AMD Says Patches Coming Soon For Chip Vulnerabilities

wiredmikey writes: After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) says patches are coming to address several security flaws in its chips. In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.

Re:

[Fly Swatter]

Nice try, but these don't look related to meltdown or spectre at all. It's a problem with their 'secure' management layer, intel already fixed theirs a while back - what took AMD so long :P

Re:Response Intel vs AMD

[mark-t]

First of all, this story has nothing to do with Meltdown or Spectre. It is about a set of AMD-specific bugs. Secondly, AMD wasn't affected by Meltdown. Nobody pretended it wasn't affected by Spectre other than people who didn't understand that when it was mentioned that "AMD was not affected", it was in reference to Meltdown only. The apparent disinformation is not acceptable, but is at least understandable because the news of both was publicly released essentially simultaneously and it would have been easy to misinterpret that AMD was unaffected as applying to both. This should have been more clearly worded in the initial release that made the statement. Nonetheless, a clarification was made when it became apparent that this is what people were believing.

Finally, AMD's response to this is vastly more consumer-friendly than Intel's with respect to their own issues, because it only requires applying patches to existing hardware instead of having to go out and buy new hardware.

Re:Response Intel vs AMD

[Khyber]

"It is about a set of AMD-specific bugs"

No, no it is not. It's about a set of bugs in a specific range of ASMedia chipsets that AMD uses in their products, which are also in use on plenty of Intel motherboards, which means they're likely just as vulnerable.

Re:Response Intel vs AMD

[alvinrod]

It's even a little bit more constrained than that. It's about a set of bugs that require admin rights to exploit in a specific range of ASMedia chipsets that AMD uses in their products.

For these to be a problem for you, you've probably already got a bigger set of problems. That doesn't mean that they shouldn't be patched, but that a far bigger deal has been made over this than necessary.

Re:

[DamnOregonian]

You're wrong on a lot of levels.
First, this does absolutely affect the AMD CPUs (as well as the ASMedia chipset controllers)
Second, an exploited administrator account is not a bigger deal than an owned chipset or system management controller.
You are free to run any code you want on your main CPU. The SMU requires signed code for a very good reason- because it can transparently prevent you from actually updating its code, and transparently do... well, whatever the fuck it wants, up to and including preven

Re:

[DamnOregonian]

That's partially true. The flaws affect both the ASMedia chips, and the embedded ARM system management processor in the CPU. Parent was not wrong.

Re:

[postbigbang]

It would be good to read about the problem to understand to have a context to the answer: https://amdflaws.com/#TABLE-vu... [amdflaws.com]

Re:

[postbigbang]

Good grief.

What if there are actual facts inside? Would that interest you?

Re:

[postbigbang]

Go to: https://blog.trailofbits.com/2... [trailofbits.com] then here: https://community.centminmod.c... [centminmod.com]

Enjoy.

Re:

[Anonymous Coward]

BIOS rootkits aren't new. In fact, they're extremely old. They're also trivially mitigated by disabling BIOS flashing from within your BIOS, and only turning the feature on when you intend to flash. This is basic hardening that I dearly hope most sysadmins do.

Re:

[postbigbang]

Read about the architecture of the vulnerability. It's a hidden rootkit. You can't checksum it, or really even probe it: https://amdflaws.com/#TABLE-vu... [amdflaws.com]

Re:

[postbigbang]

Did you read the vulnerability, and how it is instantiated? Of do you just play a geek on TV?

Re: Response Intel vs AMD

[Brockmire]

I just updated a mobo's bios last updated in 2012. It doesn't support downgrading after installing a bios from a certain point. That wasn't the first mobo with downgrade prevention I've seen, either. I don't think you know wtf you're talking about.

Re:

[postbigbang]

Did it have an onboard PSP? Did it need auth to that PSP? Did it use any security co-processor? That's the point. Right now you can bypass the auth. Anything could be there, and you would have NO way of finding it. Go ahead and install a new BIOS. The new BIOS still can't see what's on that PSP. Downgrade prevention isn't the problem. It's that you can't audit what's there, and code in the PSP prior to the BIOS install *will still be executed* unless you cut off the PSP entirely, and that's not gonna happen

Re: Response Intel vs AMD

[Brockmire]

What are you, in fucking sales or something? You're fucking stupid. This is a tech site. We just about all have multiple, beefy computers and do actual fucking work with them. Fuck off.

