The RCE that AMD wouldn't fix

Posted by MrBruh 2 hours ago

The RCE that AMD wouldn't fix(mrbruh.com)

89 points | 32 comments

Terr_ 44 minutes ago|

> Final update: A couple of days before the embargo ended (and after I wrote the majority of this blog post), AMD told me what their patch for this vulnerability is [...] Although it is true that they now fully use HTTPS, the claim about signature verification is untrue; they only perform a CRC-32 check on the downloaded executable, which is not cryptographically secure.

tlb 2 hours ago||

It's ridiculous to consider MITM attacks out of scope for taking over your computer. Also, there are probably ways to exploit this without a true MITM like DNS cache poisoning. But it's best to just assume the whole internet is MITMed.

amiga386 1 hour ago||

MITM where attacker needs to install their own CA certs on the victim's device -- sure, out of scope.

MITM because you used http instead of https and you don't have any other verified cryptographic signature on your data -- get tae fuck, fix it pronto.

pietervdvn 1 hour ago||

I'd even count this as "having local access to the device", as that is what is needed to install such a cert

arcfour 4 minutes ago||

I think it's fair to say that requiring local administrative access to the device is out of scope, since you have already completely pwned the device in that case, which is what what you need to install a CA cert on any OSes.

joxdosba 42 minutes ago|||

Why would anyone ever exclude true mitm?

Various domain registrars have been compromised over and over again (often by children!), resulting in companies like Tesla and Cloudflare getting owned.

The reality is that any vaguely competent attacker can compromise a court clerk and just compel e.g. the .com registry to hand over whatever domain they want.

Although I suppose the aforementioned problem has significant implications beyond dns…

gruez 9 minutes ago||

>Why would anyone ever exclude true mitm?

Same reason security programs exclude social engineering, even though that's a pretty common way for companies to get pwned.

sigmoid10 2 hours ago|||

Out of scope does not necessarily mean out of impact. It is merely a question of how far a company wants to be responsible for the environment their software is run in. Most of the time that answer is "not much."

tuckerpo 1 hour ago|||

Out of scope in this case means "we don't wanna pay you"

dlcarrier 2 hours ago||

But I use a Wi-Fi password, so my phone says it's secure!

nickdothutton 1 hour ago||

AMD's inability to make good software has been a recurring problem for decades. Many years ago I had some success with their optimising compiler, but everything else I've touched was bad. A real pity.

dcminter 2 hours ago||

The "signature verification" in the fix being CRC32 is pretty hilariously clueless.

jeroenhd 1 hour ago||

It's technically possible (though I don't know if they actually do this) that they're not referring to a signature check in the download part, but are verifying the code signing signature of the executable downloaded. You'd only notice the CRC if you were looking at the downloaded content, but if the updater refuses to launch an executable that isn't signed by AMD's cert then they would be fine.

Given the way AMD has been treating this issue, I'm assuming they're just incompetent, though.

LgWoodenBadger 1 hour ago||

A manager somewhere made the embarrassingly wrong decision to not fix this, and they’re too egotistical to correct their mistake.

That’s my take.

throwway120385 1 hour ago|||

Especially because if they had read about or studied this problem they would find tons of prior art where CRC32 was considered not secure for solving the problem. CRC32 solves a different problem -- how do you verify that the data that was received is identical to the data that was sent. It makes no guarantees about who is sending the data, which is the real problem signatures solve.

wat10000 1 hour ago||

More specifically, it solves the problem of verifying that the data received was not accidentally corrupted somehow. Unlike cryptographic hashes, CRC32 does not do much to defend against deliberate, malicious modification. It's too easy to craft some different data that matches a given CRC32 value.

AlotOfReading 1 hour ago||

Computing a CRC is equivalent to attacking it. The checksum is the value that produces a certain fixed constant when appended to the data. This is why you'll often see checksums as the last field in a message. It allows for hardware to verify the entire message by checking if the CRC of the bytes equals that fixed constant without having to parse it.

sitkack 2 hours ago||

They should have done base64 encryption before the crc32. noobs

larpfinder 37 minutes ago||

Perhaps they're concerned that you're simultaneously a 'security professional' and online harasser/doxxer? https://www.youtube.com/watch?v=YRI4Dshn0CE&t=3114s

qrobit 1 hour ago||

previously https://news.ycombinator.com/item?id=46906947

leecommamichael 1 hour ago||

Thank you for looking into this, I also have the annoying pop-up and have been suspicious of it…

bwfan123 2 hours ago||

> In my frustration, I decided to punish this software

Love this. I am frustrated by idiot software features everywhere, but am not triggered yet to punish them. AI automation is coming close however.

hilariously 45 minutes ago|

I got so mad at plex/jellyfin's crap I vibe coded an entire entertainment system out of spite.

Works great!

Dwedit 1 hour ago||

There's two requests involved for the auto updater, one to grab the XML file, and one to grab the driver file over plain http.

If the autoupdater can't handle the redirection when grabbing the XML file, then it's a case of accidental safety by mistake that would prevent grabbing the plain http file.

OkayPhysicist 1 hour ago|

AMD's utter incompetence when it comes to the software side of things is truly, truly baffling to me. It's not like you need a mountain of developers, a team or two on the right project would do wonders for their market share.

For example: Implement the CUDA. CUDA's won, hands down, that toothpaste is solidly outside the tube. Luckily, to the outside observer CUDA is just an API, and API's aren't copyrightable. Literally nothing is stopping AMD from hiring a relatively small team of developers to make AMD GPUs CUDA-compatible.

More comments...