
"Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006

Joined
Jul 8, 2019
Messages
35 (0.02/day)
Location
New York
System Name AMD Ryzen
Processor AMD 5800X3D
Motherboard ASRock X470 Taichi (BIOS 5.10)
Cooling Scythe Mugen 5 Rev.B CPU Air Cooler
Memory G.SKILL Flare X Series 32GB (3200mhz CL14)
Video Card(s) PNY 4070 Super
Storage Samsung 970 EVO 1TB + SK hynix Gold P31 2TB
Display(s) AOC Q24G2A
Case Corsair 230T
Audio Device(s) Sound Blaster AE-7
Power Supply EVGA Supernova 850 P2, 80+ Platinum
Mouse Glorious Model D
Keyboard Corsair K70 LUX RGB
Software Windows 10 LTSC 21H2
I don't think the average gamer, who maybe bought their PC pre-built and only wants to play games and maybe stream, is even going to acknowledge this BIOS update.
Hell, I'm pretty sure most never even updated their BIOS once, so these patches from AMD fall on deaf ears. I'm just putting it out there. :D As for myself, I'm using an ASRock X470 Taichi BIOS 5.10 with a 5800X3D. The newest BIOS is 10.13 (beta). I'm not going to even touch any beta BIOS, plus the newer ones after mine had some issues: I read on Reddit people saying their PC will not POST with BIOS 10.10 or 10.11 (beta). Also just read this on the ASRock forum: "x470 Taichi bricked after update to 10.10". Yeah, I'm not going to update anymore. I should, because I umm torrent things ;) But I just don't trust any more updates, I will take my chances. If anyone is interested in the BIOS issues, here is the forum post: https://forum.asrock.com/forum_posts.asp?TID=34491&title=x470-taichi-bricked-after-update-to-10-10
 
Joined
Jun 19, 2024
Messages
130 (0.70/day)
The media made the stink about it at the same time

You understand AMD just disclosed this right? Should it be ignored by the media because it offends you? Hint - this is big news. The media should cover it.

But seriously, please tell us how Intel engineered this to occur just now, 10 months later. I really, really want to know how they did it.
 
Joined
Dec 1, 2022
Messages
250 (0.33/day)
do you know what's going on w intel right?
The timing of these researchers releasing this news is very coincidental with what is happening with Intel.
dual bios is doable. even routers have that... my meraki has a rapid failover in case the other is corrupted or doesn't boot it boots from the prev version.
I'd like to see dual bios as a standard on boards, though mobo makers seem to cheap out on features which should only cost a few cents like a POST code display or physical power and reset buttons on the board.
ppl should have rejected those anti cheats to begin with they were always a bad idea and people were too desperate to play some games they complied.
Agreed, the anti-cheats spying at a kernel level is only punishing the legit players, I refuse to play some games with how sketchy the anti-cheat system is with some of them requiring TPM enabled.
 
Joined
Jul 8, 2019
Messages
35 (0.02/day)
Prebuilts get their BIOS updates over Windows Update.
Hmmm, I would not trust this at all LOL. As I posted if that BIOS has an issue and you can't boot you need to send the whole PC back.
 
Joined
Oct 15, 2011
Messages
2,477 (0.51/day)
Location
Springfield, Vermont
System Name KHR-1
Processor Ryzen 9 5900X
Motherboard ASRock B550 PG Velocita (UEFI-BIOS P3.40)
Memory 32 GB G.Skill RipJawsV F4-3200C16D-32GVR
Video Card(s) Sparkle Titan Arc A770 16 GB
Storage Western Digital Black SN850 1 TB NVMe SSD
Display(s) Alienware AW3423DWF OLED-ASRock PG27Q15R2A (backup)
Case Corsair 275R
Audio Device(s) Technics SA-EX140 receiver with Polk VT60 speakers
Power Supply eVGA Supernova G3 750W
Mouse Logitech G Pro (Hero)
Software Windows 11 Pro x64 23H2
IIRC, the pre-10th-gen CSME bug had "remote code execution" and was rated "critical". I was urgently finding a BIOS update for a new laptop I used to have, but there was no update in 2020, so I got another Ryzen PC. That was how I got the A320 build in another room (it came with a Ryzen 5 2600 (Pinnacle Ridge) (Zen+) and now has the Ryzen 7 3700X (Matisse) (Zen 2)). The BIOS is flashed to at least a version from 2023, IIRC, so it should take a Ryzen 5 5600/X.

