Remote View

5mo ago

AMD won't patch all chips affected by severe data theft vulnerability — Ryzen 3000, 2000, and 1000 will not get patched for 'Sinkclose'

www.tomshardware.com AMD won't patch all chips affected by severe data theft vulnerability — Ryzen 3000, 2000, and 1000 will not get patched for 'Sinkclose'

AMD says some chips fall outside of the software support window.

AMD won't patch all chips affected by severe data theft vulnerability — Ryzen 3000, 2000, and 1000 will not get patched for 'Sinkclose'

Here we are - 3600 which was still under manufacture 2-3 years ago are not get patched. Shame on you AMD, if it is true.

Hardware @lemmy.world

AMD won't patch all chips affected by severe data theft vulnerability — Ryzen 3000, 2000, and 1000 will not get patched for 'Sinkclose'

www.tomshardware.com /pc-components/cpus/amd-wont-patch-all-chips-affected-by-severe-data-theft-vulnerability-ryzen-1000-2000-and-3000-will-not-get-patched-among-others

30 8

183 comments

That's so stupid, also because they have fixes for Zen and Zen 2 based Epyc CPUs available.
Intel vs. AMD isn't "bad guys" vs. "good guys". Either company will take every opportunity to screw their customers over. Sure, "don't buy Intel" holds true for 13th and 14th gen Core CPUs specifically, but other than that it's more of a pick your poison.
- Tangent: If we started buying risc-v systems we might get to a point where they can actually compete.
  
  That's still far away from us as a consumer standpoint, but I'm eagerly waiting for a time when I could buy a RISC V laptop with atleast midrange computing capabalities
  
  I'm not buying hardware that doesn't suit my needs as an investment hoping maybe it eventually will.
  
  Jeff Geerling had a video recently about the state of RISC V for desktop. https://youtu.be/YxtFctEsHy0?si=SUQBiepSeOne8-2u
  
  At the rate we are going Qualcomm might pivot to Risc-V (they are being sued by ARM)
  
  I'm waiting to see how DeepComputing's RISC-V mainboard for the Framework turns out. I'm aware that this is very much a development platform and far from an actual end-user product, but if the price is right, I might jump in to experiment.
- “Both sides”
  “Vote third party!”
  Wtf seriously this isn’t the same thing remotely but the arguments used are.
  
  cmon man
- How is AMD "screwing us over"? Surely they aren't doing this on purpose? That seems very cynical.
  
  They are 100% not patching old chips intentionally by not allocating resources to it. It's a conscious choice made by the company, it is very much "on purpose".

Really not good enough from AMD. I wonder if Intel wasn't a complete dumpster fire right now if they would still cut off the fix at Zen 3 (I doubt it). There's really no reason not to issue a fix for these other than they don't want to pay the engineers for the time to do it, and they think it won't cost them any reputational damage.
I hate that every product and company sucks so hard these days.
- They did issue a fix: "Buy a new CPU please!"
  That's why they don't mind the reputation hit. If 1 person swears allegiance to Intel as a result but 2 people buy new AMD chips, they're still ahead. And people will forget eventually. But AMD won't forget the Q3 2024 sales figures.
  
  Well, guess who's not buying next gen Ryzen?
  They are doing similar stuff with deliberately delaying Linux driver capabilities for Radeon 7xxx series, to make more GPUs die out faster, by overheating (zero RPM fan until 60°+).

Attackers need to access the system kernel to exploit the Sinkclose vulnerability, so the system would have to already be compromised. The hack itself is a sophisticated vector that is usually only used by state-sponsored hackers, so most casual users should take that into account.
So it's a vulnerability that requires you to.already have been compromised. Hardly seems like news.
I can understand AMD only patching server chips that by definition will be under greater threat. On the other hand it's probably not worth the bad publicity not to fix more.
- The reason that this is news is because it allows malware to embed itself into the processor microcode once kernel is breached. IE: If it is exploited for compromise, you either have to have the knowledge and hardware to reset the processor microcode manually (Requires an SPI flash tool) or you toss the hardware entirely. There's no just 'blow the drive away and reinstall the OS' solution available.
  
