:
    431
    Well I've not read the detail of the report, just the Guru3d article that I quoted - but what will be the acid test will be how AMD responds to this, and if they release patches to plug the holes then you for sure can believe that the vulnerabilities are real. I imagine AMD will respond very quickly either way, either to discredit the findings or to patch as soon as possible. For now AMD is just saying this: "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings,".
     
    Papusan and Donald@HIDevolution like this.
  3. Papusan

    Papusan JOKEBOOKS = That sucks! Dont wast your $$ on FILTH

    Reputations:
    13,430
    Messages:
    19,008
    Likes Received:
    29,168
    Trophy Points:
    931
    Some I won’t name names... Said go for AMD. Intel has only flaws. Oh’well

    I have said this before. It’s tech. Next time it will be the other manufacturer who run into problems.
     
  4. TANWare

    TANWare Just This Side of Senile, I think. Super Moderator

    Reputations:
    2,320
    Messages:
    8,994
    Likes Received:
    4,130
    Trophy Points:
    431
    Last edited: Mar 13, 2018
    Raiderman likes this.
  5. Papusan

    Papusan JOKEBOOKS = That sucks! Dont wast your $$ on FILTH

    Reputations:
    13,430
    Messages:
    19,008
    Likes Received:
    29,168
    Trophy Points:
    931
    amdflaws_whitepaper.pdf

    https://amdflaws.com/


    AMD's Ryzen, Epyc security co-processor and chipset have major flaws, researchers claim-Pcworld.com
    "CTS-Labs is not the only security organization to discover an issue with AMD’s Secure Processor. Last September, Google researchers found and reported a stack overflow vulnerability, which AMD said it patched. AMD’s BIOS now allows users to disable PSP support. PSP, or the Platform Security Processor, is the former name of AMD’s Secure Processor."
     
    tilleroftheearth likes this.
  6. TANWare

    TANWare Just This Side of Senile, I think. Super Moderator

    Reputations:
    2,320
    Messages:
    8,994
    Likes Received:
    4,130
    Trophy Points:
    431
    Last edited: Mar 13, 2018
    Raiderman, hmscott and Deks like this.
  7. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,795
    Messages:
    16,642
    Likes Received:
    20,467
    Trophy Points:
    931
    From the guru3d article:

    "What now?
    It's not known how long it will take to address and fix these issues if some of them can be fixed at all. CTS-Labs said it hasn't heard back from AMD, but considering they gave AMD 24 hours to digest this all, that makes sense. The researchers said it could take several months to fix. Some of the exploits in hardware can't be fixed, they add.

    We say testing & verification is required. Should you be worried? Well, from what we've read, all four levels of vulnerabilities require actual administrative access towards your PC. This means you'd need to hand out full access to your PC, that would read as alleviated privileges. And yeah, anything and anyone you hand out admin rights would be at risk or compromized anyway.

    At the time of writing, I (Hilbert) am looking at the vulnerability announcements with a healthy amount of skepticism, and so should you. I'd advise we all await what AMD has to say about this, once they have had a chance to digest all information and accusations.

    There are many things that bother me:
    • The 24-hour disclosure opposed to the industry standard 90/180 day is just wrong
    • Domain records for "amdflaws.com" has been created on Feb, 22, 2018.
    • Company is listed only since 2017, linked-in shows very poor company info.
    • Domain registered not directly but through "domainsbyproxy.com".
    • Domain is registered at GoDaddy, privately. No contact information of the domain is public.
    • Their official Youtube Channel with that video, was created March this year. That would be the official company YT channel.
    • Video looks marketed, too well produced.
    • Names like Ryzenfall sounds like somebody from marketing made that up?
    • Precisely 13 flaws? An unlucky number?
    • Whitepaper shows no specific technical detail.
    • Earlier today when the news broke and info was released I did some Google searches on CTS-Labs, it revealed very little, for a proclaimed established security agency.
    • Parts of www.cts-labs.com website are copied from public PDF documents
    • As a security firm, cts-labs website does not even have an SSL certificate active? Thus no https available as an option?
    • cts-labs does not disclose address on website.
    All things combined raise so many red flags, now we can also add this:

    Currently, there is speculation that this information release is an attempt to manipulate the stock price of AMD. The short seller Viceroy Research would possibly play a role in this. That company published relatively quickly after CTS the claim that the 'revelations' would be the death blow for AMD.

    In the end, this all could be a hoax or plot to damage AMD or for self-benefit (manipulating stock exchange), and as more time passes it seems to be the case that all this is just that, a hoax to create some sort of effect. We'll have to wait and see what AMD makes of this and what their actions will be.

