• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

"Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006

AleksandarK

News Editor
Staff member
Joined
Aug 19, 2017
Messages
2,475 (0.95/day)
A critical security flaw known as "Sinkclose" (CVE-2023-31315) has been identified in all AMD processors dating back to 2006, potentially affecting hundreds of millions of devices worldwide. This vulnerability allows malicious actors to exploit the chip architecture, leading to unauthorized access to sensitive data. Researchers Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, have revealed that the vulnerability can be exploited through various methods, enabling attackers to extract confidential information from affected systems, including passwords and personal data. The issue is especially concerning, given that it is present in all AMD CPUs made in the last 18 years and their widespread use in both consumer and enterprise environments. However, to exploit this vulnerability, an attacker must possess access to system's kernel. Downloading of malware-infused files can trigger it, so general safety measures are recommended.

The Sinkclose method exploits a little-known capability in AMD processors called TClose. This name is a blend of "TClose" and "Sinkhole," with the latter referring to a previous vulnerability found in Intel's System Management Mode in 2015. AMD chips employ a protective mechanism named TSeg, which blocks operating systems from accessing a specific memory area reserved for System Management Mode (SMM), known as System Management Random Access Memory (SMRAM). However, the TClose feature is designed to maintain backward compatibility with older hardware that might use the same memory addresses as SMRAM. It does this by remapping memory when activated. The security experts discovered that they could manipulate this TClose remapping function using only standard operating system permissions. By doing so, they could deceive the SMM into retrieving altered data, enabling them to redirect the processor and run their own instructions with the high-level privileges of SMM. This technique essentially allows attackers to bypass standard security measures and execute malicious code at one of the most privileged levels of the processor, potentially compromising the entire system.




In response to the discovery, AMD has initiated a patching process for its critical chip lines, aiming to mitigate the risks associated with this flaw. The company works closely with hardware manufacturers and software developers to ensure that updates are deployed swiftly and effectively. Enrique Nissim and Krzysztof Okupski agreed not to publish any proof-of-concept code for the vulnerability to ensure that the patches aren't rushed and systems are not getting exploited. AMD already issued patched for most of its models, and you should check out the official website for your specific mitigation firmware update. The enterprise EPYC CPUs and Instinct accelerators have been a first-priority products with patches implemented in May, while consumer desktop/laptop 4000/5000/7000/8000 series CPUs received a fix in August. No fixes are planned for 3000 series Ryzen CPUs. Workstation-grade CPUs have also received an update to mitigate this issue.

Update 08:20 UTC: AMD confirmed that the Ryzen 3000 series "Matisse" processors are getting an update planned for August 20, 2024.

View at TechPowerUp Main Site | Source
 
Joined
Jan 18, 2020
Messages
782 (0.45/day)
Yes and you need kernel level access to exploit it, i.e installing a compromised driver or something like that.

The concern for your average user is less than zero.

If a threat actor has that kind of access they can do much worse than just this exploit. I guess governments or people running missions critical intelligence or military infrastructure could be concerned. I'd also guess there are zero of these first gen ryzen chips being used in such places anyway.
 
Joined
Mar 21, 2005
Messages
1,642 (0.23/day)
Location
Maribor, Slovenia, EU
System Name Core i9 rig / Lenovo laptop
Processor Core i9 10900X / Core i5 8350U
Motherboard Asus Prime X299 Edition 30 / Lenovo motherboard
Cooling Corsair H115i PRO RGB / stock cooler
Memory Gskill 4x8GB 3600mhz / 16GB 2400mhz
Video Card(s) Asus ROG Strix RTX 2080 Super / UHD 620
Storage Samsung SSD 970 PRO 1TB / Samsung OEM 256GB NVMe
Display(s) Dell UltraSharp UP3017 / Full HD IPS touch
Case Coolermaster mastercase H500M
Audio Device(s) Onboard sound
Power Supply Enermax Platimax 1700 watt / Lenovo 65watt power adapter
Mouse Logitech M500s
Keyboard Cherry
Software Windows 11 Pro / Windows 11 Pro
I hope that the fix won't affect the performance of these chips.
 
