• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

bug

Joined
May 22, 2015
Messages
9,518 (3.99/day)
Processor Intel i5-6600k (AMD Ryzen5 3600 in a box, waiting for a mobo)
Motherboard ASRock Z170 Extreme7+
Cooling Arctic Cooling Freezer i11
Memory 2x16GB DDR4 3600 G.Skill Ripjaws V (@3200)
Video Card(s) EVGA GTX 1060 SC
Storage 500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 3TB Seagate
Display(s) HP ZR24w
Case Raijintek Thetis
Audio Device(s) Audioquest Dragonfly Red :D
Power Supply Seasonic 620W M12
Mouse Logitech G502 Proteus Core
Keyboard G.Skill KM780R
Software Arch Linux + Win10
If a BIOS is re-written, I do believe it resets back to default basic settings. It seems I will keep an eye on this if my computer somehow defaults back for no reason. Please correct me if I am wrong here.
It does. I believe the target here is the uninformed user who both runs everything at default settings and couldn't tell their systems were reset to defaults if their life depended on it.
 
Joined
Mar 10, 2014
Messages
1,786 (0.63/day)
It does. I believe the target here is the uninformed user who both runs everything at default settings and couldn't tell their systems were reset to defaults if their life depended on it.

Afaik it does not have to revert to default settings. Maker of malicious code might wanted to modify bios settings to i.e. grant remote access.
 

Veradun

New Member
Joined
Mar 13, 2018
Messages
19 (0.01/day)
EDIT: Ok, reading some of the comments, it seems that the veracity of this report may be in some doubt. Let's hope it's fake, but I'm not holding my breath.

It's very likely not fake. The point is it is super-obvious that once you give root access to anyone you are fucked <insert Nicolas Cage meme here>

How do you plan on removing the virus in your BIOS that you don't know about, that your antivirus can not find, that has enabled BIOS write protection since it became active?
Buy a new computer, sell old computer on eBay

So you think people in the industry randomly reinstall operating systems for the sake of it without knowing there is a virus/whatever? The point is you are already fucked when they get root access, no matter what else comes later. If you instead know there is a problem, well, you solve it, no matter what the vulnerability is (i.e. reflash with legit BIOS).

If someone in the manufacturing industry wants to craft a keylogging bios they can do that with or without a "flaw" that enables root users to flash bioses.

The whole thing is laughable and I just registered to this forum to laugh together :D
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
23,254 (3.63/day)
Processor Core i7-8700K
Memory 32 GB
Video Card(s) RTX 3080
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
So you think people in the industry randomly reinstall operating systems for the sake of it without knowing there is a virus/whatever?
That's exactly what happens at server hosting companies?
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
23,254 (3.63/day)
Processor Core i7-8700K
Memory 32 GB
Video Card(s) RTX 3080
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
So this method lets you get to bios flashing from a windows host on an hypervisor?
Lots of people are renting full servers, not just virtual machines. Yes I can flash the BIOS of our webservers
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
16,872 (3.30/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K @ 4GHz
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s) MSI RTX 2080 SUPER Gaming X Trio
Storage Samsung 850 Pro 256GB | WD Black 4TB | WD Blue 6TB
Display(s) BenQ XL2720Z (144Hz, 3D Vision 2, 1080p) | Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair HX 850W v1
Mouse Microsoft Intellimouse Pro - Black Shadow
Keyboard Yes
Software Windows 10 Pro 64-bit
It's very likely not fake. The point is it is super-obvious that once you give root access to anyone you are fucked <insert Nicolas Cage meme here>
After reading more about it, it's clear that this is clearly a smear campaign against AMD. Of course there's some truth to it, but it's obviously been designed to try and damage AMD. So underhand and in my opinion, I believe Intel is behind it, since AMD are giving them a good kicking now in sales and market share.
 
