Friday, August 16th 2024
"Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006
A critical security flaw known as "Sinkclose" (CVE-2023-31315) has been identified in all AMD processors dating back to 2006, potentially affecting hundreds of millions of devices worldwide. The vulnerability allows malicious actors to exploit the chip architecture, leading to unauthorized access to sensitive data. Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, have revealed that the vulnerability can be exploited through various methods, enabling attackers to extract confidential information from affected systems, including passwords and personal data. The issue is especially concerning given that it is present in all AMD CPUs made in the last 18 years and that those CPUs are widely used in both consumer and enterprise environments. However, to exploit this vulnerability, an attacker must already have access to the system's kernel. Malware delivered through downloaded files can provide that access, so general safety measures are recommended.
The Sinkclose method exploits a little-known capability in AMD processors called TClose. The name is a blend of "TClose" and "Sinkhole," with the latter referring to a previous vulnerability found in Intel's System Management Mode in 2015. AMD chips employ a protective mechanism named TSeg, which blocks operating systems from accessing a specific memory area reserved for System Management Mode (SMM), known as System Management Random Access Memory (SMRAM). However, the TClose feature is designed to maintain backward compatibility with older hardware that might use the same memory addresses as SMRAM; it does this by remapping memory when activated. The security experts discovered that they could manipulate this TClose remapping function using only standard operating system permissions. By doing so, they could deceive the SMM into retrieving altered data, enabling them to redirect the processor and run their own instructions with the high-level privileges of SMM. This technique essentially allows attackers to bypass standard security measures and execute malicious code at one of the most privileged levels of the processor, potentially compromising the entire system.
In response to the discovery, AMD has initiated a patching process for its critical chip lines, aiming to mitigate the risks associated with this flaw. The company is working closely with hardware manufacturers and software developers to ensure that updates are deployed swiftly and effectively. Enrique Nissim and Krzysztof Okupski agreed not to publish any proof-of-concept code for the vulnerability, to ensure that the patches aren't rushed and that systems do not get exploited. AMD has already issued patches for most of its models, and you should check the official website for the mitigation firmware update for your specific model.
The enterprise EPYC CPUs and Instinct accelerators were first-priority products, with patches implemented in May, while consumer desktop/laptop 4000/5000/7000/8000 series CPUs received a fix in August. No fixes are planned for 3000 series Ryzen CPUs. Workstation-grade CPUs have also received an update to mitigate this issue.
Update 08:20 UTC: AMD confirmed that the Ryzen 3000 series "Matisse" processors are getting an update planned for August 20, 2024.
Sources:
Wired, AMD
124 Comments on "Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006
Although, it is pretty bad they drop support for 3000 and below, admittedly, but that's an AMD exclusive thing, pretty much...
This vulnerability - which AMD themselves have rated as high severity - allows undetectable persistence of UEFI malware. Once that occurs it’s throw out the machine time.
Doesn't affect Comet Lake and later.
The current AMD bug found, only affects ring-0 access.
AMD have said they probably will not offer updates for R3000 chips but I suspect it's more likely a case of getting little interest from motherboard/system OEMs also, and at the end of the day, nearly every AM4 motherboard would need to have the BIOS updates offered to fix this so why not just roll the patch to cover them also...??
To their credit, Intel did actually do patches for the Spectre/Meltdown CPU microcode all the way back to Nehalem (1st gen Core-i3/5/7 from 2008/2009) but the lazy motherboard manufacturers did nothing for them - I can count on one hand the amount of BIOS updates for systems that old that appeared - in the consumer/enthusiast components mainstream the newest platform I ever saw with BIOS updates for it was Haswell (LGA1150) - anything Ivy Bridge or earlier with patches is pretty rare.
www.cisa.gov/news-events/news/call-action-bolster-uefi-cybersecurity-now
For this one it's:
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Translated, it means: Attack Vector is Local, Attack Complexity is High, Privileges Required is High, User Interaction is None, Scope is Changed, Confidentiality Impact is High, Integrity Impact is High and Availability Impact is High.
While the attack is hard to execute, the impact of a successful execution is very high which is why it ends up with being a serious threat.
If I am not mistaken, I don't think there has ever really been a Spectre and Meltdown exploit in the wild too, but everyone rushed to fix those. Spectre allowed you to read any memory at something like kilobytes per second (I don't remember if it could modify it too).
Intel hired them to cover up the 1314gate
Arguably, you could have a removable TPM/BIOS chip seeing as both have a 'secure enclave' which could be rewritten via unknown malicious means - if mistakenly removed as long as it's restored back to the board/boot device it would work as normal.
Meltdown was a shockingly easy form of privilege escalation. The only reason it wasn't exploited more was widespread patching.
congrats, you’ve left me speechless.
Hell, I'm pretty sure most never even updated their BIOS once, so these patches from AMD fall on deaf ears. I'm just putting it out there. :D As for myself, I'm using an ASRock X470 Taichi with BIOS 5.10 and a 5800X3D. The newest BIOS is 10.13 (beta). I'm not going to even touch any beta BIOS, plus the newer ones after mine had some issues; I read on Reddit people saying their PC will not POST with BIOS 10.10 or 10.11 (beta). Also just read this on the ASRock forum: "x470 Taichi bricked after update to 10.10". Yeah, I'm not going to update anymore. I should, because I umm torrent things ;) But I just don't trust any more updates, I will take my chances. If anyone is interested in the BIOS issues, here is the forum post: forum.asrock.com/forum_posts.asp?TID=34491&title=x470-taichi-bricked-after-update-to-10-10