Friday, August 16th 2024
"Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006
A critical security flaw known as "Sinkclose" (CVE-2023-31315) has been identified in all AMD processors dating back to 2006, potentially affecting hundreds of millions of devices worldwide. This vulnerability allows malicious actors to exploit the chip architecture, leading to unauthorized access to sensitive data. Researchers Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, have revealed that the vulnerability can be exploited through various methods, enabling attackers to extract confidential information from affected systems, including passwords and personal data. The issue is especially concerning, given that it is present in all AMD CPUs made in the last 18 years and their widespread use in both consumer and enterprise environments. However, to exploit this vulnerability, an attacker must possess access to system's kernel. Downloading of malware-infused files can trigger it, so general safety measures are recommended.
The Sinkclose method exploits a little-known capability in AMD processors called TClose. This name is a blend of "TClose" and "Sinkhole," with the latter referring to a previous vulnerability found in Intel's System Management Mode in 2015. AMD chips employ a protective mechanism named TSeg, which blocks operating systems from accessing a specific memory area reserved for System Management Mode (SMM), known as System Management Random Access Memory (SMRAM). However, the TClose feature is designed to maintain backward compatibility with older hardware that might use the same memory addresses as SMRAM. It does this by remapping memory when activated. The security experts discovered that they could manipulate this TClose remapping function using only standard operating system permissions. By doing so, they could deceive the SMM into retrieving altered data, enabling them to redirect the processor and run their own instructions with the high-level privileges of SMM. This technique essentially allows attackers to bypass standard security measures and execute malicious code at one of the most privileged levels of the processor, potentially compromising the entire system.In response to the discovery, AMD has initiated a patching process for its critical chip lines, aiming to mitigate the risks associated with this flaw. The company works closely with hardware manufacturers and software developers to ensure that updates are deployed swiftly and effectively. Enrique Nissim and Krzysztof Okupski agreed not to publish any proof-of-concept code for the vulnerability to ensure that the patches aren't rushed and systems are not getting exploited. AMD already issued patched for most of its models, and you should check out the official website for your specific mitigation firmware update. The enterprise EPYC CPUs and Instinct accelerators have been a first-priority products with patches implemented in May, while consumer desktop/laptop 4000/5000/7000/8000 series CPUs received a fix in August.No fixes are planned for 3000 series Ryzen CPUs. Workstation-grade CPUs have also received an update to mitigate this issue.
Update 08:20 UTC: AMD confirmed that the Ryzen 3000 series "Matisse" processors are getting an update planned for August 20, 2024.
Sources:
Wired, AMD
The Sinkclose method exploits a little-known capability in AMD processors called TClose. This name is a blend of "TClose" and "Sinkhole," with the latter referring to a previous vulnerability found in Intel's System Management Mode in 2015. AMD chips employ a protective mechanism named TSeg, which blocks operating systems from accessing a specific memory area reserved for System Management Mode (SMM), known as System Management Random Access Memory (SMRAM). However, the TClose feature is designed to maintain backward compatibility with older hardware that might use the same memory addresses as SMRAM. It does this by remapping memory when activated. The security experts discovered that they could manipulate this TClose remapping function using only standard operating system permissions. By doing so, they could deceive the SMM into retrieving altered data, enabling them to redirect the processor and run their own instructions with the high-level privileges of SMM. This technique essentially allows attackers to bypass standard security measures and execute malicious code at one of the most privileged levels of the processor, potentially compromising the entire system.In response to the discovery, AMD has initiated a patching process for its critical chip lines, aiming to mitigate the risks associated with this flaw. The company works closely with hardware manufacturers and software developers to ensure that updates are deployed swiftly and effectively. Enrique Nissim and Krzysztof Okupski agreed not to publish any proof-of-concept code for the vulnerability to ensure that the patches aren't rushed and systems are not getting exploited. AMD already issued patched for most of its models, and you should check out the official website for your specific mitigation firmware update. The enterprise EPYC CPUs and Instinct accelerators have been a first-priority products with patches implemented in May, while consumer desktop/laptop 4000/5000/7000/8000 series CPUs received a fix in August.
Update 08:20 UTC: AMD confirmed that the Ryzen 3000 series "Matisse" processors are getting an update planned for August 20, 2024.
120 Comments on "Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006
The concern for your average user is less than zero.
If a threat actor has that kind of access they can do much worse than just this exploit. I guess governments or people running missions critical intelligence or military infrastructure could be concerned. I'd also guess there are zero of these first gen ryzen chips being used in such places anyway.
Fixed consumer firmware will come later this year. It's unlikely since the fix for EPYCs was already in use for a few months.
Or maybe not. AMD does have a habit of not supporting hardware that is still in the market. I am not sure if the old(10-15 years ago) AMD was doing it, but today's AMD does.
I mean, Vega is not getting the same upgrades as RDNA2/3 chips, but it's still on the market, in the form of the iGPU in many AMD chips.
3000(Zen 2) series is still selling as mobile chips and desktop chips. Under new names as part of mobile 7000 series, or as part of the 4000 desktop APUs.
Especially if they use pirated software or cheat software which makes you turn off your anti virus software
I've even seen legitimate printer drivers trigger antivirus warnings forcing me to turn off protection to be able to install the device.
So, yes it's important this patch gets pushed and I hope it happens automatically trough a windows update or something so tech illiterate's machines get patched too.
Phenom/K10 was introduced in 2006, iirc.
I wonder why such an arbitrary cut-off date for relatively recent product? There wasn't much incentive for Ryzen 3000 users to upgrade, so I think they are still very common?
you wouldn't be able to install office 365 is you weren't
Once a bad actor has kernel access, isn't the whole system already 100% exploitable, 100% compromised at that point, no matter what?
Ring 0 access is already a total system loss, time for a system wipe involving a BIOS reflash and then bootup from an external drive to secure-erase the original disk. The fact this gives attackers even more access is a moot point, no?
Ring -2 could theoretically avoid detection forever and not be eliminated so easily. Almost no one will think that they will have something operating at that level that a bios reflash is necessary.
One is lasting and avoids detection, the other not.
What is this logic? Because something that is bad already exists, something that is worse isn't bad?
Most modern uses of SMM for power management, device hotplugging, plug/play & IO/APIC stuff, would all be masked by the hypervisor in nearly every instance I can think of.
This would seem to be a vulnerability that is primarily exposed by the exploit needing to be executed by someone/something at the main OS level.
I barely have a clue, but that's why I hire people whose sole job it is to be on top of this stuff.