13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

[bug]

If a BIOS is re-written, I do believe it resets back to default basic settings. It seems I will keep an eye on this if my computer somehow defaults back for no reason. Please correct me if I am wrong here.

It does. I believe the target here is the uninformed user who both runs everything at default settings and couldn't tell their systems were reset to defaults if their life depended on it.

 

[jabbadap]

It does. I believe the target here is the uninformed user who both runs everything at default settings and couldn't tell their systems were reset to defaults if their life depended on it.

Afaik it does not have to revert to default settings. Maker of malicious code might wanted to modify bios settings to i.e. grant remote access.

 

[Veradun]

EDIT: Ok, reading some of the comments, it seems that the veracity of this report may be in some doubt. Let's hope it's fake, but I'm not holding my breath.

It's very likely not fake. The point is it is super-obvious that once you give root access to anyone you are fucked <insert Nicolas Cage meme here>

How do you plan on removing the virus in your BIOS that you don't know about, that your antivirus can not find, that has enabled BIOS write protection since it became active?
Buy a new computer, sell old computer on eBay

So you think people in the industry randomly reinstall operating systems for the sake of it without knowing there is a virus/whatever? The point is you are already fucked when they get root access, no matter what else comes later. If you instead know there is a problem, well, you solve it, no matter what the vulnerability is (i.e. reflash with legit BIOS).

If someone in the manufacturing industry wants to craft a keylogging bios they can do that with or without a "flaw" that enables root users to flash bioses.

The whole thing is laughable and I just registered to this forum to laugh together

 

[W1zzard]

So you think people in the industry randomly reinstall operating systems for the sake of it without knowing there is a virus/whatever?

That's exactly what happens at server hosting companies?

 

[Veradun]

That's exactly what happens at server hosting companies?

So this method lets you get to bios flashing from a windows host on an hypervisor?

 

[W1zzard]

So this method lets you get to bios flashing from a windows host on an hypervisor?

Lots of people are renting full servers, not just virtual machines. Yes I can flash the BIOS of our webservers

 

[qubit]

It's very likely not fake. The point is it is super-obvious that once you give root access to anyone you are fucked <insert Nicolas Cage meme here>

After reading more about it, it's clear that this is clearly a smear campaign against AMD. Of course there's some truth to it, but it's obviously been designed to try and damage AMD. So underhand and in my opinion, I believe Intel is behind it, since AMD are giving them a good kicking now in sales and market share.

 

[laszlo]

Yes I can flash the BIOS of our webservers

this is the main problem ; admin can do whatever they want without a superadmin to check; of course if superadmin is human we're back at the beginning..

 

[Veradun]

Lots of people are renting full servers, not just virtual machines. Yes I can flash the BIOS of our webservers

We are at the beginning:

- you don't want to exploit your own windows server
- if you gift someone with root access you can't blame Intel/AMD/whatever since the flaw is in your policies

Besides people renting full servers usually don't randomly reinstall OSes. They do if they have a BIG problem, and only after investigation on what the problem has been (i.e. a breach that gave someone root access) and what as been done since then.

 

[Caelestis]

 

[delshay]

Afaik it does not have to revert to default settings. Maker of malicious code might wanted to modify bios settings to i.e. grant remote access.

Then how about I set my own overclocking BIOS, then lock the BIOS chip. Any changes I want to do, I will have to insert a new BIOS chip. I can live with this.

Now nobody can write to it.

 

[EarthDog]

since AMD are giving them a good kicking now in sales and market share.

No. Not close actually...articles just came out saying so...

http://www.tomshardware.com/news/amd-cpu-gpu-market-share,36592.html

 

[bug]

I'm know I'm talking to myself here, but would it be possible we wait until somebody looks into these further, before we decide how much of an impact they have under various circumstances?

I mean, ok, it's rather suspicious how these were discovered and announced, but the crux of the matter is if they're real and if yes, who and how should guard against these. Everything else is just noise.

 

[EarthDog]

I'm know I'm talking to myself here, but would it be possible we wait until somebody looks into these further, before we decide how much of an impact they have under various circumstances?

I mean, ok, it's rather suspicious how these were discovered and announced, but the crux of the matter is if they're real and if yes, who and how should guard against these. Everything else is just noise.

And there is a shit ton of noise here... so many experts, so little knowledge.