Joined
Jan 11, 2005
Messages
1,470 (0.24/day)
Location
66 feet from the ground
System Name 2nd AMD puppy
Processor FX-8350 vishera
Motherboard Gigabyte GA-970A-UD3
Cooling Cooler Master Hyper TX2
Memory 16 Gb DDR3:8GB Kingston HyperX Beast + 8Gb G.Skill Sniper(by courtesy of tabascosauz &TPU)
Video Card(s) Sapphire RX 580 Nitro+;1450/2000 Mhz
Storage SSD :840 pro 128 Gb;Iridium pro 240Gb ; HDD 2xWD-1Tb
Display(s) Benq XL2730Z 144 Hz freesync
Case NZXT 820 PHANTOM
Audio Device(s) Audigy SE with Logitech Z-5500
Power Supply Riotoro Enigma G2 850W
Mouse Razer copperhead / Gamdias zeus (by courtesy of sneekypeet & TPU)
Keyboard MS Sidewinder x4
Software win10 64bit ltsc
Benchmark Scores irrelevant for me
Yes I can flash the BIOS of our webservers

this is the main problem ; admin can do whatever they want without a superadmin to check; of course if superadmin is human we're back at the beginning..
 

Veradun

New Member
Joined
Mar 13, 2018
Messages
19 (0.01/day)
Lots of people are renting full servers, not just virtual machines. Yes I can flash the BIOS of our webservers

We are at the beginning:

- you don't want to exploit your own windows server
- if you gift someone with root access you can't blame Intel/AMD/whatever since the flaw is in your policies

Besides people renting full servers usually don't randomly reinstall OSes. They do if they have a BIG problem, and only after investigation on what the problem has been (i.e. a breach that gave someone root access) and what as been done since then.
 
Joined
Jun 8, 2017
Messages
101 (0.06/day)
Location
Germany
Processor AMD Ryzen 5 1600
Motherboard ASRock AB350 Pro4
Cooling Cryorig H7 via Noctua NF-F12
Memory Crucial Ballistix Sport LT white 2x8GB, DDR4-2400
Video Card(s) Gigabyte R9 390 G1 Gaming via Arctic Accelero Xtreme III
Storage Samsung 840 250GB (OS), Crucial MX300 750GB
Display(s) Samsung 40" LED 1080p TV
Case Fractal Design Define S - Front: 3x Noctua NF-P14s redux-1500, Back: Noctua NF-P14s redux-1500
Audio Device(s) onboard
Power Supply Corsair Vengeance 650M
Software Windows 10 Home
 
Joined
May 12, 2017
Messages
1,569 (0.94/day)
Afaik it does not have to revert to default settings. Maker of malicious code might wanted to modify bios settings to i.e. grant remote access.

Then how about I set my own overclocking BIOS, then lock the BIOS chip. Any changes I want to do, I will have to insert a new BIOS chip. I can live with this.

Now nobody can write to it.
 

bug

Joined
May 22, 2015
Messages
9,518 (3.99/day)
Processor Intel i5-6600k (AMD Ryzen5 3600 in a box, waiting for a mobo)
Motherboard ASRock Z170 Extreme7+
Cooling Arctic Cooling Freezer i11
Memory 2x16GB DDR4 3600 G.Skill Ripjaws V (@3200)
Video Card(s) EVGA GTX 1060 SC
Storage 500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 3TB Seagate
Display(s) HP ZR24w
Case Raijintek Thetis
Audio Device(s) Audioquest Dragonfly Red :D
Power Supply Seasonic 620W M12
Mouse Logitech G502 Proteus Core
Keyboard G.Skill KM780R
Software Arch Linux + Win10
I'm know I'm talking to myself here, but would it be possible we wait until somebody looks into these further, before we decide how much of an impact they have under various circumstances?

I mean, ok, it's rather suspicious how these were discovered and announced, but the crux of the matter is if they're real and if yes, who and how should guard against these. Everything else is just noise.
 
Joined
Dec 31, 2009
Messages
19,323 (4.44/day)
Benchmark Scores Faster than yours... I'd bet on it. :)
I'm know I'm talking to myself here, but would it be possible we wait until somebody looks into these further, before we decide how much of an impact they have under various circumstances?