The laptop had a Core i7 9750H (TMK). Also had a GeForce GTX 1650.

A relief that I shouldn't have to panic now, because I don't just go ahead and let stuff run as administrator.
 
Joined
Jun 19, 2024
Messages
130 (0.70/day)
Hmmm, I would not trust this at all LOL. As I posted if that BIOS has an issue and you can't boot you need to send the whole PC back.

Trust it or not, it’s the default for prebuilt PCs. Dell, HP, Lenovo, etc all will automatically update their bios without any intervention from the user.
 
Joined
Aug 20, 2007
Messages
21,539 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
The media made the stink about it at the same time
So the media is complicit now?

Somewhere, Occam's Razor is screaming.

The timing of these researchers releasing this news is very coincidental with what is happening with Intel.
Yes. But that's where it ends without further evidence. Sometimes convenient scandals just happen.
 
Joined
Jul 8, 2019
Messages
35 (0.02/day)
Found this on laptopmag website: "A hacker must have already gained access to a PC or server to exploit the System Management Mode controls, which is one reason AMD is downplaying the concern. In a background statement to Wired, AMD company compared the Sinkclose method to 'accessing a bank's safe-deposit boxes after already bypassing its alarms, the guards, and vault door.'" I think for the most part the average home user has nothing to worry about.
 
Joined
Jan 11, 2022
Messages
913 (0.85/day)
Found this on laptopmag website: "A hacker must have already gained access to a PC or server to exploit the System Management Mode controls, which is one reason AMD is downplaying the concern. In a background statement to Wired, AMD company compared the Sinkclose method to 'accessing a bank's safe-deposit boxes after already bypassing its alarms, the guards, and vault door.'" I think for the most part the average home user has nothing to worry about.
Yeah laptop magazine is wrong, someone just needs to install malicious software unknowingly, once.

and that machine can be compromised until the end of its life if it’s just used to spy
 
Joined
Apr 18, 2019
Messages
2,396 (1.15/day)
Location
Olympia, WA
System Name Sleepy Painter
Processor AMD Ryzen 5 3600
Motherboard Asus TuF Gaming X570-PLUS/WIFI
Cooling FSP Windale 6 - Passive
Memory 2x16GB F4-3600C16-16GVKC @ 16-19-21-36-58-1T
Video Card(s) MSI RX580 8GB
Storage 2x Samsung PM963 960GB nVME RAID0, Crucial BX500 1TB SATA, WD Blue 3D 2TB SATA
Display(s) Microboard 32" Curved 1080P 144hz VA w/ Freesync
Case NZXT Gamma Classic Black
Audio Device(s) Asus Xonar D1
Power Supply Rosewill 1KW on 240V@60hz
Mouse Logitech MX518 Legend
Keyboard Red Dragon K552
Software Windows 10 Enterprise 2019 LTSC 1809 17763.1757
The timing of this whole thing is sus...

Intel hired them to cover up the 1314gate
The thought had occurred.
Did a cursory bit of research on the company, and couldn't find any obvious associations.

Corporate espionage isn't anything new. So, it's not a 'far fetched' thought to have.
-just... maybe, more inquisitive than accusative.
 