 

[qubit]

No. Not close actually...articles just came out saying so...

http://www.tomshardware.com/news/amd-cpu-gpu-market-share,36592.html

It's getting on for it, especially with Ryzen 2, that's my point. Clearly Intel feels under threat from this and therefore may have orchestrated this smear campaign against AMD.

 

[Jism]

It's getting on for it, especially with Ryzen 2, that's my point. Clearly Intel feels under threat from this and therefore may have orchestrated this smear campaign against AMD.

I call this bullshit. Intels owns 90% of the market, if not 85%, worldwide. They dont need to.

There are very much start-ups all over the world looking for PR / Branding. Attacking AMD on CPU Security flaws is one of them.

Country israel poops out geniuses once in a while, remember the company who was able to hack a iphone where FBI failed?

 

[EarthDog]

It's getting on for it, especially with Ryzen 2, that's my point. Clearly Intel feels under threat from this and therefore may have orchestrated this smear campaign against AMD.

If that is what you meant, consider actually writing that next time instead.

I really doubt Intel has anything to do with this... they wouldn't orchestrate such a debacle of a smear campaign is my reasoning. It stinks soooooooo bad there is no way they can be behind this. I could be wrong, but, I simply don't imagine Intel to be this sloppy trying to smear AMD... no way. Now, I believe Intel would smear AMD, I am not saying otherwise, but the way this happened doesn't scream multi-billion dollar corporation smear campaign with how it all transpired.

I fully believe these problems exist. I fully believe the severity of these are blown out of proportion and the notification process by CTS was abhorrent. Anything else is just lemming adding fuel to the fire, one post and jump off the cliff at a time.

 

[bug]

It's getting on for it, especially with Ryzen 2, that's my point. Clearly Intel feels under threat from this and therefore may have orchestrated this smear campaign against AMD.

So at some point you've decided the flaws aren't real and it's all a smearing campaign. Neat.

 

[EarthDog]

No.. he believes some of it.

Of course there's some truth to it, but it's obviously been designed to try and damage AMD.

 

[qubit]

So at some point you've decided the flaws aren't real and it's all a smearing campaign. Neat.

No, I didn't say that. Have you actually read the articles and seen the videos surrounding this or do you just like spouting off?
@EarthDog you really should know better than to join in.
@Jism No, you're talking bullshit. AMD is doing remarkably better and has become a competitive threat to them, so even with a market share ratio of 85-90% they are still gonna feel threatened.

 

[bug]

It's getting on for it, especially with Ryzen 2, that's my point. Clearly Intel feels under threat from this and therefore may have orchestrated this smear campaign against AMD.

So at some point you've decided the flaws aren't real and it's all a smearing campaign. Neat.

No, I didn't say that. Have you actually read the articles and seen the videos surrounding this or do you just like spouting off?

 

[Jism]

No, I didn't say that. Have you actually read the articles and seen the videos surrounding this or do you just like spouting off?
@EarthDog you really should know better than to join in.
@Jism No, you're talking bullshit. AMD is doing remarkably better and has become a competitive threat to them, so even with a market share ratio of 85-90% they are still gonna feel threatened.

Oh so it's automaticly intel by your standards and without any confirmation?

 

[EarthDog]

Know better than to join in............WTH are you talking about @qubit ? I just asked that you type what you mean man. If you are talking about bug, I supported you and quoted you believed "some of it" was true. Get your head on straight man!

I simply disagree that intel had a part in this due to the terrible terrible execution of these findings. I could be wrong though!!! But so far, after all the digging, its just forum lemmings jumping on this bandwagon for the most part... that and sensationalist headlines. You don't see any publication worth a salt actually believing intel had anything to do with this..

 

[Xuper]

one of guy explained this :

Let me address the bios flashing...you just can't do it.


I know for a fact flashing any type of modded bios on the Ryzen motherboards is not an easy feat and requires a UEFI boot disk with powershell and a ton of switches plus 2 different flashing programs one written for just this purpose over at overclock net. Also the USB stick has to be created a certain way via UEFI boot for any of this to work.