Last edited:
Joined
Jun 29, 2018
Messages
528 (0.23/day)
The security experts discovered that they could manipulate this TClose remapping function using only standard operating system permissions
Just to clarify, "standard operating system permissions" means administrative access. In this context "standard" means ring 0 in the x86 nomenclature, while SMM itself is often described as ring -2.
AMD was made aware of this vulnerability before revealing it; however, time is still required to implement the fix.
In the AMD security bulletin linked in the news it clearly states that microcode fix has been already released in May 2024, but only for EPYCs and Instinct APUs.
Fixed consumer firmware will come later this year.

I hope that the fix won't have a performance penalty.
It's unlikely since the fix for EPYCs was already in use for a few months.
 

gs020p

New Member
Joined
Apr 30, 2024
Messages
7 (0.04/day)
Yepp till Intel stock did not crash AMD issues never got highlighted. We as users will always be played by state to use our data in the name of hackers.
 
Joined
Jun 3, 2008
Messages
673 (0.11/day)
Location
Pacific Coast
System Name Z77 Rev. 1
Processor Intel Core i7 3770K
Motherboard ASRock Z77 Extreme4
Cooling Water Cooling
Memory 2x G.Skill F3-2400C10D-16GTX
Video Card(s) EVGA GTX 1080
Storage Samsung 850 Pro
Display(s) Samsung 28" UE590 UHD
Case Silverstone TJ07
Audio Device(s) Onboard
Power Supply Seasonic PRIME 600W Titanium
Mouse EVGA TORQ X10
Keyboard Leopold Tenkeyless
Software Windows 10 Pro 64-bit
Benchmark Scores 3DMark Time Spy: 7695
Yes and you need kernel level access to exploit it, i.e installing a compromised driver or something like that.

The concern for your average user is less than zero.

If a threat actor has that kind of access they can do much worse than just this exploit. I guess governments or people running missions critical intelligence or military infrastructure could be concerned. I'd also guess there are zero of these first gen ryzen chips being used in such places anyway.
I don't understand this sort of flippant response. People install malicious software every day via social engineering. This is another exploit that allows slightly malicious software to become very malicious. There is no reason to downplay its potential until it is fixed.
 
Joined
Dec 16, 2021
Messages
278 (0.27/day)
Location
Denmark
Processor AMD Ryzen 7 3800X
Motherboard ASUS Prime X470-Pro
Cooling bequiet! Dark Rock Slim
Memory 64 GB ECC DDR4 2666 MHz (Samsung M391A2K43BB1-CTD)
Video Card(s) eVGA GTX 1080 SC Gaming, 8 GB
Storage 1 TB Samsung 970 EVO Plus, 1 TB Samsung 850 EVO, 4 TB Lexar NM790, 12 TB WD HDDs
Display(s) Acer Predator XB271HU
Case Corsair Obsidian 550D
Audio Device(s) Creative X-Fi Fatal1ty
Power Supply Seasonic X-Series 560W
Mouse Logitech G502
Keyboard Glorious GMMK
A bit miffed that the 3000 (and also 1000 and 2000) series won't get a patch. Thinking about desktop chips, of course.
 