Joined
Apr 23, 2023
Messages
6 (0.01/day)
Location
near Rome, Italy
Processor AMD Ryzen 7 3700X
Motherboard MPG B550 Gaming Plus
Memory 32Gb DDR4
Video Card(s) ZOTAC NVidia GeForce RTX3060 12Gb GA104 Variant (64 ROPs instead of 48)
Storage 3 SSD, 1 HDD
I have a Ryzen 7 3700X and I was planning to keep it for some years to come because, having 16 threads, it was nearly (I said nearly) a high-end consumer CPU when I bought it in late 2020. These days AMD said it will not release SinkClose patches for the 3000 series. This happens just after INTEL is in severe crisis due to crashing new processors, and this is at least suspicious. Now that I have to, in a reasonably distant future (because I am not a millionaire), replace all of my MOTHERBOARD, CPU AND MEMORY again thanks to this, I surely won't choose either AMD or INTEL. And this is because I hope that in that future there will be new, more reliable vendors like (maybe) NVIDIA or other ARM-based (I hope) sellers also in the consumer/low-price market.
 
Joined
Feb 21, 2006
Messages
2,240 (0.33/day)
Location
Toronto, Ontario
System Name The Expanse
Processor AMD Ryzen 7 5800X3D
Motherboard Asus Prime X570-Pro BIOS 5013 AM4 AGESA V2 PI 1.2.0.Cc.
Cooling Corsair H150i Pro
Memory 32GB GSkill Trident RGB DDR4-3200 14-14-14-34-1T (B-Die)
Video Card(s) XFX Radeon RX 7900 XTX Magnetic Air (24.12.1)
Storage WD SN850X 2TB / Corsair MP600 1TB / Samsung 860Evo 1TB x2 Raid 0 / Asus NAS AS1004T V2 20TB
Display(s) LG 34GP83A-B 34 Inch 21: 9 UltraGear Curved QHD (3440 x 1440) 1ms Nano IPS 160Hz
Case Fractal Design Meshify S2
Audio Device(s) Creative X-Fi + Logitech Z-5500 + HS80 Wireless
Power Supply Corsair AX850 Titanium
Mouse Corsair Dark Core RGB SE
Keyboard Corsair K100
Software Windows 10 Pro x64 22H2
Benchmark Scores 3800X https://valid.x86.fr/1zr4a5 5800X https://valid.x86.fr/2dey9c 5800X3D https://valid.x86.fr/b7d
Trust it or not, it’s the default for prebuilt PCs. Dell, HP, Lenovo, etc all will automatically update their bios without any intervention from the user.
I manage many Lenovo laptops at work.

BIOS updates are done through the Lenovo Commercial Vantage software, which you launch, then scan for updates, then when it finds a BIOS you install it.

We do not ever allow BIOS updates over Windows Update for end user machines; that is a nightmare waiting to happen that we plan to avoid.

None of our users have local admin rights!
 

95Viper

Super Moderator
Staff member
Joined
Oct 12, 2008
Messages
13,044 (2.21/day)
Stick to the topic.
Stop the insulting remarks about any group of people.
 
Joined
Aug 20, 2007
Messages
21,539 (3.40/day)
I have a Ryzen 7 3700X and I was planning to keep it for some years to come because, having 16 threads, it was nearly (I said nearly) a high-end consumer CPU when I bought it in late 2020. These days AMD said it will not release SinkClose patches for the 3000 series. This happens just after INTEL is in severe crisis due to crashing new processors, and this is at least suspicious. Now that I have to, in a reasonably distant future (because I am not a millionaire), replace all of my MOTHERBOARD, CPU AND MEMORY again thanks to this, I surely won't choose either AMD or INTEL. And this is because I hope that in that future there will be new, more reliable vendors like (maybe) NVIDIA or other ARM-based (I hope) sellers also in the consumer/low-price market.
You aren't going to find a vendor that does not have hardware security bugs these days.
 
