News AMD's 'Sinclose' vulnerability affects hundreds of millions of processors, enables data theft — AMD begins patching issue in critical chip lines, m...

[mhmarefat]

I don't see how your links/quotes even remotely support your claim. Are you arguing that Intel adding a switch to toggle ME on/off for a local machine, at the behest of government agencies, is proof that those government agencies have a backdoor into ME (which in turn can compromise the whole machine) for every system with ME? Because the former in no way implies that latter.

Your original links do not claim at all that Intel (or AMD) created these management features on the behest of the NSA, merely that they developed a way to shut them off locally (presumably you'd need firmware access, like this vulnerability, to shut them off remotely) at the behest of the NSA. This could be because the NSA wants the ability to hack into systems, or it could be because the NSA wants the ability to open up seized systems as part of an investigation, or because the NSA wants full security control of the systems it uses internally.

There exists what one basically can say a CPU within your CPU with its own Operating System, residing in ring -3 [1], independent of any OS/Software [2], able to use TCP/IP [3] even when PC is turned off (!)[4], collects the most critical hardware information the moment PC is turned on [5], is able to FULLY REMOTELY control your PC [6][7][8], named Intel Management Engine (also AMD Secure Platform) and only one entity, the incredibly disgraceful NSA, knows how to turn this off [9][10] despite scientists and engineers even google [11] (which was not liking the taste if its own medicine) trying hard for years to disable it and failed, and you are saying these are not relevant to my "claim"?! Wow.

NSA (and NSA only) having a kill switch to such a hardware speak volumes for itself! Things become darker quickly if we remember NSA's shameful, disgraceful, predatory and criminal history (as exposed by whistleblowers who are witch hunted for life) as well.

My point is, why is everyone silent about the elephants in the room, but when a CPU Vulnerability is exposed, the fear-mongering is brutal!
________________________
[1]: Wikipdia:
The ME is colloquially categorized as ring −3, below System Management Mode (ring −2) and the hypervisor (ring −1), all running at a higher privilege level than the kernel (ring 0).
[2]: Same
[3]: Wikipedia:
The ME has its own MAC and IP address for the out-of-band management interface, with direct access to the Ethernet controller;
[4]: Wikipedia:
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off.
[5]: Intel:
Intel AMT stores the following information in flash (Intel ME data):
* PC manufacturer-configurable parameters:

* Setup and configuration parameters such as passwords, network configuration, certificates, and access control lists (ACLs).​

* Other configuration information, such as lists of alerts and Intel AMT System Defense policies.​

* The hardware configuration captured by the BIOS at startup.​

[6]: Intel (note: Intel AMT is a sub-part of Intel Management Engine):
Intel AMT is part of the Intel vPro technology offering. Platforms equipped with Intel AMT can be managed remotely, regardless of its power state or if it has a functioning OS or not.
[7]: Wikipedia:
"full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data."
[8]: StackExchange (read the answer):
How can I prevent a computer from turning ON?
[9]: TheRegister:
On Monday, Positive Technologies researchers said they had found a way to turn off the Intel ME by setting the undocumented HAP bit to 1 in a configuration file.
HAP stands for high assurance platform. It's an IT security framework developed by the US National Security Agency.
[10]: Wikipedia:
the ME contains a switch to enable government authorities such as the NSA to make the ME go into High-Assurance Platform (HAP) mode after boot. This mode disables most of ME's functions.
[11]: Wikipedia:
As of 2017, Google was attempting to eliminate proprietary firmware from its servers and found that the ME was a hurdle to that.

 

[slightnitpick]

NSA (and NSA only) having a kill switch to such a hardware speak volumes for itself! Things become darker quickly if we remember NSA's shameful, disgraceful, predatory and criminal history (as exposed by whistleblowers who are witch hunted for life) as well.

The NSA helped secure DES encryption against differential cryptanalysis over 15 years before outside researchers knew about it: https://en.wikipedia.org/wiki/Data_Encryption_Standard

They did also make sure it was vulnerable to brute-force attacks, but it's not as if they don't give as well as take.

The NSA may have developed "a series of rules for running secure computing platforms", but that doesn't mean that the implementations are exploitable because of this.

Was the NSA responsible for ME existing in the first place, or was this an industry decision? It's one thing for the government to require that a company allow disabling a feature, or mandate certain security precautions, it's quite another to require that a company implement a feature.

 

[araghur12]

Exactly. The ol' "Nothing to see here" Emperor's New Clothes syndrome.

