Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
AMD Security

Researchers Find Critical Vulnerabilities in AMD's Ryzen and EPYC Processors, But They Gave the Chipmaker Only 24 Hours Before Making the Findings Public (cnet.com) 195

Alfred Ng, reporting for CNET: Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer. CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly. An AMD spokesperson said, "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings," an AMD spokesman said. Zack Whittaker, a security reporter at CBS, said: Here's the catch: AMD had less than a day to look at the research. No wonder why its response is so vague.
This discussion has been archived. No new comments can be posted.

Researchers Find Critical Vulnerabilities in AMD's Ryzen and EPYC Processors, But They Gave the Chipmaker Only 24 Hours Before M

Comments Filter:
  • by Anonymous Coward on Tuesday March 13, 2018 @12:05PM (#56252765)

    ... someone needs to dig (deep) into who registered the amdflaw domain and who is funding this.

    • by sinij ( 911942 ) on Tuesday March 13, 2018 @12:12PM (#56252823)
      Yes, couple days to respond is a hit job and not a responsible disclosure. However, if AMD and Intel get into "flaw disclosure" wars, the only winner will be consumers. This is not a bad thing.
      • by Opportunist ( 166417 ) on Tuesday March 13, 2018 @12:43PM (#56253057)

        Care to inform me how I would be the winner if flaws in hardware become published with ZERO chance for their makers to deliver any kind of patch before malware creators get a chance to exploit them?

        • by Carewolf ( 581105 ) on Tuesday March 13, 2018 @01:15PM (#56253303) Homepage

          Care to inform me how I would be the winner if flaws in hardware become published with ZERO chance for their makers to deliver any kind of patch before malware creators get a chance to exploit them?

          The place this hole is, is the AMD version of IME, a useless piece of malware designed to remote-controlled your computer, which Intel and AMD puts there for enterprise purposes. Get rid of it from or make it default off and these issues goes away...

          I have no fucking clue why they installed those crappy Internet-of-shit operating systems in there by default in the first place.

        • by sinij ( 911942 ) on Tuesday March 13, 2018 @01:27PM (#56253387)

          Care to inform me how I would be the winner if flaws in hardware become published with ZERO chance for their makers to deliver any kind of patch before malware creators get a chance to exploit them?

          Listing your assumptions: You assume that nobody knew about these flaws before this press release. You assume that release contained sufficient information allowing some quickly reproduce these and move into exploitation. You assume that these could be remotely exploited so your are automatically vulnerable with any kind of system. You assume that these could be successfuly patched resulting in a stable and secure system.

          Some of these assumptions might turn out to be false.

      • by DRJlaw ( 946416 ) on Tuesday March 13, 2018 @12:55PM (#56253177)

        Yes, couple days to respond is a hit job and not a responsible disclosure.

        It's responsible enough for Tavis Ormandy [arstechnica.com]. You can simply make up your own shortened periods [arstechnica.com] rather than sticking to a standard 60-90 period. Just make up an excuse and fire away...

    • by gweihir ( 88907 ) on Tuesday March 13, 2018 @12:28PM (#56252935)

      Pretty clearly Intel-funded, yes. The 24h notification period is so short that it can be classified as a malicious attack. Nobody with any understanding of how this works does this unless there are strong overriding concerns. What these corrupt a******* did makes people a lot less secure.

    • by Lonewolf666 ( 259450 ) on Tuesday March 13, 2018 @12:48PM (#56253109)

      Yes, the combination of publication within a day and registering an AMD-denigrating domain for the purpose stinks. As others have written already, it looks like a PR hit job.

      With a quick Google search (5 minutes) I could also find nothing substantial about CTS Labs. They have a professional looking website with quite a bit of Bullshit Bingo appeal, and a contact e-mail address on it.
      Otherwise not much:
            -no postal address
            -no references from past projects
      One might wonder if this is more than a shell company ;-)

      • by Sir Holo ( 531007 ) on Tuesday March 13, 2018 @01:53PM (#56253567)

        Yes, the combination of publication within a day and registering an AMD-denigrating domain for the purpose stinks. . . a PR hit job. [emphasis mine]
        . . .
        One might wonder if this is more than a shell company ;-)

        How do these tiny, unknown shell companies find zero-day flaws that no one else can?

