Friday, August 16th 2024
"Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006
A critical security flaw known as "Sinkclose" (CVE-2023-31315) has been identified in all AMD processors dating back to 2006, potentially affecting hundreds of millions of devices worldwide. This vulnerability allows malicious actors to exploit the chip architecture, leading to unauthorized access to sensitive data. Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, have revealed that the vulnerability can be exploited through various methods, enabling attackers to extract confidential information from affected systems, including passwords and personal data. The issue is especially concerning given that it is present in all AMD CPUs made in the last 18 years and that these CPUs are widely used in both consumer and enterprise environments. However, to exploit this vulnerability, an attacker must possess access to the system's kernel. Downloading malware-infused files can trigger it, so general safety measures are recommended.
The Sinkclose method exploits a little-known capability in AMD processors called TClose. The name "Sinkclose" is a blend of "TClose" and "Sinkhole," with the latter referring to a previous vulnerability found in Intel's System Management Mode in 2015. AMD chips employ a protective mechanism named TSeg, which blocks operating systems from accessing a specific memory area reserved for System Management Mode (SMM), known as System Management Random Access Memory (SMRAM). However, the TClose feature is designed to maintain backward compatibility with older hardware that might use the same memory addresses as SMRAM. It does this by remapping memory when activated. The security experts discovered that they could manipulate this TClose remapping function using only standard operating system permissions. By doing so, they could deceive the SMM into retrieving altered data, enabling them to redirect the processor and run their own instructions with the high-level privileges of SMM. This technique essentially allows attackers to bypass standard security measures and execute malicious code at one of the most privileged levels of the processor, potentially compromising the entire system.
In response to the discovery, AMD has initiated a patching process for its critical chip lines, aiming to mitigate the risks associated with this flaw. The company is working closely with hardware manufacturers and software developers to ensure that updates are deployed swiftly and effectively. Enrique Nissim and Krzysztof Okupski agreed not to publish any proof-of-concept code for the vulnerability to ensure that the patches aren't rushed and systems are not getting exploited. AMD has already issued patches for most of its models, and you should check the official website for the mitigation firmware update for your specific model.
The enterprise EPYC CPUs and Instinct accelerators have been first-priority products, with patches implemented in May, while consumer desktop/laptop 4000/5000/7000/8000 series CPUs received a fix in August. No fixes are planned for 3000 series Ryzen CPUs. Workstation-grade CPUs have also received an update to mitigate this issue.
Update 08:20 UTC: AMD confirmed that the Ryzen 3000 series "Matisse" processors are getting an update planned for August 20, 2024.
Sources:
Wired, AMD
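For fleet triage, one way to turn the "check your firmware update" advice into a check, as an added example that is not part of the original article or any AMD tooling: it compares AGESA strings against the fixed AM4 level quoted in the comments below (Combo V2 PI 1.2.0.Cc, AMD-SB-7014). The version ordering, the branch matching, the "V1" branch label and the inventory rows are assumptions constructed for illustration.

```python
import re

# Fixed AGESA level per firmware branch. Only the AM4 Combo V2 value is quoted
# on this page (AMD-SB-7014); take other branches from the bulletin itself.
FIXED = {"AM4 Combo V2": "1.2.0.Cc"}
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\.([0-9A-Fa-f])([a-z]?)(?![0-9A-Za-z])")

def parse_version(text):
    # Assumption: the fourth field is one hex digit plus an optional lowercase
    # patch letter, so C < Ca < Cb < Cc < D. Returns None if no version found.
    m = VERSION.search(text)
    if not m:
        return None
    a, b, c, hexdigit, patch = m.groups()
    return (int(a), int(b), int(c), int(hexdigit, 16), patch)

def branch(text):
    # Vendors format the string differently, so match on a normalised key.
    key = re.sub(r"[^a-z0-9]", "", text.lower())
    if "combo" in key and "v2" in key:
        return "AM4 Combo V2"
    if "comboam4" in key:
        return "AM4 Combo V1"
    return "unknown"

def assess(agesa):
    found = parse_version(agesa)
    if found is None:
        return "unparsed"
    fixed = FIXED.get(branch(agesa))
    if fixed is None:
        # Versions are not comparable across branches: report, do not guess.
        return "no-fixed-level-listed"
    return "patched" if found >= parse_version(fixed) else "needs-update"

# Constructed inventory: host name and AGESA string as a BIOS screen shows it.
INVENTORY = [
    ("ws-01", "ComboAM4v2PI 1.2.0.Cc"),
    ("ws-02", "AGESA ComboAm4v2PI 1.2.0.Ca"),
    ("htpc", "ComboAM4PI 1.0.0.C"),
    ("lab-3", "not reported"),
]

if __name__ == "__main__":
    for host, agesa in INVENTORY:
        print(f"{host:6} {agesa:28} {assess(agesa)}")
```

A board still on the older `ComboAM4PI` branch is reported as `no-fixed-level-listed` rather than compared against the V2 number, since a version from one branch says nothing about the other.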
124 Comments on "Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006
A secure computer cannot have any place to store information at all. All software including firmware needs to be on externally verifiable (removable) media.
Some boards may still have these settings, but as usual it will be poorly explained in the BIOS/UEFI interface and manual. Unfortunately you'd also have to integrate the TPM / any encryption/key storage and authentication devices into this, as they are also programmable / vulnerable...
Would I do it (or rather pay to get it done) for an A320 chipset motherboard... most probably not.
Would I do it for a limited edition X570 board that cost almost as much as an X3D CPU... yeah, possibly I would, especially if it's no longer on sale.
Of course, I know what I am doing. Most won't. So valid.
It's a generalised statement which may well be true for some devices where the integrated firmware is stored within microcontrollers that may be too hard to replace. Arguably something could exploit the UEFI vulnerability to deploy payloads to other integrated devices such as firmware of an SSD (the most likely concern), the LAN chip, etc., but that would be reliant upon a vulnerability existing within that potential configuration - most UEFI systems use UEFI software modules loaded into the BIOS image to control LAN chips for PXE boot, etc., and SSDs are easily replaced, and with the current generation of systems SSDs are cheaper than some mediocre motherboards.
BUT, in reality, the odds are good that a majority of normal motherboards could be salvaged by replacing a chip (or two with dual-BIOS) which contains pretty much all the UEFI data. Thanks to fTPM, there isn't even a TPM chip that could be vulnerable - you get to clear both the UEFI and fTPM persistent storage areas in one hit.
Again, for sure governments would err on the side of caution and have the resources to send a whole office block of devices to the dump and replace them all, which is who CISA guidance is primarily aimed at. How much do you charge...? :p
--
On a side note, I'm kinda happy to have thrown away the B550 / Ryzen 5800X box which I bought late. I bought that near the end of its product life cycle. Wi-Fi bug / boost bug ... too annoying.
I estimate more firmware and design issues in the future. I estimate fewer fixes for known faults.
--
As far as I know, not everything is reprogrammed by a UEFI update. I doubt ASUS or MSI have any open documentation on which memory sections hold the serial numbers, MAC addresses, Windows license and other stuff.
I'm kinda sure that when you overwrite the whole chip you end up with no MAC address for your network interface cards and other nonsense you do not want.
I do agree that with a proper USB programmer on a secure platform with proper software you can easily overwrite those "uefi / bios" chips. Most likely there will be publicly available datasheets for the pinout of those chips.
--
When there are no updates or delayed updates, the long-term support of AM4 or AM5 is basically a fraud. When AM4 does not get any updates for those mainboard chipsets and processors, the whole AM4 marketing bubble is just a fraud. You mean long-term security fixes for the common operating systems.
The response was much faster than I expected, but it is not yet available for the X570.
asrock.com/support/index.asp?cat=bBIOS
There seems to be an update to AMD's information as well.
AMD AM4 AGESA Combo V2 PI 1.2.0.Cc
www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html
I just patched the LogoFail exploit last month...
I do not know of any articles regarding problems with the update.
I don't have much faith in AsRock's beta BIOS so I will wait for the official version.
The update link is on GG's website. It should not be a beta version, right?
Update AMD AGESA 1.2.0.Cc for fix Sinkclose Vulnerability of AMD processors (SMM Lock Bypass)
www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html
This update was unexpected.
Since it's an update to an older CPU, the motherboard manufacturer doesn't seem to be proactive.
Has anyone found a BIOS that supports this update?
My motherboard was not applicable.
Looks like latest is an Aug '24 Beta w/ 1.2.0.Cc AGESA.
I'd e-mail AsRock about it. AM4 is still a fully supported platform, after all.
The B550 doesn't support "Raven Ridge" or "Pinnacle Ridge," so the update probably won't come.
Apart from my main PC, I own multiple motherboards, and as far as I checked, there was no update for "ComboAM4PI 1.0.0.C".
・AsRock B450M-HDV
・AsRock Fatal1ty X370 Gaming K4
・AsRock DeskMini A300 (A300M-STX)
I have a Dell Inspiron 5575 Ryzen 5 2500U laptop, but I have given up on updating the BIOS.
Motherboard manufacturers often provide support for DIY PCs, but I feel that they do not support this for notebook PCs or handheld PCs such as GPD.
At least for the GPD Win Max2 (6800U) that I own, the latest BIOS is December 22, 2022.