If this was an Intel flaw it wouldn't matter as well because the CPU would have to be thrown away anyway because it burned out because of silicon-level defects that have carried over for two whole generations 🤡
Fanboys are so insufferable, enjoy your defective space heater and stop bringing up your insecurities under unrelated articles.

 

[araghur12]

If this was an Intel vulnerability the pitchforks would be out predicting the end of the company. Now that it’s AMD, we get comments like “nothing burger “! lol.

My guy, Intel has steadily been going down the toilet for the better part of a decade, it doesn't need more bad news.

You know that you can be your own individual that makes informed choices instead of applying tribalistic tendencies to consumer products made by soulless corporations?

Are you at least heavily invested in Intel and reeling from the recent losses or is your life sad enough that you feel the need to rep your team, even when "your team" only sees you as a lemon to squeeze?

 

[jp7189]

They're not talking about patching to prevent getting compromised. They're talking about once you are compromised by this, the fix is so difficult that you might as well throw the computer out.

I'm still trying to understand... what components must be replaced to fix a compromise? Motherboard? CPU? Both?

Could a fix not be created that overwrites the affected area with known good code?

Is there any dependable detection method yet?

 

[jp7189]

There exists what one basically can say a CPU within your CPU with its own Operating System, residing in ring -3 [1], independent of any OS/Software [2], able to use TCP/IP [3] even when PC is turned off (!)[4], collects the most critical hardware information the moment PC is turned on [5], is able to FULLY REMOTELY control your PC [6][7][8], named Intel Management Engine (also AMD Secure Platform) and only one entity, the incredibly disgraceful NSA, knows how to turn this off [9][10] despite scientists and engineers even google [11] (which was not liking the taste if its own medicine) trying hard for years to disable it and failed, and you are saying these are not relevant to my "claim"?! Wow.

NSA (and NSA only) having a kill switch to such a hardware speak volumes for itself! Things become darker quickly if we remember NSA's shameful, disgraceful, predatory and criminal history (as exposed by whistleblowers who are witch hunted for life) as well.

My point is, why is everyone silent about the elephants in the room, but when a CPU Vulnerability is exposed, the fear-mongering is brutal!
________________________
[1]: Wikipdia:
The ME is colloquially categorized as ring −3, below System Management Mode (ring −2) and the hypervisor (ring −1), all running at a higher privilege level than the kernel (ring 0).
[2]: Same
[3]: Wikipedia:
The ME has its own MAC and IP address for the out-of-band management interface, with direct access to the Ethernet controller;
[4]: Wikipedia:
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off.
[5]: Intel:
Intel AMT stores the following information in flash (Intel ME data):
* PC manufacturer-configurable parameters:

* Setup and configuration parameters such as passwords, network configuration, certificates, and access control lists (ACLs).​

* Other configuration information, such as lists of alerts and Intel AMT System Defense policies.​

* The hardware configuration captured by the BIOS at startup.​

[6]: Intel (note: Intel AMT is a sub-part of Intel Management Engine):
Intel AMT is part of the Intel vPro technology offering. Platforms equipped with Intel AMT can be managed remotely, regardless of its power state or if it has a functioning OS or not.
[7]: Wikipedia:
"full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data."
[8]: StackExchange (read the answer):
How can I prevent a computer from turning ON?
[9]: TheRegister:
On Monday, Positive Technologies researchers said they had found a way to turn off the Intel ME by setting the undocumented HAP bit to 1 in a configuration file.
HAP stands for high assurance platform. It's an IT security framework developed by the US National Security Agency.
[10]: Wikipedia:
the ME contains a switch to enable government authorities such as the NSA to make the ME go into High-Assurance Platform (HAP) mode after boot. This mode disables most of ME's functions.
[11]: Wikipedia:
As of 2017, Google was attempting to eliminate proprietary firmware from its servers and found that the ME was a hurdle to that.

You argument suggests ME is a security concern that some organizations would like to be able to disable, and then mention the many organizations that think they are better off without it.

Why does it make NSA a villian for them to insist on a way to disable it.. presumably as a way to tighten their internal security as your other mentioned orgs are trying to do?

 

[derekullo]

Persistent rootkits (as this enables) are far more insidious. Format the drive, reinstall the OS, even swap to a brand new drive? the malware install persists. Pop the CPU out of an infected system and install it in a new system? The new system is infected.
A single threat actor adding a rootkit to CPUs before reselling on eBay (or any other supply chain vulnerable to 3rd party insertion, such as Amazon fulfilment) could gain root access to as many boxes as they can ship CPUs, with no trivial way for end users to identify the infection, let alone remove it.