Joined
Sep 23, 2022
Messages
1,288 (1.57/day)
I have a Ryzen 7 3700X and I was planning to keep it for some years to come because, having 16 threads, it was nearly (I said nearly) a high-end consumer CPU when I bought it in late 2020. These days AMD said it will not release SinkClose patches for the 3000 series. This happens just after INTEL is in severe crisis due to crashing new processors, and this is at least suspicious. Now that I have to, in a reasonably distant future (because I am not a millionaire), replace all of my MOTHERBOARD, CPU AND MEMORY again thanks to this, I surely won't choose either AMD or INTEL. And this is because I hope that in that future there will be new, more reliable vendors like (maybe) NVIDIA or other ARM-based (I hope) sellers also in the consumer/low-price market.
Why?

Just buy a 5800X, 5900X, or 5950X and sell the 3700X.
 
Joined
Feb 21, 2006
Messages
2,240 (0.33/day)
Why?

Just buy a 5800X, 5900X, or 5950X and sell the 3700X.
The longer you wait on doing these in-socket upgrades, the less value you get when selling older parts.

I did this move in 2021 after being on Zen 2 for 2 years and it was worth it. Sold my 3800X for $400 when I paid $440 for it 2 years prior. Zen 3 was a solid upgrade over 2; there was no reason to stay on Zen 2.
 
Joined
Mar 18, 2023
Messages
935 (1.45/day)
System Name Never trust a socket with less than 2000 pins
So in ring -2 you can flash the code in the firmware that flashes the firmware?

Why are there no jumpers or BIOS settings to prevent that when the user doesn't want it?
 
Joined
Aug 16, 2024
Messages
6 (0.05/day)
Location
Japan
Processor AMD Ryzen 7 5700X
Motherboard AsRock B550M Steel Legend
Cooling SCYTHE Big Shuriken 3 SCBSK-3000R
Memory DDR4-3200 32GB
Video Card(s) ZOTAC GeForce GTX 1080 TI Blower ZT-P10810B-10B
Storage KIOXIA EXCERIA PRO 1TB SSD-CK1.0N4P/N
Case SilverStone SST-SG12B
Audio Device(s) TASCAM US-366-SN
Power Supply Silver Stone DECATHLON 850W SST-DA850-G
Mouse Logitech G502 HERO
Joined
Dec 16, 2021
Messages
352 (0.32/day)
Location
Denmark
Processor AMD Ryzen 7 3800X
Motherboard ASUS Prime X470-Pro
Cooling bequiet! Dark Rock Slim
Memory 64 GB ECC DDR4 2666 MHz (Samsung M391A2K43BB1-CTD)
Video Card(s) eVGA GTX 1080 SC Gaming, 8 GB
Storage 1 TB Samsung 970 EVO Plus, 1 TB Samsung 850 EVO, 4 TB Lexar NM790, 12 TB WD HDDs
Display(s) Acer Predator XB271HU
Case Corsair Obsidian 550D
Audio Device(s) Creative X-Fi Fatal1ty
Power Supply Seasonic X-Series 560W
Mouse Logitech G502
Keyboard Glorious GMMK
Update 08:20 UTC: AMD confirmed that the Ryzen 3000 series "Matisse" processors are getting an update planned for August 20, 2024.
Who'd have thunk it...
 
Joined
Jun 20, 2024
Messages
402 (2.17/day)
Who'd have thunk it...
Actually not surprised for 3 reasons:

1) As mentioned before, Ryzen 4000 series is same Zen2 so no real excuse not to apply it to 3000 series also. Technically they could have made the distinction of laptop 4000 series but they didn't, so targeting some Zen2 on the AM4 socket and not others seems to be purposely 'unhelpful'.
2) Some Ryzen 3000 series parts will still be under warranty and I'm sure a simple software fix to the BIOS to stop / validate SMM access requests properly is better than dealing with even a limited number of upset customers, or more likely OEMs - and let's face it, AMD still need to work hard to keep OEMs onside vs the Intel marketing / financing machine.
3) Having been included in the Windows 11 list of approved CPUs, I would expect there is some (probably not much) push from Microsoft for some solid support of these whilst they remain on that list.
 