        Must be super-geniuses -- or maybe just sloppy hacks poorly covering their tracks when attempting defamation.

    • by Burz ( 138833 ) on Tuesday March 13, 2018 @03:17PM (#56254325) Homepage Journal

      Have to agree that the intent behind this super-fast disclosure looks malicious. It follows that the research was probably undertaken with malicious intent as well.

      A very large chunk of Intel's operations are based in Israel, so that is one possible motivation for Israelis to go after AMD, which is based in the EU. Its widely known that the EU fined Intel over a $billion for threatening PC makers to avoid using too many AMD chips in PC products. There is revanchism and monopolist warfare going on here.

  • by e r ( 2847683 ) on Tuesday March 13, 2018 @12:06PM (#56252779)
    These vulnerabilities look like they are almost all problems with the chipset or AMD's equivalent to Intel's Management Engine.
    So these aren't quite on par with Spectre and Meltdown.

    Some firmware updates should fix almost all of this.
    Still, it was sort of an asshole move to only give AMD 24 hours' notice just so they could get their 15 minutes of fame.
    And, yes, it's disgusting to see AMD put out products with lots of weaknesses like this.
    • by sl3xd ( 111641 ) on Tuesday March 13, 2018 @12:41PM (#56253035) Journal

      Saying they aren't on par with Spectre or Meltdown is missing the point - it's an apples to oranges comparison, just like IME's many problems aren't comparable to Spectre or Meltdown.

      It's not clear that firmware updates can fix it -- it depends on whether it's something that can be updated in firmware. Many security-critical hardware designs doesn't allow firmware updates, because at that stage modifiable firmware is a security hole in and of itself.

      At the end of the day, it sounds like AMD's Secure Processor has similar problems as Intel's Management Engine. It's not exactly unexpected, as every remote management 'feature' of the type has historically been riddled with security holes, regardless of vendor.

      I can't help but wonder, though, what the source of "24 hours notice" is; the articles I saw don't explain. I recall in years past, there are cases where researchers tried for months to get Microsoft to take their claims seriously. Microsoft wouldn't even acknowledge them, and when the researchers released it as a zero-day, and Microsoft shrieked they weren't given any notice...

      If AMD really was only given 24 hours notice, it was outrageously unprofessional and unethical behavior by the research company.

      Honestly, I'm more willing to believe corporate America would lie in an attempt to CYA than researchers would act in a way so unethical that nobody will work with them in the future.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday March 13, 2018 @12:06PM (#56252781)
    Comment removed based on user account deletion
  • by Anonymous Coward on Tuesday March 13, 2018 @12:09PM (#56252803)

    This all smells fishy. Hand me the tin-foil. I need a hat.

  • Follow the money (Score:4, Interesting)

    by spaceman375 ( 780812 ) on Tuesday March 13, 2018 @12:14PM (#56252839)

    In collusion with intel or not, I'd bet these "researchers" have bought a bunch of intel stock over the last few months.

    • by Joe_Dragon ( 2206452 ) on Tuesday March 13, 2018 @12:27PM (#56252921)

      if you get caught money laundering your going to fpmitap

    • by Zontar_Thing_From_Ve ( 949321 ) on Tuesday March 13, 2018 @01:11PM (#56253275)

      In collusion with intel or not, I'd bet these "researchers" have bought a bunch of intel stock over the last few months.

      Or they've shorted AMD and really need to knock down the price. For what it's worth as I write this AMD's stock is actually slightly up today despite the news.

