Friday, August 16th 2024
"Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006
A critical security flaw known as "Sinkclose" (CVE-2023-31315) has been identified in all AMD processors dating back to 2006, potentially affecting hundreds of millions of devices worldwide. This vulnerability allows malicious actors to exploit the chip architecture, leading to unauthorized access to sensitive data. Researchers Enrique Nissim and Krzysztof Okupski of the security firm IOActive have revealed that the vulnerability can be exploited through various methods, enabling attackers to extract confidential information from affected systems, including passwords and personal data. The issue is especially concerning given that it is present in all AMD CPUs made in the last 18 years, which are in widespread use in both consumer and enterprise environments. However, to exploit this vulnerability, an attacker must already have access to the system's kernel. Downloading malware-infected files can provide that access, so general safety measures are recommended.
The Sinkclose method exploits a little-known capability in AMD processors called TClose. The name is a blend of "TClose" and "Sinkhole," the latter referring to a previous vulnerability found in Intel's System Management Mode in 2015. AMD chips employ a protective mechanism named TSeg, which blocks operating systems from accessing a specific memory area reserved for System Management Mode (SMM), known as System Management Random Access Memory (SMRAM). However, the TClose feature is designed to maintain backward compatibility with older hardware that might use the same memory addresses as SMRAM. It does this by remapping memory when activated. The security experts discovered that they could manipulate this TClose remapping function using only standard operating system permissions. By doing so, they could deceive the SMM into retrieving altered data, enabling them to redirect the processor and run their own instructions with the high-level privileges of SMM. This technique essentially allows attackers to bypass standard security measures and execute malicious code at one of the most privileged levels of the processor, potentially compromising the entire system. In response to the discovery, AMD has initiated a patching process for its critical chip lines, aiming to mitigate the risks associated with this flaw. The company is working closely with hardware manufacturers and software developers to ensure that updates are deployed swiftly and effectively. Enrique Nissim and Krzysztof Okupski agreed not to publish any proof-of-concept code for the vulnerability, so that the patches are not rushed and systems are not exploited in the meantime. AMD has already issued patches for most of its models, and you should check the official website for the mitigation firmware update for your specific product.
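As an added illustration (not code from the article, AMD or IOActive), the C function below shows the kind of bounds check an SMI handler should apply to any address it receives from OS-controlled memory before reading or writing through it, so that a tampered pointer cannot steer SMM into touching SMRAM on an attacker's behalf. The TSeg base, size and sample addresses are constructed values, and the check is a generic SMM hardening practice rather than AMD's specific Sinkclose mitigation.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed description of the protected SMRAM (TSeg) window.
 * Real firmware reads these from the platform; the values here are made up. */
typedef struct {
    uint64_t base;   /* first byte of SMRAM */
    uint64_t size;   /* window length in bytes */
} smram_region_t;

/* Returns true when [addr, addr+len) is malformed or overlaps SMRAM.
 * "Malformed" covers a zero-length request and address arithmetic that wraps,
 * two classic ways a caller-controlled descriptor slips past a naive check. */
bool smram_overlap_or_invalid(const smram_region_t *r, uint64_t addr, uint64_t len)
{
    if (len == 0)
        return true;                      /* nothing to access: reject as ambiguous */
    if (addr > UINT64_MAX - len)
        return true;                      /* addr + len would wrap around */
    if (r->base > UINT64_MAX - r->size)
        return true;                      /* misconfigured window: fail closed */

    uint64_t end   = addr + len;          /* exclusive end of the request */
    uint64_t r_end = r->base + r->size;   /* exclusive end of SMRAM */

    /* Half-open interval overlap test. */
    return addr < r_end && end > r->base;
}

/* Convenience wrapper: true only when the buffer lies wholly outside SMRAM,
 * i.e. it is safe for the handler to dereference on behalf of the caller. */
bool buffer_outside_smram(const smram_region_t *r, uint64_t addr, uint64_t len)
{
    return !smram_overlap_or_invalid(r, addr, len);
}

int main(void)
{
    /* Constructed 8 MiB window at 0x7F000000. */
    const smram_region_t tseg = { .base = 0x7F000000ULL, .size = 0x800000ULL };

    struct { uint64_t addr, len; const char *what; } cases[] = {
        { 0x10000000ULL,        0x1000, "ordinary OS buffer"          },
        { 0x7F000000ULL,        16,     "points at SMRAM start"       },
        { 0x7EFFFFF0ULL,        0x20,   "straddles SMRAM start"       },
        { 0x7F7FFFF0ULL,        0x10,   "ends exactly at SMRAM end"   },
        { 0x7F800000ULL,        0x10,   "just past SMRAM end"         },
        { UINT64_MAX - 8,       0x100,  "length wraps address space"  },
        { 0x20000000ULL,        0,      "zero-length request"         },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool ok = buffer_outside_smram(&tseg, cases[i].addr, cases[i].len);
        printf("%-28s -> %s\n", cases[i].what, ok ? "allow" : "deny");
    }
    return 0;
}
```

The wrap-around test comes before the interval comparison deliberately: a descriptor with a huge length can make `addr + len` wrap to a small number and look like it ends before SMRAM begins, which is exactly the sort of altered data the article describes SMM being tricked into trusting.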
The enterprise EPYC CPUs and Instinct accelerators were first-priority products, with patches implemented in May, while consumer desktop/laptop 4000/5000/7000/8000 series CPUs received a fix in August. No fixes are planned for 3000 series Ryzen CPUs. Workstation-grade CPUs have also received an update to mitigate this issue.
Update 08:20 UTC: AMD confirmed that the Ryzen 3000 series "Matisse" processors are getting an update planned for August 20, 2024.
Sources:
Wired, AMD
124 Comments on "Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006
But seriously, please tell us how Intel engineered this to occur just now, 10 months later. I really, really want to know how they did it.
The laptop had a Core i7 9750H (TMK) Also had a GeForce GTX 1650.
A relief that I shouldn't have to panic now, because I don't just go ahead and let stuff run as administrator.
Somewhere, Occam's Razor is screaming. Yes. But that's where it ends without further evidence. Sometimes convenient scandals just happen.
and that machine can be compromised until the end of its life if it’s just used to spy
Did a cursory bit of research on the company, and couldn't find any obvious associations.
Corporate espionage isn't anything new. So, it's not a 'far fetched' thought to have.
-just... maybe, more inquisitive than accusative.
BIOS updates are done through the Lenovo Commercial Vantage software, which you launch and then scan for updates; when it finds a BIOS, you install it.
We do not ever allow BIOS updates over Windows Update for end-user machines; that is a nightmare waiting to happen that we plan to avoid.
None of our users have local admin rights!
Stop the insulting remarks about any group of people.
Just buy a 5800X, 5900X, or 5950X and sell the 3700X.
I did this move in 2021 after being on Zen 2 for 2 years and it was worth it. Sold my 3800X for $400 when I paid $440 for it 2 years prior. Zen 3 was a solid upgrade over Zen 2; there was no reason to stay on Zen 2.
Why are there no jumpers or BIOS settings to prevent that when the user doesn't want it?
“Matisse” mitigation status has been updated to a target of 2024-08-20
www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html
1) As mentioned before, the Ryzen 4000 series is the same Zen 2, so there is no real excuse not to apply it to the 3000 series also. Technically they could have made the distinction of the laptop 4000 series, but they didn't, so targeting some Zen 2 on the AM4 socket and not others seems to be purposely 'unhelpful'.
2) Some Ryzen 3000 series parts will still be under warranty, and I'm sure a simple software fix to the BIOS to stop / validate SMM access requests properly is better than dealing with even a limited number of upset customers, or more likely OEMs - and let's face it, AMD still needs to work hard to keep OEMs onside vs the Intel marketing / financing machine.
3) Having been included in the Windows 11 list of approved CPUs, I would expect there is some (probably not much) push from Microsoft for some solid support of these whilst they remain on that list.
In the end either way doesn't matter all that much because we're at the mercy of motherboard vendors actually packaging the update which may or may not happen. My board is yet to receive the 1.2.0.ca that fixes zenbleed and took 6 months to receive 1.2.0.c so I don't have a lot of hopes for this 1.2.0.cb, not in any decent timely manner at least.
I say "I think" because it seems impossible to get any load-bearing information on this. And the Defcon talk seems to have no public recording.
It's cool that AMD is saying 3000 series CPUs will get the fix, but the reality is only X570 and maybe some B550 boards will ever get the BIOS update to apply the fix, and even then not all of them will. Platform longevity is not just every board being able to run every AM4 CPU; it needs to be BIOS updates as well.