AMD just needs to force MB makers to push out

[Joe_Dragon]

AMD just needs to force MB makers to push out updates?? And down the road what about cpu bios updates that work on ANY MB?

Re:

[F.Ultra]

They can also push out new microcode updates to the OS vendors, you can get microcode updates via BIOS and via the OS. If you'r on i.g Debian/Ubuntu you can install "amd64-microcode or intel-microcode" depending on if you use an AMD or Intel CPU. Microsoft and Apple probably include them in an update as well.

Re:

[F.Ultra]

However looking at this particular issue this is not a microcode update so it must be done via a BIOS update, sorry for the confusion.

Re:

[DamnOregonian]

And if someone has already owned the SMU, they can make you think you installed the BIOS, but replace the little blurb of SMU code in it transparently, allowing you to think you've fixed the problem, without actually having done so!
But no, this isn't a problem.

Re: AMD just needs to force MB makers to push out

[Brockmire]

So you think mythical malware that takes advantage of this already has such countermeasures tested and working? You're trying hard.

Re:

[DamnOregonian]

No, I don't...
But it's not a difficult target if you've got control of the ARM on the AMD CPU.
I'm not trying hard at all. On the contrary- people are trying really hard to defend this as "not a big deal" and I'm saying it IS. And I'm qualified to say so.

"Vulnerabilities"

[TimothyHollins]

This was nothing more than a poorly sourced hitpiece.

The list of vulnerabilities require administrator access. I doubt real security researchers would even consider that a vulnerability. There was nothing "disastrous" to report, and the claim by CTS Labs that it would "take 2 years to fix" the reported flaws was nothing short of outright lying. I wouldn't be surprised if Intel recently funded independent Israeli security researchers for goodwill.

http://www.tomshardware.com/ne... [tomshardware.com]

Re:

[Anonymous Coward]

The list of vulnerabilities require administrator access. I doubt real security researchers would even consider that a vulnerability.

It's a vulnerability, it's just not one that warrants much concern. This [xkcd.com] comic comes to mind, though the caption should be "they can install drivers, replace the entire system, read any file they want, sniff all my packets, login to my facebook, my email, etc.. but at least they can't replace my BIOS, or read super-secret areas of the CPU!"

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[TheRaven64]

Think about supply-chain trojans: Someone who has access to your computer before you unpack it can (fairly easily) install malware that is not detectable and is not erased when you re-image the machine. That's probably not a concern for individuals, but for anyone worried about corporate espionage or nation state adversaries, it's a problem.

Re:

[thegarbz]

A vulnerability is a vulnerability

You've never heard of the concept of "risk" have you.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[thegarbz]

the foam dripping from your mouth

Not foam, just a TL;LD.

I don't really get worked up about much, not even enough to read to the end of most sentences.

Re:

[Upd Late]

The real problem is that if someone were to get admin access, they could plant the malware where there was no way of finding it.

Still though, this was clearly a hit piece by CTS Labs in hopes of capitalizing on the fall out. The shorts must be crapping themselves. With how quickly AMD responded with fixes, my bet is that they already knew about it. For something this serious, you not only want to fix the problem, but test the living hell out of it to make sure you're not inadvertently breaking something

Re:

[DamnOregonian]

Right on all accounts. This article dearly needs you modded up.
The only thing I would change is, "they could also plant malware where there was no way of finding it, or removing it."

Re:

[MachineShedFred]

Pull power cable. Plug USB boot drive in. Boot from USB. Flash malicious code to hardware because I'm root on my boot stick.

No, these vulnerabilities are just fine, according to you.

Re:

[Anonymous Coward]

Pull power cord.

Discover that the computer isn't allowing to boot from anything but the HDD.

Discover that the BIOS is password protected.

Put USB boot media back in pocket.

Put on your most disappointed face.

Don't assume the people trying to keep you out are total idiots.

Re:

[Anonymous Coward]

Who's the idiot? You. No doubt. "OMG OMG THE SKY IS FALLING!!! UNKNOWN LITTLE MEN ARE GOING TO SHOW UP EVERYWHERE AND PWN EVERYTHING!"

Jesus Christ. If major companies doesn't use BIOS passwords, that's on them, for starters. Exactly how you're going to get onto their premises and why you think they'd leave you alone to fiddle with their computers, I leave for you to explain further.