I mean, ok, it's rather suspicious how these were discovered and announced, but the crux of the matter is if they're real and if yes, who and how should guard against these. Everything else is just noise.
And there is a shit ton of noise here... so many experts, so little knowledge. :)
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
16,872 (3.30/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K @ 4GHz
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s) MSI RTX 2080 SUPER Gaming X Trio
Storage Samsung 850 Pro 256GB | WD Black 4TB | WD Blue 6TB
Display(s) BenQ XL2720Z (144Hz, 3D Vision 2, 1080p) | Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair HX 850W v1
Mouse Microsoft Intellimouse Pro - Black Shadow
Keyboard Yes
Software Windows 10 Pro 64-bit
Joined
Dec 30, 2010
Messages
1,351 (0.34/day)
It's getting on for it, especially with Ryzen 2, that's my point. Clearly Intel feels under threat from this and therefore may have orchestrated this smear campaign against AMD.

I call this bullshit. Intels owns 90% of the market, if not 85%, worldwide. They dont need to.

There are very much start-ups all over the world looking for PR / Branding. Attacking AMD on CPU Security flaws is one of them.

Country israel poops out geniuses once in a while, remember the company who was able to hack a iphone where FBI failed?
 
Joined
Dec 31, 2009
Messages
19,323 (4.44/day)
Benchmark Scores Faster than yours... I'd bet on it. :)
It's getting on for it, especially with Ryzen 2, that's my point. Clearly Intel feels under threat from this and therefore may have orchestrated this smear campaign against AMD.
If that is what you meant, consider actually writing that next time instead. ;)

I really doubt Intel has anything to do with this... they wouldn't orchestrate such a debacle of a smear campaign is my reasoning. It stinks soooooooo bad there is no way they can be behind this. I could be wrong, but, I simply don't imagine Intel to be this sloppy trying to smear AMD... no way. Now, I believe Intel would smear AMD, I am not saying otherwise, but the way this happened doesn't scream multi-billion dollar corporation smear campaign with how it all transpired.

I fully believe these problems exist. I fully believe the severity of these are blown out of proportion and the notification process by CTS was abhorrent. Anything else is just lemming adding fuel to the fire, one post and jump off the cliff at a time.
 
Last edited:

bug

Joined
May 22, 2015
Messages
9,518 (3.99/day)
Processor Intel i5-6600k (AMD Ryzen5 3600 in a box, waiting for a mobo)
Motherboard ASRock Z170 Extreme7+
Cooling Arctic Cooling Freezer i11
Memory 2x16GB DDR4 3600 G.Skill Ripjaws V (@3200)
Video Card(s) EVGA GTX 1060 SC
Storage 500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 3TB Seagate
Display(s) HP ZR24w
Case Raijintek Thetis
Audio Device(s) Audioquest Dragonfly Red :D
Power Supply Seasonic 620W M12
Mouse Logitech G502 Proteus Core
Keyboard G.Skill KM780R
Software Arch Linux + Win10
It's getting on for it, especially with Ryzen 2, that's my point. Clearly Intel feels under threat from this and therefore may have orchestrated this smear campaign against AMD.
So at some point you've decided the flaws aren't real and it's all a smearing campaign. Neat.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
16,872 (3.30/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K @ 4GHz
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s) MSI RTX 2080 SUPER Gaming X Trio
Storage Samsung 850 Pro 256GB | WD Black 4TB | WD Blue 6TB
Display(s) BenQ XL2720Z (144Hz, 3D Vision 2, 1080p) | Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair HX 850W v1
Mouse Microsoft Intellimouse Pro - Black Shadow
Keyboard Yes
Software Windows 10 Pro 64-bit
So at some point you've decided the flaws aren't real and it's all a smearing campaign. Neat.
No, I didn't say that. Have you actually read the articles and seen the videos surrounding this or do you just like spouting off?
@EarthDog you really should know better than to join in.
@Jism No, you're talking bullshit. AMD is doing remarkably better and has become a competitive threat to them, so even with a market share ratio of 85-90% they are still gonna feel threatened.
 

bug

Joined
May 22, 2015
Messages
9,518 (3.99/day)
Processor Intel i5-6600k (AMD Ryzen5 3600 in a box, waiting for a mobo)
Motherboard ASRock Z170 Extreme7+
Cooling Arctic Cooling Freezer i11
Memory 2x16GB DDR4 3600 G.Skill Ripjaws V (@3200)
Video Card(s) EVGA GTX 1060 SC
Storage 500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 3TB Seagate
Display(s) HP ZR24w
Case Raijintek Thetis
Audio Device(s) Audioquest Dragonfly Red :D
Power Supply Seasonic 620W M12
Mouse Logitech G502 Proteus Core
Keyboard G.Skill KM780R
Software Arch Linux + Win10
It's getting on for it, especially with Ryzen 2, that's my point. Clearly Intel feels under threat from this and therefore may have orchestrated this smear campaign against AMD.
So at some point you've decided the flaws aren't real and it's all a smearing campaign. Neat.
No, I didn't say that. Have you actually read the articles and seen the videos surrounding this or do you just like spouting off?
 