    Initial AMD Statement
    We've reached out to AMD for a statement, here is the latest updated reaction:

    "We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops,"."

    This is apparently a well funded and coordinated attempt to torpedo AMD set up to appear to be orchestrated from Israel - Intel is the #1 technology employer in Israel.

    How Intel came to be Israel’s best tech friend
    A newly found cache of photographs shows the development of one of the country's most important ongoing business relationships
    By DAVID SHAMAH, 23 April 2015, 12:09 pm
    https://www.timesofisrael.com/how-intel-came-to-be-israels-best-tech-friend/

    https://www.google.com/search?q=intel+israel

    This is a sad day both for Intel and Israel, they are both being smeared by whoever is perpetrating this effort, and both need to get on top of the perpetrators, stop it, and disclose the cleanup.

    AMD is on the right path, and more attacks are likely forthcoming.
     
    Last edited: Mar 14, 2018
    Raiderman and Dennismungai like this.
  8. TANWare

    TANWare Just This Side of Senile, I think. Super Moderator

    Reputations:
    2,320
    Messages:
    8,994
    Likes Received:
    4,130
    Trophy Points:
    431
    One issue could be a short seller betting a lot on AMD having a crash and burn. While Zen 12 nm may not be the companies save grace making the CPU's highly competitive Zen2 at 7nm most likely will. This is exactly the opposite of what a short seller wants to see. As it stands the stocks look to at least be holding their own somewhat, again a short sellers nightmare.
     
    hmscott likes this.
  9. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,795
    Messages:
    16,642
    Likes Received:
    20,467
    Trophy Points:
    931
    OK, deep breath, relax... Let's have a sober look at these 'ere annoying AMD chip security flaws
    Holes useful for malware on completely pwned PCs, servers
    By Thomas Claburn in San Francisco 13 Mar 2018 at 22:47
    https://www.theregister.co.uk/2018/03/13/amd_flaws_analysis/

    "Analysis
    CTS-Labs, a security startup founded last year in Israel, sent everyone scrambling and headlines flying today – by claiming it has identified "multiple critical security vulnerabilities and manufacturer backdoors in AMD’s latest Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile processors."

    Tuesday's glitzy advisory disclosed no technical details – but described 13 "critical" security vulnerabilities that span four bug classes in AMD chips. The biz apparently gave AMD only one day of advance notice it was going public, an amount of time that precludes addressing the flaws prior to publication and deviates from security industry norms of responsible disclosure. Typically, organizations are given up to 30 to 90 days to fix their products.

    The report describes the four classes of vulnerability, each of which has several variations. They all require local administrator access – or in one case, physical access – to exploit, which limits them as vulnerabilities useful for miscreants.

    Essentially, the security holes can be exploited by malware already present in a computer to bury deep into its machinations to ensure it can't be easily detected and removed – not even by wiping hard drives and reinstalling everything from scratch. The malware can inject itself into motherboard firmware to stay out of sight, all while meddling with or siphoning off files and other personal information, and interfering with system hardware.

    But it's important to note that a software nasty has to have superuser powers to abuse the programming cockups found by CTS-Labs. At which point, the malware already can spy on its victim, steal their data, hold their files to ransom, and so on.

    The flaws do not open AMD-powered PCs and servers to remote hijacking over the internet, nor allow malicious apps to commandeer systems. Instead, they can be leveraged to ensure that once malware is present, it's more difficult to find and remove.

    Also, no code exploiting the security shortcomings has been made public, nor is any circulating right now in malware. The holes are also not necessarily unfixable.
    What are the bug classes?
    RYZENFALL allows malicious code to take over the AMD Secure Processor in Ryzen, Ryzen Pro, and Ryzen Mobile chips. Exploitation requires being able to run a program locally with administrator privileges. CTS-Labs claims there's no mitigation, despite AMD's recent released BIOS update that is supposed to disable the Secure Processor, thus killing off the whole thing.

    The Secure Processor – aka the Platform Security Processor or PSP – is a coprocessor that ships with modern AMD chips that ensures a valid, untampered operating system is booted, among other tasks.

    The RYZENFALL vulnerability may be related to a security issue in AMD's Secure Processor reported by Google security researcher Cfir Cohen in January. RYZENFALL requires root-level access to attack. It can be used to commandeer the Secure Processor, boot backdoored operating systems, and extract, say, protected Bitlocker crypto-keys from the firmware to decrypt drives in seized Windows 10 machines.