    • Re:Follow the money (Score:5, Informative)

      by slack_justyb ( 862874 ) on Tuesday March 13, 2018 @06:27PM (#56255411)

      They literally spell it out on their disclaimer page. [amdflaws.com]

      Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

      So while these exploits might be real, they just straight up fess to being shady as shit. This is some blackballing level of unethical behavior. They literally hit and run AMD for profit. Whoever these engineers are, this whole episode should be the end of any future career they might have had and it just stops short of what I would think would constitute an outright FTC investigation.

      Twenty-four hour notice and then posting publicly the exploits isn't research, that's a willful attack.

      • by mike.mondy ( 524326 ) on Wednesday March 14, 2018 @12:33AM (#56256845)

        They literally spell it out on their disclaimer page. [amdflaws.com]

        Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

        So while these exploits might be real, they just straight up fess to being shady as shit. This is some blackballing level of unethical behavior. They literally hit and run AMD for profit. Whoever these engineers are, this whole episode should be the end of any future career they might have had and it just stops short of what I would think would constitute an outright FTC investigation.

        Twenty-four hour notice and then posting publicly the exploits isn't research, that's a willful attack.

        The exploits are reported as serious by a few independent researchers who seem to have been given extra info, but do require that you have *already* powned the target.

        And, somehow a short-seller named Viceroy saw fit to put out a report advising people to short AMD stock [streetinsider.com] because they claimed to believe that this flaw would drive AMD to bankruptcy!

        Definitely a money grab by CTS Labs. (I'll make a guess that Viceroy are dupes and are not intentionally doing something worth a visit from the SEC...)

  • by Joe_Dragon ( 2206452 ) on Tuesday March 13, 2018 @12:22PM (#56252887)

    Intel any thing to win! suck it up as soon you will an raid key and an pci-e lane key to unlock stuff on your cpu.

  • by Anonymous Coward on Tuesday March 13, 2018 @12:23PM (#56252891)

    So it appears an attacker would have to have gained root/admin access over the OS before they could then install some persistent backdoor?

    Attacking the TPM could be bad, but once you have kernel level access you pretty much have anything you need to steal data anyway.

    This one seems to have higher barrier to entry and a lot of assumptions versus just drive-by JavaScript executing code or a malicious guest VM breaking out of a hypervisor.

    I expect the CVSSv3 score to be medium.

  • by jmdevince ( 1175647 ) on Tuesday March 13, 2018 @12:26PM (#56252915)
    CTS Labs only registered their domain (cts-labs.com) 6 months ago. They registered amdflaws.com 2018-02-22. So they spent time tweaking the marketing material. This is nothing but a new company trying to make a name for themselves and have instead pissed off true security researchers by not following responsible disclosure. From CTS' own site: "Due to the sensitive nature of security vulnerabilities, we usually work under strict mutual NDAs with our customers to ensure maximum safety and privacy". ... Horseshit.
  • by Anonymous Coward on Tuesday March 13, 2018 @12:27PM (#56252925)

    All of those "vulnerabilities" have insane requirements like being able to defeat OEM BIOS flash protections or Windows' driver signing...

    MASTERKEY:

            Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update. This update would contain Secure Processor metadata that exploits one of the vulnerabilities, as well as malware code compiled for ARM Cortex A5 – the processor inside the AMD Secure Processor.

    RYZENFALL:

            Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

    FALLOUT:

            Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

    CHIMERA:

            Prerequisites for Exploitation: A program running with local-machine elevated administrator privileges. Access to the device is provided by a driver that is digitally signed by the vendor.

  • by jm007 ( 746228 ) on Tuesday March 13, 2018 @12:39PM (#56253023)
    just a guess....

    if the bounty programs were reliable and lucrative enough, then security researchers could justify revealing vulnerabilities on the company's terms, i.e., quietly and when ready

    however, if a company's bounty programs were thought to be low-paying and unreliably given, then the new-found vulnerability could be used from a marketing perspective to give the researchers access to more business opportunities and money.... try to get publicity for it, it might pay off that way instead
  • by xxxLCxxx ( 5220173 ) on Tuesday March 13, 2018 @12:57PM (#56253179)
    Looks like somebody has shortened AMD stocks. This should be under investigation soon.

