News AMD won't patch all chips affected by severe data theft vulnerability — Ryzen 1000, 2000, and 3000 will not get patched, among others

[mitch074]

I find it strange that Ryzen 3000 don't get the patch, as it's the first Zen 2 generation and Zen 2 was used for Ryzen 4000 (patched) and some laptop Ryzen 5000 (patched)... And considering AMD's use of a unified AGESA, should be covered too.
Either they patched it but didn't test it, or the affected component on that generation belonged to an earlier révision and didn't get the patch. Or something.
Edit : well, looks like it's something like the former : https://www.tomshardware.com/pc-com...es-course-and-will-patch-ryzen-3000-after-all

 

[das_stig]

So if out of support, AMD should enforce a recall of all remaining stock that is still being sold new and not allowing their resellers to sell faulty products. Maybe time for watchdogs to start enforcing patching for all so long as chips are being allowed to be sold new by manufacturers and their resellers.

 

[Aurn]

I am not sure about Zen + and Zen 2, but with Zen 1, it’s not so easy : on my old X370 board + Ryzen 7 1700X (I don’t use it anymore), I wouldn’t even be able to update the BIOS even if a patch were released because at some point, they stopped supporting the older CPUs (I think that it’s because the size/available space of the BIOS chips is too small ?). So, motherboard makers would need to add the patch to older BIOS versions as well, not just the latest ones for those boards

 

[Steve Nord_]

amd ryzen 1xxx 2xxx are so problematic amd try hard to hidden these cpus.
Amd don't want patch these cpus because all the epyc cpus out there. Amd want piles of e-waste

Name doesn't check out. Doubt that's in their disclosures but go on and tell us your exposé of Applied Materials.

 

[Steve Nord_]

So if out of support, AMD should enforce a recall of all remaining stock that is still being sold new and not allowing their resellers to sell faulty products. Maybe time for watchdogs to start enforcing patching for all so long as chips are being allowed to be sold new by manufacturers and their resellers.

Where will CTF and Cheating based schools get appropriate equipment upgrades from slide rule with sharpened D rule and DSP radio?

 

[Steve Nord_]

Instead of prosecuting, arresting and keeping these "tech scoundrels" behind bars for life time, the mindset has been "I have nothing to hide anyway!" and instead the protectors of human dignity in our century are being shunned/witch hunted for life.

If extreme punishments were in place for breaching of Human private life, then the danger would be minimal/non-existent even. I have said it before, I hope Tom's Hardware realize that it is not only tech that can stop these practices, some new vulnerability will always be found,. what can truly protect our digital lives is strong laws/awareness of people . TH can begin using its influence to make people demand these laws from their lawmaker representatives and pressure them as the strongest enemies of human private life are already at top of power unfortunately.

Courts are famously affordable, maybe! Too bad about the schedules. Perhaps there's a nudge loop closer to durable stores and ciphers that would better suit polity but affect bad actors outside of representative law too.

 

[The Historical Fidelity]

While I'm personally no expert on these particular matters, it has been made clear to me by someone who is, that this is of little consequence for the home user as it requires an extremely complex, targeted attack. No one is going to be collateral damage and this is the main reason AMD isn't too concerned with patching older, consumer level machines. For us, the risk is basically nil.

But North Korea really wants access to my meme library lol!

 

[EzzyB]

"AMD processors dating back to 2006 reportedly suffer from a major security flaw that allows attackers to infiltrate a system virtually undetectable."

"Attackers need to access the system kernel to exploit the Sinkclose vulnerability"

If you already have access to the Kernel, this exploit is kind of a nothing-burger.

/facepalm

Regards...?

What I'm thinking here is the kind of thing we do hear about regularly. Domain admin has their credentials compromised. Domain admin can install software with kernal access on every machine in the domain....

That's a pretty big deal considering the possible outcome is a rootkit on the machines that requires the processor to be removed and hooked up to specialized hardware to remediate it.

So is it dangerous to your gaming PC? Nah, probably not unless you just play ridiculously fast and loose with security anyways, (or get hit with a supply-side attack in a vulnerable driver) but the potential impact elsewhere is pretty concerning.

 

[waltc3]

Another Ring 0 access story...Yawn. Here's what's coming next: https://medium.com/swlh/negative-ri...ts-youve-probably-never-heard-of-d725a4b6f831

Pretty much, if you can get Ring 0 access in a given system, You can do most anything you want.

 

[JamesJones44]

"AMD processors dating back to 2006 reportedly suffer from a major security flaw that allows attackers to infiltrate a system virtually undetectable."

"Attackers need to access the system kernel to exploit the Sinkclose vulnerability"

If you already have access to the Kernel, this exploit is kind of a nothing-burger.

/facepalm

Regards...?

Yes and No. The issue is, once the kernel access is discovered in normal instances you can close that hole and be "safe" again. The issue with this vulnerability is even once the kernel hole is closed, the system is still exposed if the CPU vulnerability is exploited.

So in general I agree it's a low chance/vector of attack in the realm of a nothing-burger, but it's still a fairly severe vulnerability if a system does get compromised as one can't easily clean it if the exploit gets executed.

 

[Guardians Bane]

No, you're not important. Your hardware as a new zombie recruit however, is. And, I mean, if north korea gets some sort of access they go after every penny. Hard to keep an entire population that is starving pacified when their glorious leader flaunts his flab every chance he has. They need that $2 in your savings account.

Damn... I thought I was safe!!! Lmao... I feel for those in the north. I was stationed in S Korea when in the US Army. Amazing place. But we did learn a lot of stuff about those people in the north and their horrible living conditions.

 

[geog741]

If I wanted to know if I'm being or going to be updated on my 3 AMD (2 Ryzen's and 1 EPYC) systems, how would I go about it? 🤔

 

[mitch074]

I am not sure about Zen + and Zen 2, but with Zen 1, it’s not so easy : on my old X370 board + Ryzen 7 1700X (I don’t use it anymore), I wouldn’t even be able to update the BIOS even if a patch were released because at some point, they stopped supporting the older CPUs (I think that it’s because the size/available space of the BIOS chips is too small ?). So, motherboard makers would need to add the patch to older BIOS versions as well, not just the latest ones for those boards

No, don't worry, it's only pre - Zen processors that were dropped. On a B350 mobo with a Ryzen 1400X, I upgraded (in steps) from the original UEFI to the latest beta version which then allowed me to install a Ryzen 5500.
It unlocked the TPM, some RAM speed, increased boot speed, unlocked resizable BAR... Yeah, AM4 was a great platform !
On your X370 you should be even better off, as it's virtually identical to X470.

 

[CountMike]

amd ryzen 1xxx 2xxx are so problematic amd try hard to hidden these cpus.
Amd don't want patch these cpus because all the epyc cpus out there. Amd want piles of e-waste

Booo

 

[Svetoslav Enkov]

AMD have updated their CVE document for Sinkclose - Ryzen 3000 (Matisse) will get updated AGESA - target date is 20 Aug 2024.

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html

Mine is Ryzen 3600X, so I am very satisfied.