AMD's 'Sinkclose' vulnerability affects hundreds of millions of processors, enables data theft — AMD begins patching issue in critical chip lines, more to follow


EDIT 8/11/2024 8:30am ET: AMD has told Tom's Hardware that it will not patch all of the impacted processors for this vulnerability. You can read more about the chips that will not be patched here.

Original article:

'Sinkclose' is the name of a recently discovered major security vulnerability that affects virtually all of AMD's processors released since 2006. This flaw allows attackers to deeply infiltrate a system, making it extremely difficult to detect or remove malicious software. The issue is so severe that, in some cases, it may be easier to abandon an infected machine than to repair it, Wired reports.

There is good news, though: since the flaw went undiscovered for 18 years, it likely hasn't been exploited. Also, AMD is patching its platforms to protect them, though not all affected processors have received a patch yet.

Sinkclose evades antiviruses and persists even after OS reinstall

The Sinkclose vulnerability allows hackers to execute code within the System Management Mode (SMM) of AMD processors, a highly privileged area typically reserved for critical firmware operations. To exploit this flaw, attackers must first gain access to a system's kernel, which isn't easy, but it is possible. In other words, the system must already have been compromised by some other attack.

Once this access is secured, the Sinkclose vulnerability allows the perpetrators to install bootkit malware that evades detection by standard antivirus tools, remains nearly invisible within the system, and can persist even after the operating system is reinstalled.

The vulnerability leverages an obscure feature in AMD chips known as TClose, which is meant to maintain compatibility with older devices. By manipulating this feature, the researchers were able to redirect the processor to execute their own code at the SMM level. This method is complex but provides attackers with deep and persistent control over the system.

Security researchers Enrique Nissim and Krzysztof Okupski from IOActive identified the Sinkclose vulnerability. They will present it at the Defcon conference tomorrow.  

"To take advantage of the vulnerability, a hacker has to already possess access to a computer's kernel, the core of its operating system," an AMD statement issued to Wired reads. AMD likens the Sinkclose technique to gaining access to a bank's safe deposit boxes after already getting past its alarms, guards, and vault door.

Nissim and Okupski point out that although exploiting Sinkclose requires kernel-level access, vulnerabilities at this level are frequently discovered in Windows and Linux systems. They suggest that advanced state-sponsored hackers likely already have the tools to exploit these kinds of vulnerabilities. According to the researchers, kernel exploits are readily available, making Sinkclose the next step for attackers. To remove the malware, one would need to open the computer, connect an SPI flash programmer to the flash chip that holds the firmware, carefully inspect its contents, and then remove the malware.
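The inspection step in that removal procedure comes down to comparing what is actually stored in the SPI flash with what the vendor shipped. The following Python snippet is an added illustration, not code from the article or from the researchers; it assumes you already have a dump produced by the programmer and a known-good vendor image as raw bytes, and it reports the byte ranges where the two differ (including a size mismatch), which is the evidence a technician wants before deciding to reflash. The sample images below are constructed inline so the script runs offline.

```python
import hashlib
from typing import Dict, List, Tuple


def differing_regions(golden: bytes, dump: bytes) -> List[Tuple[int, int]]:
    """Return half-open (start, end) byte ranges where dump differs from golden.
    A length mismatch is reported as one extra region covering the tail."""
    n = min(len(golden), len(dump))
    regions: List[Tuple[int, int]] = []
    start = None
    for i in range(n):
        if golden[i] != dump[i]:
            if start is None:
                start = i          # open a new differing run
        elif start is not None:
            regions.append((start, i))  # close the run at the first equal byte
            start = None
    if start is not None:
        regions.append((start, n))
    if len(golden) != len(dump):
        regions.append((n, max(len(golden), len(dump))))
    return regions


def report(golden: bytes, dump: bytes) -> Dict[str, object]:
    """Summarise an SPI flash dump against the vendor image."""
    return {
        "golden_sha256": hashlib.sha256(golden).hexdigest(),
        "dump_sha256": hashlib.sha256(dump).hexdigest(),
        "identical": golden == dump,
        "regions": differing_regions(golden, dump),
    }


# Constructed sample data (not real firmware): a 4 KiB "vendor" image,
# and a "dump" with a 16-byte overwritten run plus 8 trailing bytes.
GOLDEN = bytes(range(256)) * 16
_tampered = bytearray(GOLDEN)
_tampered[0x800:0x810] = b"\xff" * 16   # constructed: modified bytes
_tampered += b"\x00" * 8                # constructed: unexpected extra tail
DUMP = bytes(_tampered)

if __name__ == "__main__":
    for key, value in report(GOLDEN, DUMP).items():
        print(f"{key}: {value}")
```

In practice, GOLDEN and DUMP would be read from the vendor's firmware file and the programmer's dump file; any reported region is a reason to reflash from the vendor image rather than trust the existing contents.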

Impacts a wide range of AMD CPUs

The Sinkclose flaw impacts a wide range of AMD processors used in client PCs, servers, and embedded systems. Unfortunately, even AMD's latest Zen-based processors are especially exposed when the computer maker or motherboard vendor has not properly implemented the Platform Secure Boot feature, because malware installed in AMD's secure enclave is then harder to detect.

The researchers waited 10 months before disclosing the vulnerability to give AMD more time to address it. AMD has acknowledged the vulnerability and begun releasing mitigation options for affected products, including its EPYC datacenter and Ryzen PC processors. Patches for some products have already been issued, with more expected soon. However, AMD has not yet disclosed how it will address the vulnerability across all affected devices. 

The researchers caution that the vulnerability represents a significant risk, and users should not delay in implementing any available fixes to protect their systems. Nissim and Okupski stress the importance of applying these patches as soon as they become available, despite the difficulty in exploiting the 'backdoor.' They argue that sophisticated state-sponsored hackers could already possess the means to exploit this vulnerability, making timely updates crucial to maintaining system security. 

Anton Shilov
Contributing Writer

Anton Shilov is a contributing writer at Tom’s Hardware. Over the past couple of decades, he has covered everything from CPUs and GPUs to supercomputers and from modern process technologies and latest fab tools to high-tech industry trends.

  • Marlin1975
    "To exploit this flaw, attackers must first gain access to a system's kernel, which isn't easy, but it is possible. However, the system must already have been compromised by some other attack. "

    So in other words, a nothing burger.
  • nightbird321
    Yes, hackers can do bad things after they already have complete control of your computer.
  • jeremyj_83
    Marlin1975 said:
    "To exploit this flaw, attackers must first gain access to a system's kernel, which isn't easy, but it is possible. However, the system must already have been compromised by some other attack. "

    So in other words, a nothing burger.
    Correct
  • mhmarefat
    They suggest that advanced state-sponsored hackers likely already have the tools to exploit these kinds of vulnerabilities.
    How about the states themselves? Some states do not even need to sponsor any hackers as they already have implemented backdoors inside ALL AMD and Intel CPUs since 2006. Intel Management Engine and AMD Secure Technology are both backdoors in complete NSA control (see here). And BTW, these operate completely independently of the OS and all they require is an internet connection. (See for example NotebookCheck, me_cleaner, even US controlled wikipedia)

    As Intel has confirmed the ME contains a switch to enable government authorities such as the NSA to make the ME go into High-Assurance Platform (HAP) mode after boot. This mode disables most of ME's functions, and was intended to be available only in machines produced for specific purchasers like the US government.
    So spare me this BS fearmongering. Suddenly people are worried about data theft.
  • edzieba
    nightbird321 said:
    Yes, hackers can do bad things after they already have complete control of your computer.
    Persistent rootkits (as this enables) are far more insidious. Format the drive, reinstall the OS, even swap to a brand new drive? The malware install persists. Pop the CPU out of an infected system and install it in a new system? The new system is infected.
    A single threat actor adding a rootkit to CPUs before reselling on eBay (or any other supply chain vulnerable to 3rd party insertion, such as Amazon fulfilment) could gain root access to as many boxes as they can ship CPUs, with no trivial way for end users to identify the infection, let alone remove it.

    Management-engine persistent malware is particularly nasty to deal with.

    Plus, AMD have decided to straight up NO FIX PLANNED the Ryzen 3000 series, so if you own one then no fix for you.
  • stuff and nonesense
    “Plus, AMD have decided to straight up NO FIX PLANNED the Ryzen 3000 series, so if you own one then no fix for you.”

    Not a justification, the 3000 series chips are 5 years old, 2 full generations. Chips to replace them from the 5000 series are inexpensive.
    My guess is that AMD reckon that there aren’t enough 3000 series chips in use now and it’s a potential way to sell some more 5000 parts.
  • Gururu
    Good reminder on vulnerabilities we face in general. Nothing is safe, particularly among state sponsored threats which could give a darn about the actual user information but can use a network attached workstation to terrible effect. Thanks for the reporting.
  • jakegg0926gg
    Is this like saying "if a robber has broken into your house, he can steal some of your stuff"?
  • vanadiel007
    Well, we do have secure boot so that should allow us to boot securely, right?

    So yes, security is as secure as the key to your door.
  • bluvg
    AMD likens the Sinkclose technique to gaining access to a bank's safe deposit boxes after already getting past its alarms, guards, and vault door.
    No, it's worse than that. It's like getting past all those things and allowing the installation of a secret door to the vault so that even if the bank kicks the thief out of the building, gets more guards, and upgrades the alarms, the thief can let themselves right back in directly to the vault, past the guards, without triggering any of the alarms.