    Re: today's AMD flaw hype.
    There was a very similar AMD PSP firmware hole uncovered (and patched) in January, but I guess it just didn't have a fancy bug name nor a website https://t.co/GBtGTf22zn
    — Chris Williams (@diodesign) March 13, 2018

    FALLOUT, a flaw in the boot loader component of Epyc's Secure Processor, allows attackers to read and write sensitive and protected memory areas, such as SMRAM and Windows Credential Guard isolated memory (VTL-1). As with RYZENFALL, local administrative access is necessary to exploit the issue.

    CHIMERA is described as a pair of manufacturer backdoors, one in firmware and one in hardware (specifically in an ASIC), that allow code to be injected into AMD Ryzen chipsets. Again, you need root privileges to do this. This means the underlying motherboard firmware can be programmed to become a keylogger, send keypresses for passwords over the network, and so on.

    The advisory claims the backdoors were introduced, accidentally or otherwise, by Taiwanese chip manufacturer ASMedia, owned by ASUSTeK, which used its own insecure integrated circuits in AMD's Promontory chip, found in AMD's Ryzen and Ryzen Pro lines.

    MASTERKEY, allows the installation of persistent malware inside the Secure Processor, running in kernel-mode with administrative permissions. It requires the ability re-flash the motherboard BIOS with a malicious software update. This typically requires admin-level or physical access to a box, but CTS-Labs contends this could be done remotely through a command-line utility, again with the appropriate permissions.

    The key thing with, er, MASTERKEY is that the system accepts modified BIOS images – when really, it ought to reject them, regardless of who is flashing them.

    Eypc server chipsets are, we're told, affected by FALLOUT and MASTERKEY. Ryzen workstation has CHIMERA, MASTERKEY and RYZENFALL. Ryzen Pro has CHIMERA and RYZENFALL. Ryzen mobile has RYZENFALL.

    Questions of motivation
    Some members of the online security community are characterizing the research as a hit piece designed to manipulate AMD's stock price, presumably to benefit those intending to short company stock.

    Dan Guido, CEO of security firm Trail of Bits, meanwhile contends the findings are valid. He said he was contacted by CTS-Labs ahead of today's disclosures to check over the vulnerability discoveries to evaluate their impact, and said the blunders can be exploited.

    "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public AFAIK), and their exploit code works," he said via Twitter.

    In a video published in conjunction with the research, Ido Li On, CEO of CTS-Labs, claimed many of Taiwanese chipmaker ASMedia's products contain backdoors that could be used by hackers to inject malicious code.Fined by the FTC in 2016 for ignoring security flaws, ASMedia has helped build some AMD chipsets.

    "When we looked at Ryzen computers, we saw that the very same backdoors that have existed on ASMedia chips for over six years are now on every Ryzen PC in the market," Li On said. "This was deeply concerning to use and it got us to look at AMD security as a whole."

    Response
    AMD in a statement issued a few hours ago said it was looking into the claims:

    We have just received a report from a company called CTS-Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings.

    In keeping with the practice cemented by the Spectre and Meltdown vulnerabilities in January, CTS-Labs is promoting the disclosure on a dedicated website, amdflaws.com – complete with logos, codenames, claims of public safety risks, and media briefings to create a big splash.

    The website, and the white paper that accompanies it, includes a lengthy disclaimer advising not to use the research as investment advice. "The report and all statements contained herein are opinions of CTS and are not statements of fact," the dot-com declared. "Organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents."

    It also, curiously, acknowledges the possibility that those involved may have a financial interest in AMD stock:

    Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

    A separate website published under the name Viceroy Research meanwhile has cited CTS-Labs' work to claim, rather sensationally, "We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries." Viceroy's blog post and CTS' findings went live today within a couple of hours of each other.

    Reached by phone, John Fraser Perring, founder of Viceroy Research, which describes itself as "a group of individuals that see the world differently," confirmed to The Register that his firm has a short position in AMD stock and that he intends to increase that position in light of support for CTS-Labs' findings.

    He said that technical experts he corresponded with who have verified the findings, specifically Dan Guido, have left him convinced that these flaws pose a serious risk to AMD customers.

    Perring said he received a copy of report from an anonymous source and found the findings credible after consultation with internal and external technical experts.

    Not everyone believes the flaws are quite so dire – certainly not enough to warrant a media blitz with claims of doom and death.

    If you're already that pwned...
    Jake Williams, founder and president of Rendition Infosec, commented on the above quoted disclaimer via Twitter, saying, "I'm pretty well convinced that this is designed to manipulate stock prices. That doesn't make the vulnerabilities fake or any less dangerous (though you need admin access to exploit most)."

    Arrigo Triulzi, a security consultant based in Switzerland, described the paper as "over-hyped beyond belief" and added, "This is a whitepaper worthy of an ICO [cryptocurrency initial coin offering]. And yes, that is meant to be an insult."

