AMD Security Issues

TR’s follow-up:

https://techreport.com/news/33374/report-cts-labs-has-proof-of-concept-code-for-amd-vulnerabilities

Good summary, we still basically know nothing.

Fav comment:

Great, let’s turn this **** loose into the wild. I give it another 15-20 minutes before the first leak of this garbage winds up on a tor site.

And not only that the company was created at about the same time Google told Intel their shit was fucked.

I can’t say that it is what it says but I can confirm that this is a setting in my laptop.

The plot thickens!

1 Like

Might have to pick one up to dig deeper.

If you have a linux way for me to verify if it is on or off, I could try that. PM me if you come up with something.

Definitely. I’m not quite there yet. I’ve got a 1700, so I’ve been doing a little bit of digging, but I can’t risk anything intrusive as this is my work machine. :stuck_out_tongue:

Had a thought: What model is the laptop, if there is firmware out there for it, I might be able to glean some info from it.

It is the Lenovo 720s-13ARR, running the Ryzen5 2500u.
If you mean BIOS download, there is the one that is already installed. And it looks like Lenovo is one of those bunch of cunts that gives out UEFI updates only in windows .exe files.

… … … cunts.

https://pcsupport.lenovo.com/us/en/products/LAPTOPS-AND-NETBOOKS/700-SERIES/720S-13ARR/downloads/DS502075

1 Like

That’s okay. I can disassemble the exe. Not too difficult.

Thanks for the link.

There is no proof in the POC part though.

I see what you did there :smile: the Proof is not actually proof, because the Cake is in fact; a lie

2 Likes

How though? They don’t have a really good CPU out right now. Delidding is necessary for their 8000-series if you want to overclock at all and on the server parts, TR4 is simply the stronger platform (cheaper, more energy efficient, scalable, very many pcie lanes, etc.).

Intel could offer to buy AMD but AMD is flying high right now. With their Zen+ refresh coming out in a month, they will most likely gain some marketshare (or at least make lots of turnover) and if they actually put out a 7nm Zen2 in 2019, Intel will have a really hard time in the CPU market. I doubt they can have a competitive product out by 2019 as they need a new uarch to do so and that takes an incredible amount of time.

Gee what could go wrong if all Desktop and Server processors came from one manufacturer?

1 Like

CTS Labs Digs Itself a Deeper Hole

dumpster-fire

It turns out the same Chipsets are to be found on tons of Intel boards.

The Letter

6 Likes

If the facts are true this essentially just got a whole lot worse for anyone with ASMedia USB 3 controllers.

3 Likes

I’m calling it, none of this is true and that company is full of shit.

1 Like

Thats hilarious how they demand immediate fixes… lets go way back to Intel’s “immediate” Meltdown code fixes. Thats right… it was a giant fuck up on top of the Mwltdown fuckup, ad thats with months of allowed working time. If a behemoth like Intel cant do immediate fixes properly how can AMD?

Sounds like it is an ASMedia problem, not an AMD problem.

1 Like

So, this is entirely my opinion and I haven’t read up on it or anything. But I think Intel’s monopoly came from the “CPU in consumer electronics” viewpoint, which they don’t hold anymore, because of ARM. The last time when this was an issue, smartphones and tablets weren’t that big.

True. But Intel might be unsure if they’d be considered a monopoly, which would probably lead to a lawsuit. Letting AMD persist might just be cheaper :smiley:

3 Likes

Blog post from the guys who has said they’ve seen proof of concept code:

Our review of the vulnerabilities was based on documentation and proof-of-concept code provided by CTS. We confirmed that the proof-of-concept code worked as described on the hardware we tested, but we will defer to AMD for a final determination of their full impact, patches, and remediation recommendations.

Most of the discussion after the public announcement of the vulnerabilities has been focused on the way they were disclosed rather than their technical impact. In this post, we have tried to extract the relevant technical details from the CTS whitepaper so they can be of use to the security community without the distraction of the surrounding disclosure issues.

This is what I’ve been waiting for, yay :smile:

Edit: Soo confirmation that all vulnerabilities require root access, and that MASTERKY in addition requires a BIOS update and reboot.

While those flaws are concerning I agree with their conclusion at the end (emphasis mine):

There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers.

Also that these are run-of-the-mill vulnerabilities. Not like Meltdown and Spectre that was something completely unexpected and new.