Finally, yes, I suppose if you infiltrated the supply line you'd get a free reign, but you still have utterly failed, every tim

Re:

[Bert64]

If you have physical access you could also:

clone the drive
backdoor the existing install
install a hardware keylogger
modify the hardware

and all manner of other things. As many people have said, yes it's a bug but it's nowhere near as serious as people have been claiming.

Re:

[DamnOregonian]

I doubt real security researchers

Hi. Real security researcher here. You have no idea what you're talking about. These days, systems that run "higher" than root on the main CPU are ubiquitous from the embedded to desktop range. Getting root/administrator access is only the first step. This presents a single easy target for above-root access to a machine. This is a big deal. Quit shilling.

Re:

[Anonymous Coward]

Hi,

Real security researcher, software developer, and system administrator here with 20+ years experience. In the "real world" we call an attacker getting admin access "you're screwed", and gaining access to replace the BIOS or some super-secret part of the chip isn't really much more of a compromise. I'm sure there's _some_ systems out there where this is a "big deal", but for the vast majority of computer owners, system administrators, and corporations, this is a non-event.

It _is_ a vulnerability, but it

Re:

[DamnOregonian]

You're completely full of shit, or grossly ignorant. I suspect the latter- you're simply out of your league, here.
I suspect you don't really know much about secure zones in processors.
To start, replacing the BIOS in a virus isn't really feasible. The possible variations the virus must contend with (BIOS/EFI variations) in order to put in a custom owned BIOS really only leaves room for very custom jobs.
The PSP however is fixed. If you have an AMD processor, the PSP can be owned with a simple root exploit,

Re:

[account_deleted]

Comment removed based on user account deletion

Intel

[110010001000]

What about Intel's Meltdown flaw? Fixed yet?

Re:

[account_deleted]

Comment removed based on user account deletion

Sure

[ArchieBunker]

You just have to buy a new CPU, motherboard, and RAM.

Re:

[DamnOregonian]

That is the most transparent whataboutism I have ever seen.... I suppose at least you're honest.
Can you help me understand why the blatent defensive shilling for AMD? It's cancerous here.

Re:

[Highdude702]

It's almost like trump owns AMD as much hate as they get online..

Re:

[DamnOregonian]

The rabid AMD defenders who amazingly shit all over Intel when they had the same fucking problem in their IME, but try to act like this isn't an issue definitely remind of Trump Trolls.

AMD, please remove the PSP

[emil]

I do not want a Platform Security Processor, Management Engine, or any other hardware on my CPU that I cannot control.

These products serve absolutely no purpose for the general consumer - they are only useful in enterprise (corporate) environments for centralized control.

I would like the option to destroy the PSP on any CPU that I own.

If you refuse to manufacture CPUs lacking this component, then give customers the ability to request an unlock code that forever physically disables a component that is both dangerous and (to them) irrelevant. The request could work similarly to cell phone programs that unlock bootloaders.

AMD, make no mistake - home users emphatically do not want the PSP.

Re:AMD, please remove the PSP

[DamnOregonian]

This is what I wish people would take away from this :(
Instead, they're too busy trying to ravenously defend AMD's misstep.
We have got to get these closed ring -1 black box processors out of our fucking equipment. It's horse shit.

Re:

[DamnOregonian]

I have multiple published CVEs in the NVD. One is a root escalation in Android/Linux.
I'm not mischaracterizing this. People are trying to downplay it, because they've either got an agenda, or they're simply ignorant fanchildren.

Linus isn't ignorant... I'd say he's more in-line with a delusional fanchild.
The premise for his argument as to whether this is a big deal or not hinges on the vileness of the lab that found the problems (which who can argue with? those guys are slime) and the fact that an admini

Re:

[Bert64]

Or provide a PSP that users can control and load their own software onto, or disable if they wish.

Home users may not want it, but large vendors absolutely do want it to enforce drm and other user-hostile "features".

Re:

[sl3xd]

I do not want a Platform Security Processor, Management Engine, or any other hardware on my CPU that I cannot control.

These products serve absolutely no purpose for the general consumer - they are only useful in enterprise (corporate) environments for centralized control.

Mass production means we get features we don't need. CPU's and motherboards are designed to suit all buyers. It's cheaper to include the feature everywhere than it is to support an additional model.

Even in the 1990's, manufacturers were including features the customer didn't want (like integrated sound and video hardware), because it was cheaper to standar