    Google security researcher Tavis Ormandy, responding to Triulzi wrote, "Nothing in this paper matters until the attacker has already won so hard it's game over. Not something I'm too interested in, but maybe DFIR [Digital Forensics and Incident Response] people are?"

    Ormandy is referring to the fact that exploiting these supposed flaws require local administrative access, making them significantly less dangerous than vulnerabilities that can be exploited by a remote, unprivileged user.

    Linux kernel contributor and expert Matthew Garrett also broke down the four bug classes thus:

    The argument is that if you can replace the firmware then of course you win, except the whole point of having the CPU validate the firmware is that replacing the firmware means the machine doesn't boot. It's not a real threat for most people, but it still matters.

    — Matthew Garrett (@mjg59) March 13, 2018
    RYZENFALL: OS-level admin can gain access to the Secure Processor. This means root can extract any secrets stored in the fTPM. Use Bitlocker? Attacker can boot their own OS image, break into the fTPM, extract the key, decrypt your drive.

    — Matthew Garrett (@mjg59) March 13, 2018
    FALLOUT: Different attack path to Ryzenfall, looks like it gives the same kind of outcomes - any protections mediated by the Secure Processor are broken

    — Matthew Garrett (@mjg59) March 13, 2018
    CHIMERA: Someone with root can potentially turn your motherboard chipset into a hardware keylogger that sends anything that looks like a password over the network and you can never fix it look this is kind of a big deal

    — Matthew Garrett (@mjg59) March 13, 2018
    But there are many other people who don't want to make that assumption - root shouldn't be able to replace your system firmware with malware, root shouldn't be able to extract secrets from your credential VM, root shouldn't be able to trojan your chipset

    — Matthew Garrett (@mjg59) March 13, 2018
    In an email to The Register, Yuriy Bulygin, CEO and cofounder of firmware security firm Eclypsium, said that while the white paper offered little in the way of technical details, it nonetheless describes what look to be an important set of vulnerabilities affecting the Platform Security Processor, a critical security component on AMD systems.

    "Assuming these vulnerabilities are confirmed, they would seem to lead to a bypass of fundamental platform protections like hardware based secure boot, Windows 10 Virtualization Based Security (with Credential and Device Guard), firmware based Trusted Platform Module, secure encrypted virtualization," said Bulygin.

    "This would also allow malicious code to persist in PSP’s firmware and other firmware like UEFI and runtime SMM. If we navigate beyond marketing language and disclosure discussions, this is important research into the platform security of AMD-based systems. The next step is to evaluate technical details when they are released to confirm the issues."
    Impact
    Jake Williams told The Register that the lack of details in the report made gauging the impact of the vulnerabilities difficult, but the flaws could be a major issue - depending on who you think is likely to go after your networks.

    "If nation state attackers top your threat model, then yeah this is bad. The vulnerabilities will allow attackers to bypass Trusted Boot (allowing them to bypass device driver signing and other rootkit mitigations) and Credential Guard (allowing them to bypass Windows 10 credential hardening mitigations)," he explained.

    "The most concerning are the two chipset vulnerabilities. These have the potential to more widely exploited. The hardware vulnerability that involves direct memory access (DMA) is particularly concerning since it will difficult to impossible to patch through software."

    AMD stock closed up about one per cent on Tuesday. If the plan was to short the stock, well, that backfired somewhat.

    El Reg asked the US Department of Homeland Security whether it was aware of the CTS-Labs report, and whether it had any comment on the findings. A spokesperson in an email said: “DHS is aware of the report” but has nothing further to add at this time.

    The Register also asked an Intel spokesperson whether the company had any financial or logistical ties to CTS-Labs. We have yet to hear back. ®

    Bootnote
    Linux kernel chief Linus Torvalds is not amused. "It looks like the IT security world has hit a new low," he stormed.

    "At what point will security people admit they have an attention-whoring problem?""
     
    Last edited: Mar 13, 2018
    Raiderman and jclausius like this.
  10. TANWare

    TANWare Just This Side of Senile, I think. Super Moderator

    Reputations:
    2,320
    Messages:
    8,994
    Likes Received:
    4,130
    Trophy Points:
    431
    If you have admin level access there is al kinds of things that can be done to any system. This includes software/malware/bios hacks that can be devastating. I would be willing to bet if you gave the same access to an Intel system quite a bit of devastation can be done there as well.

    My bet is the reason for no allowed response time is exactly this. AMD not just coming back and saying beware who you give admin access too. what a bad malicious joke.
     
Loading...

Share This Page