Joined
Sep 6, 2013
Messages
3,294 (0.81/day)
Location
Athens, Greece
System Name 3 desktop systems: Gaming / Internet / HTPC
Processor Ryzen 5 5500 / Ryzen 5 4600G / FX 6300 (12 years latter got to see how bad Bulldozer is)
Motherboard MSI X470 Gaming Plus Max (1) / MSI X470 Gaming Plus Max (2) / Gigabyte GA-990XA-UD3
Cooling Νoctua U12S / Segotep T4 / Snowman M-T6
Memory 32GB - 16GB G.Skill RIPJAWS 3600+16GB G.Skill Aegis 3200 / 16GB JUHOR / 16GB Kingston 2400MHz (DDR3)
Video Card(s) ASRock RX 6600 + GT 710 (PhysX)/ Vega 7 integrated / Radeon RX 580
Storage NVMes, ONLY NVMes/ NVMes, SATA Storage / NVMe boot(Clover), SATA storage
Display(s) Philips 43PUS8857/12 UHD TV (120Hz, HDR, FreeSync Premium) ---- 19'' HP monitor + BlitzWolf BW-V5
Case Sharkoon Rebel 12 / CoolerMaster Elite 361 / Xigmatek Midguard
Audio Device(s) onboard
Power Supply Chieftec 850W / Silver Power 400W / Sharkoon 650W
Mouse CoolerMaster Devastator III Plus / CoolerMaster Devastator / Logitech
Keyboard CoolerMaster Devastator III Plus / CoolerMaster Devastator / Logitech
Software Windows 10 / Windows 10&Windows 11 / Windows 10
Time to replace those old Opteron servers.
Or maybe
to exploit this vulnerability, an attacker must possess access to system's kernel
not.

A bit miffed that the 3000 (and also 1000 and 2000) series won't get a patch. Thinking about desktop chips, of course.
AMD does have a habit of not supporting hardware that is still in the market. I am not sure if the old(10-15 years ago) AMD was doing it, but today's AMD does.
I mean, Vega is not getting the same upgrades as RDNA2/3 chips, but it's still on the market, in the form of the iGPU in many AMD chips.
3000(Zen 2) series is still selling as mobile chips and desktop chips. Under new names as part of mobile 7000 series, or as part of the 4000 desktop APUs.
 
Last edited:
Joined
Jan 11, 2022
Messages
768 (0.76/day)
Yes and you need kernel level access to exploit it, i.e installing a compromised driver or something like that.

The concern for your average user is less than zero.

If a threat actor has that kind of access they can do much worse than just this exploit. I guess governments or people running missions critical intelligence or military infrastructure could be concerned. I'd also guess there are zero of these first gen ryzen chips being used in such places anyway.
The concern for your average user with administrator privileges, which is like 99.9% of home users is very much there.
Especially if they use pirated software or cheat software which makes you turn off your anti virus software
I've even seen legitimate printer drivers trigger antivirus warnings forcing me to turn off protection to be able to install the device.

So, yes it's important this patch gets pushed and I hope it happens automatically trough a windows update or something so tech illiterate's machines get patched too.
 
Joined
Apr 18, 2019
Messages
2,315 (1.16/day)
Location
Olympia, WA
System Name Sleepy Painter
Processor AMD Ryzen 5 3600
Motherboard Asus TuF Gaming X570-PLUS/WIFI
Cooling FSP Windale 6 - Passive
Memory 2x16GB F4-3600C16-16GVKC @ 16-19-21-36-58-1T
Video Card(s) MSI RX580 8GB
Storage 2x Samsung PM963 960GB nVME RAID0, Crucial BX500 1TB SATA, WD Blue 3D 2TB SATA
Display(s) Microboard 32" Curved 1080P 144hz VA w/ Freesync
Case NZXT Gamma Classic Black
Audio Device(s) Asus Xonar D1
Power Supply Rosewill 1KW on 240V@60hz
Mouse Logitech MX518 Legend
Keyboard Red Dragon K552
Software Windows 10 Enterprise 2019 LTSC 1809 17763.1757
I'm guessing the first unaffected uArch is K8?
Phenom/K10 was introduced in 2006, iirc.
 
Joined
Oct 10, 2009
Messages
936 (0.17/day)
System Name Desktop
Processor AMD Ryzen 7 5800X3D
Motherboard MAG X570S Torpedo Max
Cooling Corsair H100x
Memory 64GB Corsair CMT64GX4M2C3600C18 @ 3600MHz / 18-19-19-39-1T
Video Card(s) EVGA RTX 3080 Ti FTW3 Ultra
Storage Kingston KC3000 1TB + Kingston KC3000 2TB + Samsung 860 EVO 1TB
Display(s) 32" Dell G3223Q (2160p @ 144Hz)
Case Fractal Meshify 2 Compact
Audio Device(s) ifi Audio ZEN DAC V2 + Focal Radiance / HyperX Solocast
Power Supply Super Flower Leadex V Platinum Pro 1000W
Mouse Razer Viper Ultimate
Keyboard Razer Huntsman V2 Optical (Linear Red)
Software Windows 11 Pro x64
Where humans exist, errors exist.
 