Joined
Dec 30, 2010
Messages
1,351 (0.34/day)
No, I didn't say that. Have you actually read the articles and seen the videos surrounding this or do you just like spouting off?
@EarthDog you really should know better than to join in.
@Jism No, you're talking bullshit. AMD is doing remarkably better and has become a competitive threat to them, so even with a market share ratio of 85-90% they are still gonna feel threatened.

Oh so it's automaticly intel by your standards and without any confirmation?
 
Joined
Dec 31, 2009
Messages
19,323 (4.44/day)
Benchmark Scores Faster than yours... I'd bet on it. :)
Know better than to join in............WTH are you talking about @qubit ? I just asked that you type what you mean man. If you are talking about bug, I supported you and quoted you believed "some of it" was true. Get your head on straight man!

I simply disagree that intel had a part in this due to the terrible terrible execution of these findings. I could be wrong though!!! But so far, after all the digging, its just forum lemmings jumping on this bandwagon for the most part... that and sensationalist headlines. You don't see any publication worth a salt actually believing intel had anything to do with this..
 
  • Like
Reactions: bug
Joined
Apr 21, 2010
Messages
445 (0.10/day)
System Name Home PC
Processor Ryzen 1600X
Motherboard Asus Prime X370 Pro
Cooling Thermaltake Contac Silent 12
Memory Dual channel G skill F4-3200C16-8GVKB
Video Card(s) XFX RX480 GTR - XFX Double Dissipation R9 290
Storage Samsung SSD Evo 120 - Adata SU80 256 - Adata SX6000 Lite 512 GB
Display(s) AoC 931wx (19in, 1680x1050)
Case Green Magnum Evo
Power Supply Green 650UK Plus
Mouse Trash A4tech OP-620D
Keyboard Old 12 years FOCUS FK-8100
one of guy explained this :

mtrai said:
Let me address the bios flashing...you just can't do it.


I know for a fact flashing any type of modded bios on the Ryzen motherboards is not an easy feat and requires a UEFI boot disk with powershell and a ton of switches plus 2 different flashing programs one written for just this purpose over at overclock net. Also the USB stick has to be created a certain way via UEFI boot for any of this to work.


Afuefix64 name_bios.cap /P /B /N /K /X /CLRCFG


(this action we clean all parameters from old bios and update the bios itself and is require otherwise it will fail to program everything correctly)


Then you have to flash Afugan name_bios_mod.rom /GAN


With all this said, you cannot modify the .cap bios and flash it by any means. And no the old flashback methods just do not work either where we could do that on 990FX motherboards. We just do not have all the crypto keys you must have and bios signing abilities.


I have cross flashed my C6H Wifi to the update C6H 6001 official bios and then the modded to show hidden bios options. There is no other way to accomplish this bios flash without doing these steps. So there. :cool:


Also the PSP chip cannot be updated other then bios flashing..unlike the MEI on Intel.


Full disclosure I have both a Ryzen 1700X system and Intel Skylake 6600k system as well as my older 990FX system.

One Asked :

weareanomalous said:
On motherboards where re-flashing is not possible because it has been blocked, or because BIOS updates must be encapsulated and digitally signed by an OEM-specific digital signature, we suspect an attacker could occasionally still succeed in re-flashing the BIOS. This could be done by first exploiting RYZENFALL or FALLOUT and breaking into System Management Mode (SMM). SMM privileges could then be used to write to system flash, assuming the latter has not been permanently write-locked.

According to them, the re-flashing is typically done after compromising the SMM. However, I doubt a compromised (or "compromised") SMM will affect the integrity check of .CAP files anyway.


