Friday, August 16th 2024
"Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006
A critical security flaw known as "Sinkclose" (CVE-2023-31315) has been identified in all AMD processors dating back to 2006, potentially affecting hundreds of millions of devices worldwide. This vulnerability allows malicious actors to exploit the chip architecture, leading to unauthorized access to sensitive data. Researchers Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, have revealed that the vulnerability can be exploited through various methods, enabling attackers to extract confidential information from affected systems, including passwords and personal data. The issue is especially concerning, given that it is present in all AMD CPUs made in the last 18 years and their widespread use in both consumer and enterprise environments. However, to exploit this vulnerability, an attacker must possess access to system's kernel. Downloading of malware-infused files can trigger it, so general safety measures are recommended.
The Sinkclose method exploits a little-known capability in AMD processors called TClose. This name is a blend of "TClose" and "Sinkhole," with the latter referring to a previous vulnerability found in Intel's System Management Mode in 2015. AMD chips employ a protective mechanism named TSeg, which blocks operating systems from accessing a specific memory area reserved for System Management Mode (SMM), known as System Management Random Access Memory (SMRAM). However, the TClose feature is designed to maintain backward compatibility with older hardware that might use the same memory addresses as SMRAM. It does this by remapping memory when activated. The security experts discovered that they could manipulate this TClose remapping function using only standard operating system permissions. By doing so, they could deceive the SMM into retrieving altered data, enabling them to redirect the processor and run their own instructions with the high-level privileges of SMM. This technique essentially allows attackers to bypass standard security measures and execute malicious code at one of the most privileged levels of the processor, potentially compromising the entire system.
In response to the discovery, AMD has initiated a patching process for its critical chip lines, aiming to mitigate the risks associated with this flaw. The company works closely with hardware manufacturers and software developers to ensure that updates are deployed swiftly and effectively. Enrique Nissim and Krzysztof Okupski agreed not to publish any proof-of-concept code for the vulnerability to ensure that the patches aren't rushed and systems are not getting exploited. AMD already issued patched for most of its models, and you should check out the official website for your specific mitigation firmware update. The enterprise EPYC CPUs and Instinct accelerators have been a first-priority products with patches implemented in May, while consumer desktop/laptop 4000/5000/7000/8000 series CPUs received a fix in August. No fixes are planned for 3000 series Ryzen CPUs. Workstation-grade CPUs have also received an update to mitigate this issue.
Update 08:20 UTC: AMD confirmed that the Ryzen 3000 series "Matisse" processors are getting an update planned for August 20, 2024.
Sources:
Wired, AMD
The Sinkclose method exploits a little-known capability in AMD processors called TClose. This name is a blend of "TClose" and "Sinkhole," with the latter referring to a previous vulnerability found in Intel's System Management Mode in 2015. AMD chips employ a protective mechanism named TSeg, which blocks operating systems from accessing a specific memory area reserved for System Management Mode (SMM), known as System Management Random Access Memory (SMRAM). However, the TClose feature is designed to maintain backward compatibility with older hardware that might use the same memory addresses as SMRAM. It does this by remapping memory when activated. The security experts discovered that they could manipulate this TClose remapping function using only standard operating system permissions. By doing so, they could deceive the SMM into retrieving altered data, enabling them to redirect the processor and run their own instructions with the high-level privileges of SMM. This technique essentially allows attackers to bypass standard security measures and execute malicious code at one of the most privileged levels of the processor, potentially compromising the entire system.
Update 08:20 UTC: AMD confirmed that the Ryzen 3000 series "Matisse" processors are getting an update planned for August 20, 2024.
124 Comments on "Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006
This is super common. Not unlikely at all.
Being compromised is one thing. Being compromised, undetectable by antivirus, and still compromised after a drive wipe and reinstall is another thing.
No one understands the definition of worse. lol
One is bad. The other is worse. A lot worse.According to available information, this is primarily a consumer problem at this point. We're not talking about hiring people and having experts. The most extreme thing most consumers can imagine is wiping their drive and starting over.
(not directed at you in particular, it is just a bit unclear. I hope the DefCon talk will clear things up)
Regardless, one is bad. The other is worse. Detectable by antivirus vs not. Non-persistent vs persistent.
Flippant.
Is this some silly brand loyalist thing?
The question was 'why is this bad/worse?'. And then, when you respond to that answer with 'i don't care because of some other reason', why are you even in this topic?
Nihilist?
When RGB software does this, it's the end of the world with software we should never need to use in the first place (I agree). When it's a native CPU problem, oh, what's the big deal? The world sucks anyway.
If the binaries are dumped in the user profile path (which is becoming increasingly common) no UAC elevation required. If you want them in Program Files, then you need elevation. The reason for this is Program Files has a security boundary to write to the location which should make it harder to tamper with binaries. User profile folder was originally intended just for data. Programs already installed in Program Files that need to update themselves without elevating get round it via a background service they install.
This vulnerability is deeper. Point
The other stuff is normal stuff that happens every day. This is worse, harder to detect, and harder to get rid of. Point
Take an existing Ring 0 exploit. Change it to Ring -2. Why is that worse? If Ring 0 is so bad, why would an attacker want lower? These are hypothetical questions, of course. Answer them, and you have your answer.
if not, why is everyone doing the “doom and gloom” posting?
When you also factor in the employee headcount difference between AMD and Intel, and amount of staff Intel can dedicate to every facet of a product from security to design, it is actually quite amazing these issues crop up so often.
Not the best solutions, but hey it is the internet, you get to try to dunk on people without addressing the spirit of the criticism.
Let's say someone steals your car, takes it for a joyride and wrecks it. That's the kernel-level exploit.
As they get out of the burning car, they steal the sunglasses you had in the glovebox. That's the higher-privilege exploit that wasn't possible unless they'd already gained access to your car.
Either way, you've lost your sunglasses and the sunglasses are the least of your worries. If their ultimate goal in the first place was to steal your sunglasses then the lock on the glovebox really wasn't the biggest hurdle.
www.cvedetails.com/vendor/238/Intel.html
Doesn't help some are of dubious origin.The point was "what about software that gets installed with ring0 access that you effectively need to trust but with poor / no oversight"I think the reason why people are concerned is that you have 2 main tiers of system exploit; 1) you loose control of the software but there is limited scope to damage anything else, or 2) you loose control of the software and they can also permanently infect the hardware. This falls in to tier 2.
Again, fanboys and uninformed people will act in an incredulous way when informed that this isn't exactly a new risk itself - remember back when people were finding out about the CIH virus... fun times.
That said, the potential for abuse is worse. Its why "hardware security" is a bad idea encapsulated.
AMD and Intel both working against the second hand market and product longevity. Completely by accident of course…….
Intel: Your second hand PC might have a faulty CPU, that starts to fail due to mysterious degradation.
AMD: Your second hand PC might be compromised in a stealth mode, where no clean OS reinstall will help you.