AMD has readied patches against MasterKey, Fallout, and Chimera vulnerabilities
moo100times
I find it funny how this time round so many sites that were claiming that the claims from CTS were valid are all suspiciously staying quiet about this, and now also being quiet around the new round of Spectre Variant flaws particularly impacting Intel chips. The biases of the tech news sources are beginning to strongly reveal themselves; glad guru3d still has the integrity to report it all!
The Reeferman
Size_Mick
Fox2232
^/^^ mitigation is a good choice of words in this situation. 1st, it does not imply that there is no more chance to pull a similar thing when an 'attacker' has direct physical access to the system. (Since this is a smearing campaign, and use of wording implying 100% safety may come with a barrage of dirt later.)
2ndly, there is really no such thing as 100% safety from the actions of someone having the access needed in those 'attacks'. So, if anyone wants to cause harm with such access, then the system will get screwed in another way.
yagma
Shame on 911-nation's CTS for their hitjob! Interesting nonetheless. If anything, hopefully it will encourage AMD to get on it. AMD's own website, blog, and forum haven't released any data about any patches. The link also falsely cites, like AMD's blog, outdated and/or incorrect data, falsely claiming these exploits are only possible with admin access, whereas CVEdetails & NIST.GOV clearly state they are remote exploits capable over the network and do not require permissions or authentication.
All 13 exploits are exploitable remotely over the network, with zero privileges, meaning no admin access necessary, as reported by NIST.GOV & cvedetails.com.
https://www.cvedetails.com/vulnerability-list/vendor_id-7043/AMD.html
https://nvd.nist.gov/vuln/detail/CVE-2018-8936
https://nvd.nist.gov/vuln/detail/CVE-2018-8935
https://nvd.nist.gov/vuln/detail/CVE-2018-8934
https://nvd.nist.gov/vuln/detail/CVE-2018-8933
https://nvd.nist.gov/vuln/detail/CVE-2018-8932
https://nvd.nist.gov/vuln/detail/CVE-2018-8931
https://nvd.nist.gov/vuln/detail/CVE-2018-8930
HP appears to be the only one releasing patches:
https://support.hp.com/gb-en/document/c05950716
HP's website, like AMD, cites the same outdated and/or incorrect information. HP patched their servers which USE this chipset. HP's statements about "Commercial Desktop workstations not being impacted", they use Intel chipsets. They are patching "Commercial desktops and notebooks" for HP & Compaq computers. A great sign, however we are not seeing any of this with major third-party motherboard vendors such as ASRock, ASUS, or MSI.
Regarding Chimera backdoors, disabling the ASMedia chipset via BIOS would be a choice worth having until something better potentially comes along. 3rd party USB 3 controllers could be installed via PCI-E expansion slots. I have brought this to AMD's attention.
There is a new firmware released on Nov 15, 2018 for the ASMedia ASM-1042A to ASM-1074 USB 3.x Controllers that should allow users to flash over any CHIMERA malware hiding in the firmware. Problem is, if the malware gets in thereafter, you may have to wait for a future FW update. Most flashing utils and/or chipsets won't allow flashing the same installed or older firmware. In the age of Chimera, not being able to flash over the same version FW is not a very wise policy. The last time an update was released was over a year ago, and before that, 2014, according to the previous link.
https://www.station-drivers.com/index.php?option=com_remository&Itemid=353&func=select&id=462&lang=en
I don't see anything suggesting FW level Chimera vulnerabilities were addressed in this firmware, but a re-flash will overwrite any malware regardless...
If ASMedia could release a security tool that automates this, running this regularly will ensure no hardware level exploits can remain intact on the chipset. I'm unaware if ASMedia locks users out from reflashing the same firmware.