
"Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006

Ring -2 could theoretically avoid detection forever and not be eliminated so easily. Almost no one will think that they have something operating at that level such that a BIOS reflash is necessary.
Oh, I've been BIOS flashing compromised systems for almost two decades. Rootkits that can survive a disk wipe and OS reinstall have been around since Sony's silly rootkit scandal of 2005 hit mainstream media and even global broadcast TV news. Anyone not considering rootkits is ignorant of basic security vulnerabilities and that means they should hand over the job to someone with a clue; they're unfit to do it themselves.

I barely have a clue, but that's why I hire people whose sole job it is to be on top of this stuff.
 
No, it's because something worse is a moot point: if someone attacks at ring 0, the user is already compromised, though either is unlikely unless the user is clicking on suspicious links.
Unlikely? It happens all the time! You want that driver that no one has any more. Or that program. You are hacking around with some hardware or some software. You get it from the only source you can find. A forum. Discord. Github. Wherever. Someone has the answer to your problem. You want it. It seems like your only option. So you click the buttons when it asks you for permission. And now you are compromised.

This is super common. Not unlikely at all.

Being compromised is one thing. Being compromised, undetectable by antivirus, and still compromised after a drive wipe and reinstall is another thing.

No one understands the definition of worse. lol

One is bad. The other is worse. A lot worse.

Oh, I've been BIOS flashing compromised systems for almost two decades. Rootkits that can survive a disk wipe and OS reinstall have been around since Sony's silly rootkit scandal of 2005 hit mainstream media and even global broadcast TV news. Anyone not considering rootkits is ignorant of basic security vulnerabilities and that means they should hand over the job to someone with a clue; they're unfit to do it themselves.

I barely have a clue, but that's why I hire people whose sole job it is to be on top of this stuff.
According to available information, this is primarily a consumer problem at this point. We're not talking about hiring people and having experts. The most extreme thing most consumers can imagine is wiping their drive and starting over.
 
This vulnerability would allegedly give them Ring -2 access. That's where you can do lasting damage without detection.

How, specifically?

(not directed at you in particular, it is just a bit unclear. I hope the DefCon talk will clear things up)
 
Unlikely? It happens all the time! You want that driver that no one has any more. Or that program. You are hacking around with some hardware or some software. You get it from the only source you can find. A forum. Discord. Github. Wherever. Someone has the answer to your problem. You want it. It seems like your only option. So you click the buttons when it asks you for permission. And now you are compromised.

This is super common. Not unlikely at all.

Being compromised is one thing. Being compromised, undetectable by antivirus, and still compromised after a drive wipe and reinstall is another thing.

No one understands the definition of worse. lol

One is bad. The other is worse. A lot worse.


According to available information, this is primarily a consumer problem at this point. We're not talking about hiring people and having experts. The most extreme thing most consumers can imagine is wiping their drive and starting over.

If the user is this stupid, this exploit is definitely the least of their concerns. They'll be compromised over and over again regardless of whether they're running an AMD, Intel or any other CPU.
 
How, specifically?

(not directed at you in particular, it is just a bit unclear. I hope the DefCon talk will clear things up)
It is alleged. And apparently corroborated by AMD. We don't know the details at this point, because patches are still in development.

If the user is this stupid, this exploit is definitely the least of their concerns. They'll be compromised over and over again regardless of whether they're running an AMD, Intel or any other CPU.
What a fantasy world you must live in.


Regardless, one is bad. The other is worse. Detectable by antivirus vs not. Non-persistent vs persistent.

Flippant.


Is this some silly brand loyalist thing?

The question was 'why is this bad/worse?'. And then, when you respond to that answer with 'i don't care because of some other reason', why are you even in this topic?

Nihilist?


When RGB software does this, it's the end of the world with software we should never need to use in the first place (I agree). When it's a native CPU problem, oh, what's the big deal? The world sucks anyway.
 
Why would installing programs require admin privileges? If I launch CMD it does not have that.
Depends where it is installed.

If the binaries are dumped in the user profile path (which is becoming increasingly common) no UAC elevation required. If you want them in Program Files, then you need elevation. The reason for this is Program Files has a security boundary to write to the location which should make it harder to tamper with binaries. User profile folder was originally intended just for data. Programs already installed in Program Files that need to update themselves without elevating get round it via a background service they install.
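A quick way to see which side of that boundary your autostart programs sit on is to list the Run-key entries and flag any binary that lives under a user-writable path, since those can be swapped without ever triggering UAC. The script below is an added example and is not from this thread or from AMD; it assumes a standard Windows install and treats the usual profile directories (LOCALAPPDATA, APPDATA, TEMP, USERPROFILE) as the user-writable set.

```powershell
# Added example (not from the thread): report autostart binaries that live in
# user-writable locations, where they can be replaced without UAC elevation.
# Assumes a standard Windows install; the Run keys below are the usual ones.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Directories a standard user can write to without elevation (constructed list).
$userWritableRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-ExePathFromCommand {
    param([string]$Command)
    # Handles both quoted ("C:\path with spaces\app.exe" /arg) and unquoted command lines;
    # returns only the executable path, without arguments.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-UserWritablePath {
    param([string]$Path)
    # True when the path starts with any of the user-writable roots (case-insensitive).
    foreach ($root in $userWritableRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $exe = Get-ExePathFromCommand -Command ([string]$p.Value)
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $location = if (Test-UserWritablePath -Path $exe) { 'USER-WRITABLE' } else { 'protected' }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Path = $exe; Location = $location }
    }
}
```

Entries marked USER-WRITABLE are exactly the case described above: the program runs at every logon, yet anything running as the user can overwrite it. Entries under Program Files show as protected because writing there needs elevation (or the vendor's own background update service).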
 
....if only nsa did not ask AMD and Intel to leave loopholes in their CPUs....
 
There are Zen2 processors that will get the update (series 4000, mobile series 5300, 5500, 5700; mobile series 3000 is even Zen1+), and Zen1 server is supported too (another platform), so the negative for Zen1/Zen2 desktop AM4, even when the BIOS could be updated, isn't for validation issues; it feels more like planned obsolescence than anything else. Shady.
 
What a fantasy world you must live in.
I think you are still not understanding the point others are trying to make, but I could be wrong. This exploit is so deep into the computer that other, easier ways are available to take over a computer. Most of those easier ways are blocked from exploitation, but vulnerable computers still exist that do not require the Sinkclose exploit. The other commenters are saying that unaware users are more vulnerable to these easier exploits; therefore Sinkclose is more academic right now and just another possible avenue of exploiting a computer, not the end of secure computing as the shock-and-awe media would have us believe.
 
I don't think that I am missing the point.

This vulnerability is deeper. Point
The other stuff is normal stuff that happens every day. This is worse, harder to detect, and harder to get rid of. Point

Take an existing Ring 0 exploit. Change it to Ring -2. Why is that worse? If Ring 0 is so bad, why would an attacker want lower? These are hypothetical questions, of course. Answer them, and you have your answer.
 
so amd processors… PS5, PS4 have AMD processors… and everyone is worried that their system is pwned… but, is it not a good thing?, because now you can jail break your PS5, or PS4 Right?… and it is not fixable… so the Sinkclose vulnerability will allow games to be easily stolen on the PC and PS5… no?.

if not, why is everyone doing the “doom and gloom” posting?
 
Stupid of AMD to omit a fix for the Ryzen 3000 series.
 
This would seem to be a vulnerability that is primarily exposed by the exploit needing to be executed by someone/something at the main OS level.

In which case - you have already lost and this vulnerability is not really that critical.
 
Yeah, because Intel have never had an SMM security issue... oh, hang on they have... could be worse, with Intel ME you could also have an additional attack vector offering fully fledged in-built remote access across a network even if the OS isn't running...

When you also factor in the employee headcount difference between AMD and Intel, and amount of staff Intel can dedicate to every facet of a product from security to design, it is actually quite amazing these issues crop up so often.
 
Yes, and you need kernel-level access to exploit it, i.e. installing a compromised driver or something like that.

The concern for your average user is less than zero.

If a threat actor has that kind of access they can do much worse than just this exploit. I guess governments or people running mission-critical intelligence or military infrastructure could be concerned. I'd also guess there are zero of these first-gen Ryzen chips being used in such places anyway.
What about games that install Anti cheat with Kernel level access?

Stupid of AMD to omit a fix for the Ryzen 3000 series.
A good time to upgrade. Zen 3 is cheap and an in-socket replacement, no need for even a Windows reinstall.
 
What about games that install Anti cheat with Kernel level access?


Nice trolling.

Team blue is still dealing with silicon degradation; don't you have something better to do with your time?


A good time to upgrade. Zen 3 is cheap and an in-socket replacement, no need for even a Windows reinstall.
So whataboutism, whataboutism, and just give the company more money for an additional product they may refuse to update like your current one.

Not the best solutions, but hey it is the internet, you get to try to dunk on people without addressing the spirit of the criticism.
 
AMD Ryzen™ 7000 Series Desktop Processors
ComboAM5PI 1.2.0.1 (2024-08-07)

Time to keep an eye out for BIOS updates with 1.2.0.1. Manufacturers just got 1.2.0.0a out the door with the 9000 series launch.
 
What I'm reading is that I can now force my brother to ditch Zen+ in favour of Zen 3. Hopefully AGESA update ships quickly for my Zen 4 and 3 systems.
 
Take an existing Ring 0 exploit. Change it to Ring -2. Why is that worse? If Ring 0 is so bad, why would an attacker want lower? These are hypothetical questions, of course. Answer them, and you have your answer.
I'm openly aware that I'm somewhere in the Dunning-Kruger valley of despair when it comes to security vulnerabilities, but I don't see how this vulnerability can be exploited unless worse things have already happened to effectively write-off the system entirely.

Let's say someone steals your car, takes it for a joyride and wrecks it. That's the kernel-level exploit.
As they get out of the burning car, they steal the sunglasses you had in the glovebox. That's the higher-privilege exploit that wasn't possible unless they'd already gained access to your car.

Either way, you've lost your sunglasses and the sunglasses are the least of your worries. If their ultimate goal in the first place was to steal your sunglasses then the lock on the glovebox really wasn't the biggest hurdle.
 
[Attached images: amdv.png, intelv.png]
Yes, and you need kernel-level access to exploit it, i.e. installing a compromised driver or something like that.

The concern for your average user is less than zero.

If a threat actor has that kind of access they can do much worse than just this exploit. I guess governments or people running mission-critical intelligence or military infrastructure could be concerned. I'd also guess there are zero of these first-gen Ryzen chips being used in such places anyway.
This, basically. Good summary. I'd also expect 0 performance impact from patching this.

I hope that the fix won't affect the performance of these chips.
It shouldn't.

I don't understand this sort of flippant response. People install malicious software every day via social engineering. This is another exploit that allows slightly malicious software to become very malicious. There is no reason to downplay its potential until it is fixed.
This is also true but at the same time, it is healthy to remind people not to panic.
 
What about games that install Anti cheat with Kernel level access?
They are the worst kind... usually used by companies with crap coding to stop modders/cheaters... what trust can you put in them??
Doesn't help some are of dubious origin.

So whataboutism, whataboutism
The point was "what about software that gets installed with ring0 access that you effectively need to trust but with poor / no oversight"

I'm openly aware that I'm somewhere in the Dunning-Kruger valley of despair when it comes to security vulnerabilities, but I don't see how this vulnerability can be exploited unless worse things have already happened to effectively write-off the system entirely.

Let's say someone steals your car, takes it for a joyride and wrecks it. That's the kernel-level exploit.
As they get out of the burning car, they steal the sunglasses you had in the glovebox. That's the higher-privilege exploit that wasn't possible unless they'd already gained access to your car.

Either way, you've lost your sunglasses and the sunglasses are the least of your worries. If their ultimate goal in the first place was to steal your sunglasses then the lock on the glovebox really wasn't the biggest hurdle.
I think the reason why people are concerned is that you have 2 main tiers of system exploit: 1) you lose control of the software but there is limited scope to damage anything else, or 2) you lose control of the software and they can also permanently infect the hardware. This falls into tier 2.

Again, fanboys and uninformed people will act in an incredulous way when informed that this isn't exactly a new risk itself - remember back when people were finding out about the CIH virus... fun times.
 
Oh, I've been BIOS flashing compromised systems for almost two decades. Rootkits that can survive a disk wipe and OS reinstall have been around since Sony's silly rootkit scandal of 2005 hit mainstream media and even global broadcast TV news. Anyone not considering rootkits is ignorant of basic security vulnerabilities and that means they should hand over the job to someone with a clue; they're unfit to do it themselves.

I barely have a clue, but that's why I hire people whose sole job it is to be on top of this stuff.
Rootkits are not the same as ring -2. They typically cannot survive a reinstall.
 
In which case - you have already lost and this vulnerability is not really that critical.
It's 'critical' in terms of direct impact; it's impossible to class it based on risk as everyone works differently. For sure the risk is high of someone inadvertently loading it. For those with locked-down devices and effective endpoint security, the risk is probably quite low, but the impact wouldn't be any different if it somehow was triggered.
 
so amd processors… PS5, PS4 have AMD processors… and everyone is worried that their system is pwned… but, is it not a good thing?, because now you can jail break your PS5, or PS4 Right?… and it is not fixable… so the Sinkclose vulnerability will allow games to be easily stolen on the PC and PS5… no?.

if not, why is everyone doing the “doom and gloom” posting?
There certainly are some fun things you could do with this.

That said, the potential for abuse is worse. It's why "hardware security" is a bad idea encapsulated.
 