Frick

Fishfaced Nincompoop
Joined
Feb 27, 2006
Messages
19,320 (2.84/day)
Location
Piteå
System Name White DJ in Detroit
Processor Ryzen 5 5600
Motherboard Asrock B450M-HDV
Cooling Be Quiet! Pure Rock 2
Memory 2 x 16GB Kingston Fury 3400mhz
Video Card(s) XFX 6950XT Speedster MERC 319
Storage Kingston A400 240GB | WD Black SN750 2TB |WD Blue 1TB x 2 | Toshiba P300 2TB | Seagate Expansion 8TB
Display(s) Samsung U32J590U 4K + BenQ GL2450HT 1080p
Case Fractal Design Define R4
Audio Device(s) Line6 UX1 + some headphones, Nektar SE61 keyboard
Power Supply Corsair RM850x v3
Mouse Logitech G602
Keyboard Cherry MX Board 1.0 TKL Brown
Software Windows 10 Pro
Benchmark Scores Rimworld 4K ready!
The concern for your average user with administrator privileges, which is like 99.9% of home users is very much there.

Can you even run Windows 10/11 as admin by default?
 
Joined
Jan 11, 2022
Messages
768 (0.76/day)
Can you even run Windows 10/11 as admin by default?
sure you can, just because it's tied to a cloud account doesn't take away your admin privileges.
you wouldn't be able to install office 365 is you weren't
 

Frick

Fishfaced Nincompoop
Joined
Feb 27, 2006
Messages
19,320 (2.84/day)
Location
Piteå
System Name White DJ in Detroit
Processor Ryzen 5 5600
Motherboard Asrock B450M-HDV
Cooling Be Quiet! Pure Rock 2
Memory 2 x 16GB Kingston Fury 3400mhz
Video Card(s) XFX 6950XT Speedster MERC 319
Storage Kingston A400 240GB | WD Black SN750 2TB |WD Blue 1TB x 2 | Toshiba P300 2TB | Seagate Expansion 8TB
Display(s) Samsung U32J590U 4K + BenQ GL2450HT 1080p
Case Fractal Design Define R4
Audio Device(s) Line6 UX1 + some headphones, Nektar SE61 keyboard
Power Supply Corsair RM850x v3
Mouse Logitech G602
Keyboard Cherry MX Board 1.0 TKL Brown
Software Windows 10 Pro
Benchmark Scores Rimworld 4K ready!
sure you can, just because it's tied to a cloud account doesn't take away your admin privileges.
you wouldn't be able to install office 365 is you weren't

Why would installing programs require admin privilegies? If I launch CMD it does not have that.
 
Joined
Jun 20, 2024
Messages
268 (2.35/day)
"No fixes are planned for 3000 series Ryzen CPUs."

I wonder why such an arbitrary cut-off date for relatively recent product? There wasn't much incentive for Ryzen 3000 users to upgrade, so I think they are still very common?
I am even more confused as the Ryzen 4000 APUs are using Zen2 cores which normal desktop Ryzen 3000 CPUs also use. Maybe because 3000 series APUs are not Zen2 based they saved confusion by excluding the entire 3000 lineup... seems odd/dumb, especially as they qualify for the whole BS around Win11 compatibility.

Why would installing programs require admin privilegies? If I launch CMD it does not have that.
Not until you run a command that does and then you get the UAC prompt...
 
Joined
Feb 15, 2019
Messages
1,648 (0.80/day)
System Name Personal Gaming Rig
Processor Ryzen 7800X3D
Motherboard MSI X670E Carbon
Cooling MO-RA 3 420
Memory 32GB 6000MHz
Video Card(s) RTX 4090 ICHILL FROSTBITE ULTRA
Storage 4x 2TB Nvme
Display(s) Samsung G8 OLED
Case Silverstone FT04
to exploit this vulnerability, an attacker must possess access to system's kernel

I don't think anyone having access to your kernel really needs to use an vulnerability anymore.
 