As for the BIOS modding, I thought you could just use the BIOS flashback button (since you are on C6H) to deliver the mod in? That's how I got the modded BIOS with Spectre V2 mitigated microcodes into my X79 motherboard. The modified BIOS was in .CAP format as well.

then he replied :

mtrai said:
Can't do it on the Ryzen family without all those steps I outlined. Yeah flashback would work on earlier AMD and Intel motherboards and bypass the security checks but not on Ryzen.

So in order to accomplished this you need to be physically at the system to flash it.

As far as the possible PSP exploits you would need all the crypto keys from AMD and they are not released to anyone not OEM not anyone.

Then you would need to rewrite the bios, then have the bios crypto key and lastly AMD signing abilities. This is a lot to accomplish.

You would have to mod the bios to inject any of this. Once you mod the bios you will not be able to flash ryzen via windows flash, bio flash tool or even in dos.

You would need the .cap and do the first line with a UEFI USB boot stick and then second step with the .rom file in order to get any modded bios onto a Ryzen series motherboard. I am not even sure we could actually injust new code into the bios...the only bios mods on ryzen has been just flipping existing switches from hidden to show. All the important ones are in the CBS which that in and of itself takes many steps. And I am pretty sure we cannot change anything in the PSP chip only AMD has that ability so that nullifies the other exploits.

The way you describe and more as I said is possible on AMD 990FX and Intel platforms but not any Ryzen Series. AMD locked this down already. So yes for this new AMD exploit you will have to be physically at the computer and have the know how.

another Asked :

exscape said:
They bring this up in the "paper" though:
On motherboards where re-flashing is not possible because it has been blocked, or because BIOS updates must be encapsulated and digitally signed by an OEM-specific digital signature, we suspect an attacker could occasionally still succeed in re-flashing the BIOS. This could be done by first exploiting RYZENFALL or FALLOUT and breaking into System Management Mode (SMM). SMM privileges could then be used to write to system flash, assuming the latter has not been permanently write-locked.​
I wonder if these are real vulnerabilities with the least professional disclosure ever, or if this is just pure fake news.

mtrai said:
For ryzen...once you modify the bios .cap you cannot flash it without going though the steps I outlined. For previous (990FX and Intel) you can do it through other methods.

The switches and steps are mandatory on the Ryzen family platform. There is no other way at this time...you have to start with a .cap file flash and then flash with .rom using all the switches. The .rom will be the modified and there are still some security checks that goes on hence why you have to do the first flash with the .cap with all the switches to make it work.

Now someday, someone might figure a different way...oh and don't forget we are using a special flasher designed by a member over at overclock.net to get the first flash we need.

So they would need physical access to your system to even flash the bios with the "modified bios with malicious code injected"

Personally I think, if someone has this intent and already has physical access to my systems, them I really have much bigger things to worry about.


Source : https://www.reddit.com/r/Amd/comments/845w8e/_/dvmzymy

If you want do flashing modded bios on Ryzen , atm It's impossible to do it inside Windows
 
Joined
Oct 19, 2007
Messages
7,706 (1.50/day)
Processor Intel i9 9900K @5GHz w/ Corsair H150i Pro CPU AiO w/Corsair HD120 RBG fan
Motherboard Asus Z390 Maximus XI Code
Cooling 6x120mm Corsair HD120 RBG fans
Memory Corsair Vengeance RBG 2x8GB 3600MHz
Video Card(s) Asus RTX 2080 STRIX OC
Storage Samsung 970 EVO Plus 500GB , 970 EVO 1TB, Samsung 850 EVO 1TB SSD, 10TB Synology DS1621+ RAID5
Display(s) Acer Predator 32" 2560x1440 OC'd to 170MHz
Case Corsair 570x RBG Tempered Glass
Audio Device(s) Onboard / Corsair Virtuoso Wireless RGB
Power Supply Corsair HX850w Platinum Series
Mouse Logitech G604s
Keyboard Corsair K70 Rapidfire
Software Windows 11 x64 Professional
Benchmark Scores Firestrike - 23520 Heaven - 3670
Made me think of the POS WinChip :eek:|, not sure if thats what you were getting at.
Was actually making a Game of Thrones reference on Winterfell. :)
 
Top