    From reddit.com: [reddit.com]

    FRANKFURT, March 12 (Reuters) - German financial watchdog Bafin said on Monday that short-seller Viceroy Research breached German securities law with a research report on ProSiebenSat.1 as it did not notify the regulator of its activities.

    Under German law, any entity that is not a securities firm, a fund manager, an EU administrative firm or an investment company that intends to publish recommendations on investments in assets must notify Bafin ahead of time, it said.

    It also said Viceroy’s website did not contain information on where the company was based.

    ProSieben last week rejected a critical report by Viceroy that led to a drop in its share price by as much as 9 percent, saying the allegations of questionable accounting contained in it were“unfounded and distorting reality”. (Reporting by Maria Sheahan Editing by Arno Schuetze)
  • Not a vulnerability (Score:5, Interesting)

    by FeelGood314 ( 2516288 ) on Tuesday March 13, 2018 @01:21PM (#56253339)
    This is both an attack on AMD (and possibly their stock price) and a way for the researchers to get publicity. This happens way to often, just this time it got more publicity than usual. What happens is researchers looking to make a name for themselves finds what they think could sound like exploit, the fact that it might already be public knowledge or hell even the way a device is supposed to work (e.g. exploit needs signed drivers and physical access) doesn't matter. Usually the "researchers" aren't very good. They use automated tools to scan for a vulnerability that they don't really understand and when you respond that "yeah, that 32 bit signed/unsign error might be exploitable if you send me a buffer with 2^31 + 7 bytes of data to a processes on an old 32 bit server but since the process only has 2GB of memory good luck.* The researches intentionally published right away so that the organization they are attacking doesn't have time to respond. The researchers didn't want a response because they knew the response would be "fuck off, this isn't a vulnerability!"

    *yes, I had this conversation.
    • by Sir Holo ( 531007 ) on Tuesday March 13, 2018 @03:55PM (#56254561)

      FOR THE LAZY: (2^31 + 7) Bytes = 2 TB & change.

    • by sl3xd ( 111641 ) on Tuesday March 13, 2018 @07:44PM (#56255699) Journal

      This is both an attack on AMD (and possibly their stock price) and a way for the researchers to get publicity.

      I'll buy publicity, but an attack on AMD... no.

      Saying it's an attack on AMD is about as sensible as saying the (many) flaws published about Intel's products were attacks on Intel.

      If there's a flaw, it doesn't exist because of the researchers. If the researchers were truly malicious, they wouldn't have disclosed anything at all.

      Zero-day exploits give engineering departments heartburn and sleepless nights, but do little to the stock price over the long term. The only way this hurts AMD is if AMD says it isn't a problem and is proven wrong.

  • 24 hours heads up? (Score:2, Interesting)

    by Jonathan P. Bennett ( 2872425 ) on Tuesday March 13, 2018 @01:23PM (#56253353)

    Such a quick turnaround between private and public disclosure means one of two things.

    First possibility: They're not interested in responsible disclosure. Likely. As others have pointed out, they get more noise for their findings this way.

    Second possibility: They know these vulnerabilities are being actively exploited. Not as likely, but a real possibility, and way more worrying.

    • by hajile ( 2457040 ) on Tuesday March 13, 2018 @01:54PM (#56253585)
      Have you read about the vulnerability requirements? You have to already control the machine before you can use these. If these are a problem, you already have a much bigger problem.
    • by gweihir ( 88907 ) on Tuesday March 13, 2018 @02:00PM (#56253647)

      Third: This is a stock-scam and they need the short turnaround time, otherwise AMD could have stated (after analysis) that this actually has no substance.

      • by sl3xd ( 111641 ) on Tuesday March 13, 2018 @08:13PM (#56255827) Journal

        If it's a stock scam, it's an amazingly ignorant one. The average day trader doesn't know about or really care about AMD. Even Intel is yesterday's news. They just don't have Apple's name recognition.