  This sounds weird. I was in the impression that operating systems load updated cpu microcode at every boot, because it does not survive a power cycle, and because the one embedded in the BIOS/UEFI firmware is very often outdated. But then how exactly can a virus persist itself for practically forever?
  
  And that introduces a specific type of supply chain threat: someone who possesses a computer can infect their own computer, sell it or transfer it to the target, and then use the embedded microcode against the target, even if the target completely reformats and reinstalls a new OS from scratch.
  That's not going to affect most people, but for certain types of high value targets they now need to make sure that the hardware they buy hasn't already been infected in the supply chain.
  
  I don’t think it gets to the microcode but the UEFI.
- It’s important because it allows them to directly modify the CPU’s microcode. Basically, the CPU has its own set of instructions, called microcode, which controls how the chip functions on a physical level. If they manage to change your microcode, even a full system reformat won’t kill the virus; You’ll need to either re-flash the CPU (which is not something the standard user or even power user will know how to do) or replace the entire CPU.
- That being said it builds up vulnerabilities in anti-cheats to another beautiful crowstrike like domino cluster fuck
- I personally agree. I think it's being somewhat overhyped. If step one is physical access to get things rolling... like for sure some machines are in more public areas than others. But for me, someone would have to break into my house first, then access my machine, just to run exploits later. The exploit is pretty massive, but I think needs to be tempered with "first they need physical access". Because physically controlling machines has always been number 1 for security.

I feel like this is the perfect place for Right to Repair legislation: the product is broken? And it's outside your support window? Then give customers what they need to make the fix themselves. It's not good enough to say "meh, guess you gotta buy one of our newer chips then 🤷"
- Especially since the Linux community are the types to go way overkill
  
  Yep, every intel or AMD CPU vulnerability get patched in the kernel before the official firmware patches

The enterprise models are getting patched but the consumer ones aren’t. Shame on them.
- Consumer usage is not really concerned by the attack scenario of this vulnerability from what I understand. The prerequisite is to have access to the bios so it's already game over at this point.
  
  Sure, but that feels a little bit like saying “We don’t need guards inside the prison, because we already have them patrolling around the perimeter.”
  
  Chip makes should not only treat customer CPUs as possibly-business hardware when adding shit like (Intel) ME, Pluton and (AMD) PSP, but also when patching serious vulnerabilities and providing support!
- Any news on the "pro" line? They were installed on business PCs and had additional security features built in. For instance there is a 3600 pro model.
- I like my eBay "business" class machines

welp, time to go buy intel... wait.
- You laugh, but if you're buying used, this 100% makes Intel the way to go over a Ryzen 1000/2000/3000 CPU.
  
  I dont know.
  If I had my choice between a CPU that has a vulnerability that can only be exploited if the system is already compromised
  or a CPU that are full of oxidation cancer, or frying themselves and doing irreparable damage.. Which the company is being excessively shady about concretely admitting to any RMA promises and wwill all eventually die in short order..
  I think I'm gonna go with the Ryzen and not leave leave my computer outside at defcon.
  
  as long as we're buying 12th gen, we're ok.

lol for the past 15 years I have "rebuilt" my desktop every 5 years but I didn't expect the would try to force me out of my 7 3700x right on the date
- Which is a shame because our 3700X is still pretty potent for the average user or gamer.
  
  Yeah, I have been eyeing upgrades to get avx512 anyway because lately I have been doing very heave very low preset av1 encodes but when they are a dick about it I just feel like postponing it.
  
  At launch, I've upgraded my system to a 3900x, and even today, it fulfills my cpu needs. This thing is incredible

How severe is this vulnerability?
- The good news is that in order to exploit the new vulnerability, the attacker first has to obtain kernel level access to the system somehow - by exploiting some other vulnerabilities perhaps.
  The bad news is once Sinkclose attack is performed, it can be hard to detect and mitigate: it can even survive an OS reinstall.
  
  So basically what you are saying is we just need one pvp game with kernel level anti cheat to fuck up somewhere...... yeah I'm sure that's not going to happen.
  
  The other bad news: there are so many vulnerabilities on all systems which can be used to gain root-level access, it's just a matter of time. Also, even future vulnerabilities will be an issue, as the underlying Sinkclose attacks will still work.
- You need to be a root to exploit it, but if it get exploited any way to get rid of it is to throw MB to trash.
  
