
Posted by MrBruh 1 day ago

The RCE that AMD won't fix (mrbruh.com)
361 points | 156 comments
burnt-resistor 1 day ago
Thanks for this, author.

No https:// and no cryptographic signature nor checksum that I can see. This makes it almost trivial for any nation-state to inject malware into targeted machines.

I removed AMD auto-update functionality from Windows boxen. (And I won't install anything similar on Linux.) And, besides, the Windows auto-update or check process hangs with a blank console window regularly.

Such trashy software ruins the OOBE of everything else. Small details attention zen philosophy and all that.

jMyles 1 day ago
If this is true, it seems like a much more serious vulnerability than I was expecting when I clicked the link.

And it's obviously an oversight; there is no reason to intentionally opt for http over https in this situation.

bb88 1 day ago
It's not directly an RCE unto itself, it requires something else. A compromised DNS on the network, e.g. So no surprise they ignored it.

Also, if AMD is getting overwhelmed with security reports (a la curl), it's also not surprising. Particularly if people are using AI to turn bug bounties into income.

Lastly if it requires a compromised DNS server, someone would probably point out a much easier way to compromise the network rather than rely upon AMD driver installer.

pixl97 1 day ago
As someone that works security, the whole "A compromised DNS on the network" would be a total excuse not to pay.

The fact is allowing any type of unsigned update on HTTP is a security flaw in itself.

> someone would probably point out a much easier way to compromise the network

No, not really. That's why every other application on the planet that does security of any kind uses either signed binaries or HTTPS only. Simply put, allowing HTTP updates is insecure. The network should never be trusted by default by the user.

What's even fucking dumber on AMD's part is this is just one BGP hijacking away from a worldwide security incident.

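The signed-update design pixl97 is describing, as an added example that is not part of this thread, of the linked article or of AMD's software: a minimal Go verifier with the vendor's Ed25519 public key pinned in the client, a signed manifest carrying the installer's SHA-256, and an anti-rollback version check. The manifest format, the `updates.example` hostnames, the throwaway key and the stand-in installer bytes are all constructed for illustration; a real updater would also have to decide how the pinned key gets rotated.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor (not any vendor's real format).
// The vendor signs its raw bytes on the build server; the client ships with the
// vendor's public key pinned, so nothing on the path (a hostile LAN, a poisoned
// DNS answer, a hijacked BGP route) can substitute a manifest or payload of its own.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the installer this manifest describes
	URL     string `json:"url"`    // where to fetch it; with signing, the transport need not be trusted
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrRollback     = errors.New("manifest version is not newer than the installed one")
	ErrBadDigest    = errors.New("payload digest does not match signed manifest")
)

// VerifyUpdate is the client-side check an updater must run before executing
// anything it downloaded. installed is the version currently on disk.
func VerifyUpdate(pinned ed25519.PublicKey, installed int, manifestRaw, sig, payload []byte) (*Manifest, error) {
	// 1. Authenticity: only the holder of the vendor's private key can produce
	//    a signature over these exact manifest bytes.
	if !ed25519.Verify(pinned, manifestRaw, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestRaw, &m); err != nil {
		return nil, err
	}
	// 2. Freshness: a MITM can replay an old, genuinely signed but vulnerable
	//    release; the signature alone does not stop that.
	if m.Version <= installed {
		return nil, ErrRollback
	}
	// 3. Integrity: bind the downloaded bytes to the signed manifest.
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(payload)
	if err != nil || !bytes.Equal(want, sum[:]) {
		return nil, ErrBadDigest
	}
	return &m, nil
}

// SignManifest is the vendor side, included only so the example runs offline.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// RunScenarios generates a throwaway vendor key, publishes a constructed v2
// release, then replays the attacks the thread describes against a client that
// has v1 installed. It returns the verifier's verdict for each scenario.
func RunScenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	genuine := []byte("MZ... constructed stand-in for the real v2 installer")
	malware := []byte("MZ... constructed stand-in for an attacker's binary")

	v2Raw, v2Sig, _ := SignManifest(priv, Manifest{Version: 2, SHA256: digest(genuine), URL: "http://updates.example/v2.exe"})
	v1Raw, v1Sig, _ := SignManifest(priv, Manifest{Version: 1, SHA256: digest(genuine), URL: "http://updates.example/v1.exe"})

	// A MITM rewrites the manifest to describe their binary but cannot re-sign it.
	forged := bytes.Replace(v2Raw, []byte(digest(genuine)), []byte(digest(malware)), 1)

	res := map[string]error{}
	_, res["genuine"] = VerifyUpdate(pub, 1, v2Raw, v2Sig, genuine)
	_, res["swapped_payload"] = VerifyUpdate(pub, 1, v2Raw, v2Sig, malware)
	_, res["forged_manifest"] = VerifyUpdate(pub, 1, forged, v2Sig, malware)
	_, res["rollback_replay"] = VerifyUpdate(pub, 1, v1Raw, v1Sig, genuine)
	return res, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, verdict := range res {
		fmt.Printf("%-16s -> %v\n", name, verdict)
	}
}
```

Only the genuine release passes; the swapped payload fails the digest check, the rewritten manifest fails signature verification, and the replayed v1 manifest is rejected as a rollback even though its signature is valid. That last case is why a signature on its own is not the whole story, and why an HTTPS-only transport is still worth having on top: it hides which package a client fetched and denies a MITM the chance to serve stale-but-signed releases in the first place.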
pooper 22 hours ago
> The fact is allowing any type of unsigned update on HTTP is a security flaw in itself.

Reminds me about ten years or so ago when I was installing Debian or something and I noticed the URL for the apt install mirrors were http and not https. People helpfully pointed out this is a non issue because the updates are signed.

Ok I guess but then why did Debian switch to https?

kasabali 21 hours ago
> Ok I guess but then why did Debian switch to https?

Because security people kept bullying them?

dns_snek 21 hours ago
You're completely misunderstanding the impact. If you run AMD's software you're effectively giving root access to your computer to any wifi network you connect to and any person who happens to be on that network.

rkeene2 1 day ago
It really just requires a network that doesn't use some kind of NAC since you can trivially do ARP poisoning of your target.

TekMol 20 hours ago
Even though the software might have been written by AMD, I think there is at least one more party to blame.

Who has put that software on the PC in the first place?

Was it the manufacturer?

Or was it Microsoft via Windows?

bravetraveler 1 day ago
Based on the policy (and my hat) I have to assume some business partner failed to maintain the 'ca-certificates' equivalent for Windows (or NTP) and was rewarded in their insane demand for plaintext.

So easy to fix, just... why? My kingdom for an 's'. One of these policies is not like the others. Consider certificates and signatures before categorically turning a blind eye to MitM, please: you "let them in", AMD. Wow.

TacticalCoder 1 day ago
> This means that a malicious attacker on your network, or a nation state that has access to your ISP can easily perform a MITM attack and replace the network response with any malicious executable of their choosing.

    http://www2.ati.com/...
I'm blocking port 80 since forever so there's that.

But now ati.com is going straight into my unbound DNS server's blocklist.

Habgdnv 1 day ago
I was in the shop for a new PC today and had decided on a 9950x3d, but I don't know how, I opened HN just before the checkout and now I am a happy owner of an Intel 14900!

NullPrefix 1 day ago
>Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts

I love how they grouped man in the middle there

coip 1 day ago
Spooky. This is not an exposure if using Linux?

yrro 22 hours ago
Of course not, the vulnerability is in "AMD’s AutoUpdate software" (i.e., vendor trash).

Kodiack 22 hours ago
If you’re using Linux you’re almost certainly using your package manager to get any relevant updates.