Joined
Jun 3, 2008
Messages
673 (0.11/day)
Location
Pacific Coast
System Name Z77 Rev. 1
Processor Intel Core i7 3770K
Motherboard ASRock Z77 Extreme4
Cooling Water Cooling
Memory 2x G.Skill F3-2400C10D-16GTX
Video Card(s) EVGA GTX 1080
Storage Samsung 850 Pro
Display(s) Samsung 28" UE590 UHD
Case Silverstone TJ07
Audio Device(s) Onboard
Power Supply Seasonic PRIME 600W Titanium
Mouse EVGA TORQ X10
Keyboard Leopold Tenkeyless
Software Windows 10 Pro 64-bit
Benchmark Scores 3DMark Time Spy: 7695
I don't think anyone having access to your kernel really needs to use an vulnerability anymore.
Why not? Kernel access just needs social engineering. That happens all the time. That will "only" give them Ring 0 access. This vulnerability would allegedly give them Ring -2 access. That's where you can do lasting damage without detection.
 
Joined
Feb 20, 2019
Messages
8,074 (3.92/day)
System Name Bragging Rights
Processor Atom Z3735F 1.33GHz
Motherboard It has no markings but it's green
Cooling No, it's a 2.2W processor
Memory 2GB DDR3L-1333
Video Card(s) Gen7 Intel HD (4EU @ 311MHz)
Storage 32GB eMMC and 128GB Sandisk Extreme U3
Display(s) 10" IPS 1280x800 60Hz
Case Veddha T2
Audio Device(s) Apparently, yes
Power Supply Samsung 18W 5V fast-charger
Mouse MX Anywhere 2
Keyboard Logitech MX Keys (not Cherry MX at all)
VR HMD Samsung Oddyssey, not that I'd plug it into this though....
Software W10 21H1, barely
Benchmark Scores I once clocked a Celeron-300A to 564MHz on an Abit BE6 and it scored over 9000.
Dumb question;

Once a bad actor has kernel access, isn't the whole system already 100% exploitable, 100% compromised at that point, no matter what?

Ring 0 access is already a total system loss, time for a system wipe involving a BIOS reflash and then bootup from an external drive to secure-erase the original disk. The fact this gives attackers even more access is a moot point, no?
 
Joined
Jun 3, 2008
Messages
673 (0.11/day)
Location
Pacific Coast
System Name Z77 Rev. 1
Processor Intel Core i7 3770K
Motherboard ASRock Z77 Extreme4
Cooling Water Cooling
Memory 2x G.Skill F3-2400C10D-16GTX
Video Card(s) EVGA GTX 1080
Storage Samsung 850 Pro
Display(s) Samsung 28" UE590 UHD
Case Silverstone TJ07
Audio Device(s) Onboard
Power Supply Seasonic PRIME 600W Titanium
Mouse EVGA TORQ X10
Keyboard Leopold Tenkeyless
Software Windows 10 Pro 64-bit
Benchmark Scores 3DMark Time Spy: 7695
Dumb question;

Once a bad actor has kernel access, isn't the whole system already 100% exploitable, 100% compromised at that point, no matter what?

Ring 0 access is already a total system loss, time for a system wipe involving a BIOS reflash and then bootup from an external drive to secure-erase the original disk. The fact this gives attackers even more access is a moot point, no?
No. A threat can operate quietly in Ring 0 theoretically for a while, but once found out, it can be detected and eliminated. You gave an example of how it could be eliminated. But let's be real: almost no one is going to do a bios flash.

Ring -2 could theoretically avoid detection forever and not be eliminated so easily. Almost no one will think that they will have something operating at that level that a bios reflash is necessary.
 
Joined
Dec 12, 2016
Messages
1,702 (0.59/day)
Why not? Kernel access just needs social engineering. That happens all the time. That will "only" give them Ring 0 access. This vulnerability would allegedly give them Ring -2 access. That's where you can do lasting damage without detection.
He or she means that already having Kernel level access gives you the ability to wreak havoc, even if Sinkclose didn’t exist.
 