Afuefix64 name_bios.cap /P /B /N /K /X /CLRCFG


(this action we clean all parameters from old bios and update the bios itself and is require otherwise it will fail to program everything correctly)


Then you have to flash Afugan name_bios_mod.rom /GAN


With all this said, you cannot modify the .cap bios and flash it by any means. And no the old flashback methods just do not work either where we could do that on 990FX motherboards. We just do not have all the crypto keys you must have and bios signing abilities.


I have cross flashed my C6H Wifi to the update C6H 6001 official bios and then the modded to show hidden bios options. There is no other way to accomplish this bios flash without doing these steps. So there.


Also the PSP chip cannot be updated other then bios flashing..unlike the MEI on Intel.


Full disclosure I have both a Ryzen 1700X system and Intel Skylake 6600k system as well as my older 990FX system.

One Asked :

On motherboards where re-flashing is not possible because it has been blocked, or because BIOS updates must be encapsulated and digitally signed by an OEM-specific digital signature, we suspect an attacker could occasionally still succeed in re-flashing the BIOS. This could be done by first exploiting RYZENFALL or FALLOUT and breaking into System Management Mode (SMM). SMM privileges could then be used to write to system flash, assuming the latter has not been permanently write-locked.

According to them, the re-flashing is typically done after compromising the SMM. However, I doubt a compromised (or "compromised") SMM will affect the integrity check of .CAP files anyway.


As for the BIOS modding, I thought you could just use the BIOS flashback button (since you are on C6H) to deliver the mod in? That's how I got the modded BIOS with Spectre V2 mitigated microcodes into my X79 motherboard. The modified BIOS was in .CAP format as well.

then he replied :

Can't do it on the Ryzen family without all those steps I outlined. Yeah flashback would work on earlier AMD and Intel motherboards and bypass the security checks but not on Ryzen.

So in order to accomplished this you need to be physically at the system to flash it.

As far as the possible PSP exploits you would need all the crypto keys from AMD and they are not released to anyone not OEM not anyone.

Then you would need to rewrite the bios, then have the bios crypto key and lastly AMD signing abilities. This is a lot to accomplish.

You would have to mod the bios to inject any of this. Once you mod the bios you will not be able to flash ryzen via windows flash, bio flash tool or even in dos.

You would need the .cap and do the first line with a UEFI USB boot stick and then second step with the .rom file in order to get any modded bios onto a Ryzen series motherboard. I am not even sure we could actually injust new code into the bios...the only bios mods on ryzen has been just flipping existing switches from hidden to show. All the important ones are in the CBS which that in and of itself takes many steps. And I am pretty sure we cannot change anything in the PSP chip only AMD has that ability so that nullifies the other exploits.

The way you describe and more as I said is possible on AMD 990FX and Intel platforms but not any Ryzen Series. AMD locked this down already. So yes for this new AMD exploit you will have to be physically at the computer and have the know how.

another Asked :

They bring this up in the "paper" though:

On motherboards where re-flashing is not possible because it has been blocked, or because BIOS updates must be encapsulated and digitally signed by an OEM-specific digital signature, we suspect an attacker could occasionally still succeed in re-flashing the BIOS. This could be done by first exploiting RYZENFALL or FALLOUT and breaking into System Management Mode (SMM). SMM privileges could then be used to write to system flash, assuming the latter has not been permanently write-locked.​

I wonder if these are real vulnerabilities with the least professional disclosure ever, or if this is just pure fake news.

For ryzen...once you modify the bios .cap you cannot flash it without going though the steps I outlined. For previous (990FX and Intel) you can do it through other methods.

The switches and steps are mandatory on the Ryzen family platform. There is no other way at this time...you have to start with a .cap file flash and then flash with .rom using all the switches. The .rom will be the modified and there are still some security checks that goes on hence why you have to do the first flash with the .cap with all the switches to make it work.

Now someday, someone might figure a different way...oh and don't forget we are using a special flasher designed by a member over at overclock.net to get the first flash we need.

So they would need physical access to your system to even flash the bios with the "modified bios with malicious code injected"

Personally I think, if someone has this intent and already has physical access to my systems, them I really have much bigger things to worry about.

Source : https://www.reddit.com/r/Amd/comments/845w8e/_/dvmzymy

If you want do flashing modded bios on Ryzen , atm It's impossible to do it inside Windows

 

[CrAsHnBuRnXp]

Made me think of the POS WinChip |, not sure if thats what you were getting at.

Was actually making a Game of Thrones reference on Winterfell.