News AMD Discloses Vulnerabilities in EPYC Processors’ Secure Encrypted Virtualization

[Admin]

AMD disclosed security vulnerabilities affecting the Secure Encrypted Virtualization feature used by its EPYC processors.

AMD Discloses Vulnerabilities in EPYC Processors’ Secure Encrypted Virtualization : Read more

 

[hotaru.hino]

This makes me wonder how secure AMD's PSP really is, considering the feature relies on that.

Or rather, if AMD wants to really put a leg up against Intel, they should make it open for auditing.

 

[ginthegit]

Love it, Just like Intel, it seems that the features meant to increase security actuually decreases it!

Some would almost say they have yielded to the FBI in their desired want for Backdoors for spying on its citizens.

LOL Security features = Failed security

 

[waltc3]

Yawn, both vulnerabilities require Administrator access...another dud "report" from university hackers that a company has to respond to. No exploits (of course)...and the sensational tech press strikes out again, imo.

 

[Soaptrail]

"Requiring physical access should limit the exploits’ reach" can companies trust their cloud server provider?

 

[NatalieEGH]

If this is a vulnerability that must be addressed then EVERY system administrator in the world should be fired.

The so-called vulnerability requires a system administrator to be physically connected with the system. That means on-site using a trusted console (the one used to start, restart after a termination (hopefully from a system shutdown done at that terminal and not a system abort/crash, application of updates, initiate system debugging, ...). The system administrator should be a "Trusted User". They have all power on the machine.

Okay they discovered the system administrator working from the system console has the ability to cause the injection of code into a running virtual system. BIG FREAKING DEAL.

I was a system programmer/system administrator for years. I actually broke the system (luckily a development and testing system with only a few hundred users on) on more than one occasion. I regularly was working on extraction of information from the OS and when needed injection/modification of information. IT WAS MY JOB. PEOPLE KNEW WHEN I WAS BEING DANGEROUS.

Maybe there was no intention to allow the system administrator that particular ability. Maybe if the administrator is a thief, terrorist, or just stupid prankster they can cause problems. If a site hires an administrator and gives them the complete set of keys to the kingdom (including in this case a few keys not known on the key chain), they are stupid and the HR personnel, the supervisor, and everyone involved in the hiring should be fired.

To be honest depending on what was done and whether I consider the person was a further danger, if I was the boss, I would consider hiring the person to be head of the department with a salary big enough the person will stay legal just because of the legal/respectable/small bragging rights lifestyle they would be living.

This might be a flaw in the intended way the chip works but it is hardly a security issue.

 

[NatalieEGH]

"Requiring physical access should limit the exploits’ reach" can companies trust their cloud server provider?

If not, they should either be looking for a different provider or bringing the functions back in-house.