Joined
Jun 18, 2021
Messages
2,568 (2.00/day)
Time to replace those old Opteron servers.
Or maybe

not.


AMD does have a habit of not supporting hardware that is still in the market. I am not sure if the old (10-15 years ago) AMD was doing it, but today's AMD does.
I mean, Vega is not getting the same upgrades as RDNA2/3 chips, but it's still on the market, in the form of the iGPU in many AMD chips.
3000 (Zen 2) series is still selling as mobile chips and desktop chips. Under new names as part of mobile 7000 series, or as part of the 4000 desktop APUs.

To be fair, those rehashed Zen 2 (4000, 5000, 7000, whatever) were different than 3000 in their classification; those are still supported. Now they released an update that 3000 series will also be supported, good, but in reality they should also support 2000 and 1000 series as they all use the same socket and motherboards - the microcode update will be a BIOS update after all.

In the end either way doesn't matter all that much because we're at the mercy of motherboard vendors actually packaging the update which may or may not happen. My board is yet to receive the 1.2.0.ca that fixes zenbleed and took 6 months to receive 1.2.0.c so I don't have a lot of hopes for this 1.2.0.cb, not in any decent timely manner at least.
 
Joined
Jul 30, 2019
Messages
3,338 (1.69/day)
System Name Still not a thread ripper but pretty good.
Processor Ryzen 9 7950x, Thermal Grizzly AM5 Offset Mounting Kit, Thermal Grizzly Extreme Paste
Motherboard ASRock B650 LiveMixer (BIOS/UEFI version P3.08, AGESA 1.2.0.2)
Cooling EK-Quantum Velocity, EK-Quantum Reflection PC-O11, D5 PWM, EK-CoolStream PE 360, XSPC TX360
Memory Micron DDR5-5600 ECC Unbuffered Memory (2 sticks, 64GB, MTC20C2085S1EC56BD1) + JONSBO NF-1
Video Card(s) XFX Radeon RX 5700 & EK-Quantum Vector Radeon RX 5700 +XT & Backplate
Storage Samsung 4TB 980 PRO, 2 x Optane 905p 1.5TB (striped), AMD Radeon RAMDisk
Display(s) 2 x 4K LG 27UL600-W (and HUANUO Dual Monitor Mount)
Case Lian Li PC-O11 Dynamic Black (original model)
Audio Device(s) Corsair Commander Pro for Fans, RGB, & Temp Sensors (x4)
Power Supply Corsair RM750x
Mouse Logitech M575
Keyboard Corsair Strafe RGB MK.2
Software Windows 10 Professional (64bit)
Benchmark Scores RIP Ryzen 9 5950x, ASRock X570 Taichi (v1.06), 128GB Micron DDR4-3200 ECC UDIMM (18ASF4G72AZ-3G2F1)
My 3950x is still a workhorse of a CPU. Glad AMD changed their minds and will provide an update.

What people are missing is because of the incompleteness of this article.

This vulnerability - which AMD themselves have rated as high severity - allows undetectable persistence of UEFI malware. Once that occurs it’s throw out the machine time.
You can't just reflash it?

Kinda feels like we need a ROM bios with basic recovery features as a fallback, and a secondary flashable BIOS that can be wiped from orbit by the ROM BIOS. Or will that not even work?
UEFI on flash card. It's about overdue and motherboard manufacturers can save money on not having to implement BIOS flashback including the RGB buttons for them.
 
Joined
Mar 18, 2023
Messages
935 (1.45/day)
You can't just reflash it?

I think that the point here is that you can replace the firmware portion that does the flashing. So you would future forward always be flashing with an infected flasher that could manipulate the image to flash.

I say "I think" because it seems impossible to get any load-bearing information on this. And the Defcon talk seems to have no public recording.
 