Joined
May 19, 2009
Messages
1,857 (0.33/day)
Location
Latvia
System Name Personal \\ Work - HP EliteBook 840 G6
Processor 7700X \\ i7-8565U
Motherboard Asrock X670E PG Lightning
Cooling Noctua DH-15
Memory G.SKILL Trident Z5 RGB Black 32GB 6000MHz CL36 \\ 16GB DDR4-2400
Video Card(s) ASUS RoG Strix 1070 Ti \\ Intel UHD Graphics 620
Storage 2x KC3000 2TB, Samsung 970 EVO 512GB \\ OEM 256GB NVMe SSD
Display(s) BenQ XL2411Z \\ FullHD + 2x HP Z24i external screens via docking station
Case Fractal Design Define Arc Midi R2 with window
Audio Device(s) Realtek ALC1150 with Logitech Z533
Power Supply Corsair AX860i
Mouse Logitech G502
Keyboard Corsair K55 RGB PRO
Software Windows 11 \\ Windows 10
Dumb question;

Once a bad actor has kernel access, isn't the whole system already 100% exploitable, 100% compromised at that point, no matter what?

Ring 0 access is already a total system loss, time for a system wipe involving a BIOS reflash and then bootup from an external drive to secure-erase the original disk. The fact this gives attackers even more access is a moot point, no?
Not a dumb question, but yes, at that point you already have lost. Biggest issue is with virtualization - if you can escape it all these CPU vulnerabilities can allow attacker to start moving around.
 
Joined
Jun 3, 2008
Messages
673 (0.11/day)
Location
Pacific Coast
System Name Z77 Rev. 1
Processor Intel Core i7 3770K
Motherboard ASRock Z77 Extreme4
Cooling Water Cooling
Memory 2x G.Skill F3-2400C10D-16GTX
Video Card(s) EVGA GTX 1080
Storage Samsung 850 Pro
Display(s) Samsung 28" UE590 UHD
Case Silverstone TJ07
Audio Device(s) Onboard
Power Supply Seasonic PRIME 600W Titanium
Mouse EVGA TORQ X10
Keyboard Leopold Tenkeyless
Software Windows 10 Pro 64-bit
Benchmark Scores 3DMark Time Spy: 7695
He or she means that already having Kernel level access gives you the ability to wreak havoc, even if Sinkclose didn’t exist.
See reply above to same question.

One is lasting and avoids detection, the other not.

What is this logic? Because something that is bad already exists, something that is worse isn't bad?
 
Joined
Jun 20, 2024
Messages
268 (2.35/day)
Not a dumb question, but yes, at that point you already have lost. Biggest issue is with virtualization - if you can escape it all these CPU vulnerabilities can allow attacker to start moving around.
Hard to know if virtualisation would be an attack vector - accessing the SMM on many machines is at a 'system'/interrupt level, however in a virtual machine the hypervisor is pretending to be the system with fake hardware interrupts, etc., and I'd hope / expect there would be protections in place around this function (SMM goes back a looooong time) - normal apps / most OS functions would never likely need to access the SMM either so not sure even initialising the capability would even be virtualised. Potentially VMs with VT-d/IOMMU priviledges may be able to escape this, but that's assuming that access vector is exposed through that resource branch (which is unlikely...?).
Most modern uses of SMM for power management, device hotplugging, plug/play & IO/APIC stuff, would all be masked by the hypervisor in nearly every instance I can think of.

This would seem to be a vulnerability that is primarily exposed by the exploit needing to be executed by someone/something at the main OS level.
 
Last edited:
Joined
Dec 1, 2022
Messages
147 (0.22/day)
What is this logic? Because something that is bad already exists, something that is worse isn't bad?
No its because something worse is a moot point as if someone attacks at ring 0, the user is already compromised, though either is unlikely unless if the user is clicking on suspicious links.
 
Last edited:
Top