        If they were shorting AMD stock they would have only made 4.5% if they were prescient and both bought and sold their stock perfectly. If they weren't so lucky, they would have been seriously in the hole (down to -7%) and likely would have given up before 2PM EST.

        Coupled with the (expected) blocking of the Qualcomm sale to Broadcom today, and its corresponding gains to Intel & AMD's stock prices, it was just a really, really poor day to make that move.

        • by gweihir ( 88907 ) on Wednesday March 14, 2018 @12:05PM (#56259549)

          Look at their logo and the youtube video: Cheap background and cheap logo bought from the same site. The "vulnerabilities" are mostly irrelevant, if physical access is given, the attacker can do anything. Then the very short "disclosure" period that makes absolutely no sense, except as an ingredient in stock-fraud.

          So yes, "amazingly ignorant" is pretty much right on the mark.

  • by DontBeAMoran ( 4843879 ) on Tuesday March 13, 2018 @01:57PM (#56253615)

    Well, here's hoping that Apple's new low-cost entry-level MacBook uses one of their own A12 or whatever. Lower price and better security, maybe?

  • by Megol ( 3135005 ) on Tuesday March 13, 2018 @02:00PM (#56253641)

    Look at how the information is delivered. "This site is to inform the public about the vulnerabilities and call upon AMD and the security community to fix the vulnerable products." - but doesn't actually give AMD the time to fix the problem(s).

    Look at the website: amdflaws.com
    Nice name.

    "MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update"
    So this is a low impact problem. Yes they try to hype it but the fact is if anyone have access to a computer one should always assume they can gain control.
    For just a few years ago people wouldn't even try to portrait it as a problem.

    The rest are similar things - bypassing security while still needing physical and/or elevated privileges. Yes there may be problems caused by this, no the problems aren't really bad.

    I wouldn't be surprised if Intel spent some $$$ to encourage the group behind this to select the website name, the naming of the exploits (or "exploits" in some cases), how they are presented on the website and the white paper, and lastly to not giving AMD any chance to patch the problems. Add to this the quote above that show an exceptional level of dishonesty.

    And if Intel didn't give them anything the group missed out - Intel have dedicated resources for these kind of operations as anyone that have been into computers for a while should know.

    Disgusting.

  • by iCEBaLM ( 34905 ) on Tuesday March 13, 2018 @03:38PM (#56254453)

    https://amdflaws.com/disclaime... [amdflaws.com]

    "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

    24 hours notice. "Researchers" who seem to spring up out of nowhere. Creating a website and videos for maximum publicity. All the security flaws seem overblown (require actual flashing of firmware or bypassing driver signing), and.. wait, what's this?

    https://www.reddit.com/r/AMD_S... [reddit.com]

    A huge number of put option (a bet that share price will fall dramatically) volume 5 days ago?

    Nah, this is totally legit!

    • by sl3xd ( 111641 ) on Wednesday March 14, 2018 @12:46PM (#56259849) Journal

      A huge number of put option (a bet that share price will fall dramatically) volume 5 days ago?

      To play devil's advocate: Put options like that are an everyday occurrence. They're not unusual in any way.

      There's even a solid reason for the bet: Much like Intel [slashdot.org], AMD missed the boat for mobile processors. Neither Intel nor AMD have processors in the iOS world, nor do they have a serious competitor to Qualcomm's SnapDragon or NVIDIA's Tegra on Android. Most of the arguments that the Broadcom+Qualcomm merger being an "existential threat" to Intel also applies to AMD, because they both missed the fastest-growing market in the industry.

      Five days ago, it wasn't unreasonable to say that the Broadcom+Qualcomm merger, if approved, could cause AMD's stock price to suffer.

      Unsurprisingly, when news came out that President Trump would block the Broadcom purchase of Qualcomm for national security reasons, AMD's stock jumped.

Is knowledge knowable? If not, how do we know that?

Working...