News AMD discloses slew of high severity security vulnerabilities for Zen CPUs that attack BIOS chips — updates aim to patch bugs, finally fix Zenbleed

[Sleepy_Hollowed]

Are these the type of "vulnerabilities" where an attacker basically needs to already have access to your system to take advantage of them?

If not, could someone more knowledgeable on this type of thing give an example scenario of how an unsuspecting user could fall victim to one of these vulnerabilities?

No, if you read the article, Zenbleed for example, which is fixed with these, is completely possible to do it remotely.

 

[spongiemaster]

Breaking News: Hackers can physically access your computer locally if you invite them into your home and give them your password willingly.

It's trivial to strip a password off a Windows account. Anyone attempting this hack would not be slowed by a Windows password.

 

[passivecool]

Wondering the same thing. I generally don't like to update my BIOS if I don't need to, so I'd like to know if I really should or not.
Because if the hacker has to physically be sitting at my PC, here in my bedroom, then I've got much bigger problems to worry about than being hacked.

hacker would also require a patch: on the back of their head.

 

[torbjorn.lindgren]

Are these the type of "vulnerabilities" where an attacker basically needs to already have access to your system to take advantage of them?

If not, could someone more knowledgeable on this type of thing give an example scenario of how an unsuspecting user could fall victim to one of these vulnerabilities?

It's very useful for attackers to be able to step up from "run program as non-privileged user" to "can install root kit" or in one case it looks like it can likely be used to install a root kit in UEFI/BIOS where it survives even a "rip out SSD, install new, install new OS". We're talking "buy new motherboard" level!

MOST serious attacks consists of a chain of different vulnerabilities and the early ones are far more numerous, so finding a "severe local" vulnerability like these are often the key to make a successful attack rather than just a CVE entry.

Since it requires the program to run locally there's a significant threshold to be able to exploit it, but it's an very important since it converts a bad situation into potentially "I hope you had up to date backups, and is willing to buy some new hardware".

It's also a big problem even without any other exploits in many Corporate scenarios where the user often doesn't have much access to the machine, the IT department installs and manage all software on the machine. Think banking or the financial sector for the most extreme examples.

 

[Toni Vicente]

I find in msi webpage, almost my MB is avaiable with B patch

https://es.msi.com/Motherboard/B450-TOMAHAWK-MAX/support
V. 7C02v3I
Description:
- AGESA ComboAm4v2PI 1.2.0.B update.- AMD security issue patch.- Support new Ryzen 5000 CPU.
2023-10-28

 

[PiersPlowman]

Once upon a time BIOS updates were as rare as hen's teeth and only then done to enable some additional functionality. I seem to recall overcoming HDD capacity limits being one such reason.

These days BIOS updates should be regarded as somewhat analogous to Microsoft's patch Tuesdays. It's not 1995 any more; sitting on an old BIOS version might not be the smart play.

 

[Roland Of Gilead]

Breaking News: Hackers can physically access your computer locally if you invite them into your home and give them your password willingly.

Computer manufacturers have issued a mitigation requiring users to answer a Captcha correctly after password entry.

More breaking news: Captcha has determined computer owners to be hackers after widespread failure to identify the tiles in a picture of the ocean surface that contain submerged submarines.

Brilliant 🤣 Love it!

 

[Pierce2623]

Wondering the same thing. I generally don't like to update my BIOS if I don't need to, so I'd like to know if I really should or not.
Because if the hacker has to physically be sitting at my PC, here in my bedroom, then I've got much bigger problems to worry about than being hacked.

Exactly. Nobody has access to my system.(even wifey doesn’t even care to know the password). Why would I do this knowing I’ll probably be giving up performance and introducing some sort of micro stutter like these fixes always seem to do in games?

 

[Pierce2623]

Once upon a time BIOS updates were as rare as hen's teeth and only then done to enable some additional functionality. I seem to recall overcoming HDD capacity limits being one such reason.

These days BIOS updates should be regarded as somewhat analogous to Microsoft's patch Tuesdays. It's not 1995 any more; sitting on an old BIOS version might not be the smart play.

I disagree. Both AMD and Intel have gotten to where these mitigations ALWAYS cost performance. Nobody has physical access to my machine but me. I’m completely safe.

 

[stonecarver]

Exactly. Nobody has access to my system.(even wifey doesn’t even care to know the password).

Careful there our wives are ninja masters at stealth. Plausible deniability . She most likely knows your password already.

 

[snemarch]

I disagree. Both AMD and Intel have gotten to where these mitigations ALWAYS cost performance. Nobody has physical access to my machine but me. I’m completely safe.

Mitigating flaws like meltdown and spectre tends to come with performance penalties, flaws in the write protection of UEFI flash probably won't.

It doesn't sound like physical access is needed – as I mentioned earlier, at least one of the flaws just requires local code execution with administrative privileges. There's several ways to achieve that without physical access

 

[TJ Hooker]

Yeah, my understanding is that the trend of mitigations resulting in performance hits is because most of the high profile vulnerabilities in the last while (starting with spectre/meltdown, IIRC) related to speculative execution. Effective speculative execution plays a significant part in IPC/performance, so changing that behavior was much more likely to negatively impact performance.

These new AMD vulnerabilities don't seem to be related to speculative execution though, and therefore their mitigations shouldn't be assumed to have similar performance penalties as those for spectre and co.