Management-engine persistent malware is particularly nasty to deal with.

Plus, AMD have decided to straight up NO FIX PLANNED the Ryzen 3000 series, so if you own one then no fix for you.

I was under the impression that CPUs had no space to store any significant amount of data when they are powered off/taken out of a motherboard and that all data was essentially read only that was read by the motherboard as needed ... besides TPM ... or is that exactly what they write to?
Is this incorrect?

 

[mhmarefat]

Why does it make NSA a villian for them to insist on a way to disable it.. presumably as a way to tighten their internal security as your other mentioned orgs are trying to do?

No, NSA does not want to be subjected to its own medicine. That's why they already have a key to disable ME and that key is in the hands of NSA.

 

[edzieba]

I was under the impression that CPUs had no space to store any significant amount of data when they are powered off/taken out of a motherboard and that all data was essentially read only that was read by the motherboard as needed ... besides TPM ... or is that exactly what they write to?
Is this incorrect?

All modern CPUs have some writeable storage, e.g. the Microcode store.
AMD's CPUs also have the entire Platform Security Processor subsystem stored on the CPU die, as the capability to operate without a PCH (e.g. the A300 'chipset') is just the CPU performing the PCH duties itself, so placing the PSP in the PCH - as Intel does with the IME - would not work. The PSP is an independent system sat within the PCU die with its own processors (ARM-based), own storage, etc, but also has control over the rest of the CPU - can enable/disable the x86 cores (and is responsible for doing so during boot prior to the firmware loading), controls x86 core clocks, can read/write to memory, etc.
This Blackhat presentation on the PSP as of Zen 1 gives an overview of how it has been hacked in the past.

 

[jp7189]

No, NSA does not want to be subjected to its own medicine. That's why they already have a key to disable ME and that key is in the hands of NSA.

A quick Google search seems to indicate several brands of motherboards and even full system vendors are adding an option in the BIOS to disable ME. Does that also make e.g. HP a villian now too?

 

[mhmarefat]

A quick Google search seems to indicate several brands of motherboards and even full system vendors are adding an option in the BIOS to disable ME. Does that also make e.g. HP a villian now too?

No, Intel ME cannot be disabled at all unless hacked. To my very limited knowledge, the only vendor who has been capable of disabling it for newer Intel CPUs (13th Gen) has been System76 as you can see here. And they have HACKED it to be able to do this as there is no way for users (since 2006 that it was implemented) to disable ME. Also the same is true about AMD PSP. Simply cannot be disabled.
Where is your source for HP?

 

[spongiemaster]

I'm still trying to understand... what components must be replaced to fix a compromise? Motherboard? CPU? Both?

Could a fix not be created that overwrites the affected area with known good code?

Is there any dependable detection method yet?

Try reading the article next time.

To remove the malware, one would need to open the computer, connect to a specific part of its memory using an SPI Flash programmer, carefully inspect the memory, and then remove the malware.

 

[jp7189]

Try reading the article next time.

If you know the answers to my questions, could you just state them plainly? Perhaps a different restating could add different understanding. There are a lot of smart people here that may bring more than the original article had to say.

Perhaps Im confused what SPI flash is or perhaps I think it seems crazy to have to desolder an eeprom to insert in to an external spi programmer (as the article seems to be indicating) since the malware was able to do it without external devices.

Can you shed some light on how to detect this malware? The article was completely mum on that.

Hypothetically, some of us might be spending a few months on threat hunting, patching, and <hopefully not> remediation. It's also possible some of us might have to generate a plan of action and possible impact study like yesterday and would be happy for any extra knowledge that this very smart community might add.

This article, other sites, AMDs site, the CVE site are all missing key pieces that are necessary to address this in large environments.

 

[dehjomz]

My guy, Intel has steadily been going down the toilet for the better part of a decade, it doesn't need more bad news.

You know that you can be your own individual that makes informed choices instead of applying tribalistic tendencies to consumer products made by soulless corporations?

Are you at least heavily invested in Intel and reeling from the recent losses or is your life sad enough that you feel the need to rep your team, even when "your team" only sees you as a lemon to squeeze?

All of that baseless nonsense but fail to refute or even address my essential point that when AMD errs, folks online have a muted response…. But when it’s intel, the response is far more vocal and negative. Just an interesting observation. ,