  Patch/reflash with a new bios?

AMD has unfortunately a long history of abandoning products before its reasonable on its graphics division. Its not really acceptable, up until earlier this year my NAS/server was running a 3600 and its only for power saving purposes I changed that as its still a very workable CPU in that role.
- Er I'm still running a FX-8350 as a gaming machine (not AAA games obviously). I had another one as a host for a few VMs and it was more than enough till the motherboard went. One day I'll upgrade I guess.
  
  I moved from an FX8350 to a R5 5600G a few years ago, having run it for about 9 years. Initially I didn't think I'd notice much difference, but frankly it's an entirely different ballgame.

Yay, another BIOS update!
I am getting so sick of all these BIOS updates because of all these security vulnerabilities all the time. It is so tiring having to set up my settings all over again all of the time. Earlier this year, or maybe it was last year, it felt like every month or two there was a new BIOS update for a new security vulnerability.
- Back your settings up and restore them then.
  
  Depending on your BIOS and/or motherboard, you can't restore them between versions. The point of clearing the BIOS settings after flashing a new version is to ensure that you only have values that are expected, which is why restoring backups can often be blocked between versions.

So I have a 3700x, I've read about the vulnerability but don't fully understand it. How at risk am I?
- If an attacker gets access to your system, they will be able to ensure you can't get rid of their access
  It will persist across operating system installs
  However, this requires them to get access first
  
  Sounds like it's time for an upgrade. Never know what kind of weirdos are out there. Thanks for the information.
- If they get root or admin they can hack the chip itself.
  But minor exploits, nada, no issue, you good. Gotta get root to make it happen.
  Problem is if you, as they say, get got, you have no way of knowing if they're in your CPU, and no way to fix if they did -- basically gotta trash it and replace.
- Not particularly. The exploit requires ring 0 access, if an attacker managed to get that, you are screwed already.
- Yes.
- In short, if you're pwned once, you are pwn3d f0r3v#rrrrreeeheehaahaahaacoughcough
  These are the kinds of exploits you use to create APT (Advanced Persistent Threats).

so that means you can internally flash the bios chip from the os?
would be cool if there were coreboot builds for these platforms, this exploit seems pretty useful
- Wait yeah can someone explain why this exploit couldn't be used to say rewrite it to support coreboot and turn this into a good thing?
  
  because you need the coreboot people to write firmware that can initialise the system, and that probably takes a lot of reverse engineering
  I don't know much about this, but I assume there's little to no effort for corebooting on the amd side, I've only seen intel platforms with coreboot

Cries in 5 2600 and 1070
- you and me both my friend, you and me both... except for the fact that im still vibing with them. EVGA 1070, i don't want to give it up F
  
  My EVGA GTX 1070 SC Gaming ACX 3.0 Black Edition is also holding up strong, especially with AMD FSR or good games (like Metro), but 4k is really bad for the poor little guy :c
  But even with my new PC, he will continue to live in my server :3

Basically, reflash spi chips and it'll be gone, and to be infected by that, person gotta have physical access to hardware he hacks, and physical access is root access as always has been
- Nope. You do not need physical access for it, just root access. and you HW is compromised with only means to recover it is SPI flashing of CPU.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters More Letters

IP Internet Protocol
NAS Network-Attached Storage
SSD Solid State Drive mass storage
3 acronyms in this thread; the most compressed thread commented on today has 4 acronyms.
[Thread #919 for this sub, first seen 12th Aug 2024, 20:35] [FAQ] [Full list] [Contact] [Source code]

Fewer Letters	More Letters
IP	Internet Protocol
NAS	Network-Attached Storage
SSD	Solid State Drive mass storage

Shit, I have desktops running with 2200G and 2400G.

custom firmware!
- Does not exist for Ryzen because of AGESA licensingnq
  
  Arrrr?

AMD published a list with the mitigation on Sinkclose on all their processor ranges, and the ComboPI version that will have a patch:
Security bulletin 7014

anyone know how intel's microcode update policy is in comparison to AMD's?

Welp, glad I avoided that

183 comments