2018-01-07: After Intel ME, Researchers Find Security Bug In AMD's SPS Secret Chip-on-Chip (bleepingcomputer.com)
An anonymous reader writes: AMD has fixed, but not yet released BIOS/UEFI/firmware updates for the general public for a security flaw affecting the AMD Secure Processor. This component, formerly known as AMD PSP (Platform Security Processor), is a chip-on-chip security system, similar to Intel's much-hated Management Engine (ME). Just like Intel ME, the AMD Secure Processor is an integrated coprocessor that sits next to the real AMD64 x86 CPU cores and runs a separate operating system tasked with handling various security-related operations.
The security bug is a buffer overflow that allows code execution inside the AMD SPS TPM, the component that stores critical system data such as passwords, certificates, and encryption keys, in a secure environment and outside of the more easily accessible AMD cores. Intel fixed a similar flaw last year in the Intel ME.
Not the same? Not an actual backdoor? (Score:5, Informative)
Re: (Score:1)
It’s because AMD fangirls can’t handle bad news about the company. It’s like their whole identity is tied up in some corporation who couldn’t get two shits about them. It’s really sad...
That's not actually addressing the comment above. Does this require physical access? Does Meltdown/spectre? Did the Intel ME exploit require it? That is a huge difference if so.
Re: (Score:2, Informative)
This AMD PSP vuln requires prerequisite physical access.
Info: Intel CPU backdoors (Score:3)
Re: (Score:2)
Because buffer overflows are only usable with physical access? AMD fanboys are the best.
Re: (Score:2)
There wouldn't BE buffer overflows if companies would use my simple idea: only sell computers with infinite RAM and infinite memory address registers.
This one requires keyboard / BIOS access (Score:2)
Yes, installing an EK cert requires pre-boot access.
You don't know what a buffer overflow, TPM, or attestation certificate are, do you?
Re: (Score:2)
"The researcher claims that an attacker could use specially-crafted EK certificates to get remote code execution rights on the AMD Secure Processor, allowing him to compromise its security."
Is the TPM protected from writing? If not, I assume the certificate can be modified/replaced via software. I know that motherboards I've owned over the years typically don't write-protect the BIOS by default. Not sure if that includes TPM. Dell certainly makes TPM firmware updates easy via Windows software.
Either way
Need to connect wires to microscopic TPM traces (Score:2)
> Is the TPM protected from writing? If not, I assume the certificate can be modified/replaced via software.
No, you cannot write directly to TPM nvram from the OS. The spec says the endorsement key is supposed to be permanently burned in at the factory, but some manufacturers instead support CreateEndorsementKeyPair, which asks the TPM to create a key for itself, if it doesn't already have one. If it already has a key, as it should, CreateEndorsementKeyPair does nothing but return an error code.
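The quoted claim a few comments up (crafted EK certificates leading to code execution in the Secure Processor) and this reply about how the endorsement key gets onto the chip both come down to one point: certificate bytes are untrusted input, and a firmware parser must check every length it reads against the bytes it actually has. The following is an added illustration of that check, written for this thread; it is not AMD's code and does not reproduce the specific flaw. Tags, lengths and the sample certificate fragments are constructed for the example.

```python
"""Bounds-checked DER TLV parsing, as a firmware certificate parser should do it.

Added illustration for the discussion above (not AMD's code, not the actual bug):
a parser that trusts a length field taken from an untrusted certificate can read
or copy past the end of its buffer. The defence is to validate every declared
length against the bytes remaining before a single slice or copy is made.
"""


class MalformedDER(ValueError):
    """Raised when a TLV element is inconsistent with the buffer holding it."""


def read_tlv(buf: bytes, offset: int = 0):
    """Return (tag, value, next_offset) for the DER element at buf[offset:].

    Every length is checked against len(buf) before any slice is taken, so a
    crafted length field cannot make the caller reach past the buffer.
    """
    n = len(buf)
    if offset + 2 > n:
        raise MalformedDER("truncated header")
    tag = buf[offset]
    first = buf[offset + 1]
    pos = offset + 2
    if first < 0x80:                      # short form: the byte is the length
        length = first
    else:                                 # long form: low 7 bits = count of length bytes
        num_len_bytes = first & 0x7F
        if num_len_bytes == 0 or num_len_bytes > 4:
            raise MalformedDER("unsupported length encoding")
        if pos + num_len_bytes > n:
            raise MalformedDER("truncated length field")
        length = int.from_bytes(buf[pos:pos + num_len_bytes], "big")
        if length < 0x80:                 # DER requires the minimal encoding
            raise MalformedDER("non-minimal length")
        pos += num_len_bytes
    # The check a vulnerable parser omits: does the declared length actually fit?
    if length > n - pos:
        raise MalformedDER(f"declared length {length} exceeds {n - pos} remaining bytes")
    return tag, buf[pos:pos + length], pos + length


def parse_sequence(buf: bytes):
    """Parse a top-level SEQUENCE into a list of (tag, value) children."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30:
        raise MalformedDER("expected SEQUENCE")
    if end != len(buf):
        raise MalformedDER("trailing bytes after SEQUENCE")
    children = []
    off = 0
    while off < len(body):
        ctag, cval, off = read_tlv(body, off)
        children.append((ctag, cval))
    return children


# Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "key" }
GOOD = bytes([0x30, 0x08, 0x02, 0x01, 0x05, 0x04, 0x03]) + b"key"
# Constructed malformed sample: the OCTET STRING claims 200 bytes (long form 0x81 0xC8)
# while only three bytes follow; the parser must reject it, not read 200 bytes.
BAD_LENGTH = bytes([0x30, 0x09, 0x02, 0x01, 0x05, 0x04, 0x81, 0xC8]) + b"key"
# Constructed truncated sample: outer SEQUENCE declares 8 bytes but the buffer holds 4
TRUNCATED = bytes([0x30, 0x08, 0x02, 0x01, 0x05, 0x04])


def check(buf: bytes):
    """Return the parsed children, or the rejection reason as a string."""
    try:
        return parse_sequence(buf)
    except MalformedDER as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD_LENGTH", BAD_LENGTH), ("TRUNCATED", TRUNCATED)):
        print(name, "->", check(sample))
```

The same "fits in what remains" comparison applies whatever the element is (an EK certificate, its signature, an extension), and it has to happen before the length is used for a copy or an allocation, not after.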
Re: (Score:2)
AMD still feels the need to patch this.
Re: (Score:3)
Because buffer overflows are only usable with physical access?
doesn't that depend on what the buffer overflow exploit is in?
I have not RTFA because this is slashdot, but buffer overflows are not de-facto remote exploits. If the buffer is accessible via the network, you're in the crap. If it's only available locally then it's only a local exploit.
Of course local privilege elevation is bad because that's only one remote unprivileged exploitation away from being a remote root access. No idea what this one is
Re: (Score:2)
Both Intel ME and AMD's SPS require access to the system to enable in the first place, so yes, you need at the very least an account on the computer. It doesn't require physical access (as in, you don't need to attach wires to the bus or push buttons).
Given that AMD's SPS flaw sits in a certificate validation routine, it may actually be possible to trick the computer into the exploit by using some DRM shenanigans (eg. an evil Netflix site) whereas from what I could compile from a cursory look on the Intel l
Re: (Score:3)
No it isn't the same. Until you show me that it can be used through a network attack. While it is a security bug it's relevant to a TPM boot chain.
Who is using TPM? I've considered getting one at home just to play around with it.
To me TPM has been in perpetual development because of bugs. And honestly until there are BIOS setting which enable ME to manage all of its keys then I will never trust it.
Re: (Score:2)
Tons of people use TPM.
Re: (Score:2)
TPM is very useful for storing secrets like encryption keys. For example, you can use it to store the encryption keys for your hard drive, in order to support waking from sleep modes, without needing the key to be in RAM where it is vulnerable.
You can also use TPM to secure your OS against rootkit attacks. The TPM can verify the boot code is unmodified, independent of the CPU and any other code that could be compromised.
Hardware TPMs have proven reliable. AMD uses a software TPM, which has this issue.
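The two uses this comment describes, a disk key the TPM only releases when the boot code is unmodified, and detection of tampered boot code independent of the CPU, rest on the same mechanism: each boot stage is hashed and extended into a PCR, and the secret is sealed to the expected PCR value. The following is an added simulation of that mechanism, not TPM firmware and not AMD's code. It assumes a SHA-256 PCR bank and models the TPM's internal wrapping of the sealed blob with an HMAC-derived key and XOR, which stands in for the chip's own encryption; the boot stages, storage root key and disk key are constructed.

```python
"""Measured boot and sealing, simulated with hashlib.

Added illustration for the comment above (not TPM firmware, not AMD's code):
how a TPM detects modified boot code without trusting the CPU. Each stage's
digest is extended into a PCR as pcr = H(pcr || H(stage)), and a secret is
sealed to the expected PCR value. If any stage changes, or stages run in a
different order, the PCR differs and the secret cannot be unsealed.
"""
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank (assumption for this simulation)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend semantics: new = H(old || measurement). A PCR can only be
    extended, never set, so an attacker cannot write the 'clean' value back."""
    return sha256(pcr + measurement)


def measure_boot(stages) -> bytes:
    """Extend each stage's digest into a PCR that starts at all zeros at reset."""
    pcr = bytes(PCR_SIZE)
    for stage in stages:
        pcr = extend(pcr, sha256(stage))
    return pcr


def seal(secret: bytes, expected_pcr: bytes, srk: bytes) -> dict:
    """Bind a secret to a PCR value. The wrapping key is derived from the
    storage root key (never leaves the chip) and the PCR value, so a different
    PCR yields a different key. Stand-in for the TPM's internal encryption."""
    assert len(secret) <= PCR_SIZE, "toy wrap covers one SHA-256 block of secret"
    kek = hmac.new(srk, expected_pcr, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, kek))
    tag = hmac.new(kek, ct, hashlib.sha256).digest()  # integrity check on the blob
    return {"ct": ct, "tag": tag}


def unseal(blob: dict, current_pcr: bytes, srk: bytes):
    """Return the secret if current_pcr matches the value it was sealed to,
    otherwise None: the key is withheld when the boot measurements changed."""
    kek = hmac.new(srk, current_pcr, hashlib.sha256).digest()
    expected_tag = hmac.new(kek, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], kek))


# Constructed boot chains; a real PCR would hold digests of the actual images.
CLEAN_BOOT = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_BOOT = [b"firmware-v1", b"bootloader-v1 (rootkit)", b"kernel-v1"]
REORDERED_BOOT = [b"bootloader-v1", b"firmware-v1", b"kernel-v1"]

SRK = b"constructed storage root key....."       # constructed, stays 'inside the chip'
DISK_KEY = b"constructed disk encryption key!"   # constructed 32-byte secret


def demo():
    """Seal the disk key to the clean boot PCR, then try to unseal after each
    kind of boot. Returns (clean_ok, tampered_refused, reordered_refused)."""
    blob = seal(DISK_KEY, measure_boot(CLEAN_BOOT), SRK)
    clean = unseal(blob, measure_boot(CLEAN_BOOT), SRK)
    tampered = unseal(blob, measure_boot(TAMPERED_BOOT), SRK)
    reordered = unseal(blob, measure_boot(REORDERED_BOOT), SRK)
    return clean == DISK_KEY, tampered is None, reordered is None


if __name__ == "__main__":
    print("clean unseal ok, tampered refused, reordered refused:", demo())
```

Note what the PCR does not do: it does not stop a modified bootloader from running. It records that it ran, in a register the CPU cannot rewrite, and anything sealed to the clean value stays locked, which is what makes the key release and the rootkit detection this comment mentions possible.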
Re: (Score:2)
Re: (Score:3)
It’s both and neither depending on if the cat is dead in the box or not.
hmmm.... (Score:1, Interesting)
"the real AMD64 x86 CPU cores"
softpedia yesterday was telling us about AMD Radeon Processors
now we get real AMD64 x86 CPU cores
Re: (Score:3)
It seems that particular AMD bug can be disabled/bypassed by a BIOS/UEFI update, so the suggestion is still valid.
Luckily it can be officially disabled... (Score:4, Informative)
...at least when mainboard makers support the option in UEFI.
https://www.phoronix.com/scan.... [phoronix.com]
Re: (Score:1)
Unfortunately, none of my Ryzen motherboards have seen vendor BIOS updates since September, so not yet able to confirm this feature on any of my motherboards.
So basically next to no one can do this.
Re: (Score:1)
AsRock's shockingly badly designed web page. (Score:2)
AsRock mentions fixes for AsRock Intel processor motherboards in one of the most badly designed web pages I've seen: Intel Firmware vulnerability INTEL-SA-00086 [asrock.com].
we need to stop accepting these as accidents (Score:2, Interesting)
the fact that over, and over, and over, systems prove to have obscure vulnerabilities that allow an attacker to spy on everything the user is doing.... seems like it might be deliberate. i.e. the government gave up on the clipper chip, and cracking down on encryption.... why?
The era of "oh the government doesn't care" or "it would never spy" is gone. they do spy. they feel like it's their job, their purpose in life, the necessity of a stable government, they believe they have a god given right to all of your
Not A Problem (Score:2)
Anything that disables IME or PSP is a net positive for the world.
Javascript!!! (Score:2)
The intel team must have worked long and hard to find some fud for that one.
SPECTRE can be exploited through javascript!
Disappointed with AMD over Meltdown and more (Score:2)
Sadly AMD has completely failed to counter the Intel PR that Meltdown/Spectre affects all CPUs when in reality Intel is massively more impacted. The press is parroting Intel PR unchallenged.
AMD doesn't have an easy way to remove their inbuilt PSP when Intel has made lots of people worry about their ME. An obvious thing for AMD to offer.
And why oh why don't AMD support ECC memory on their desktop chips. I know why Intel don't as they want to sell Xeons but AMD has no real server market share. The silicon to
Don't assume anything is secure (Score:2)
While it is worrying there are these security issues, I am not sure how worried we should be? We didn't have these security features in the past and this shouldn't be the only line of defense. It is good to have these security elements in place, but I wonder if too much focus is being put on a single security point?