"Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006

[trsttte]

UEFI on flash card. It's about overdue and motherboard manufactures can save money on not having to implement bios flashback including the RGB buttons for them.

Let's go one step further and isolate microcode/agesa into seperate modules that can be flashed independently, so no one needs to wait for motherboards vendors to repackage the amd update.

It's cool that AMD is saying 3000 series cpu will get the fix but reality is only x570 and maybe some b550 boards will ever get the bios update to apply the fix, and even then not all of them will. Platform longevity is not just every board being able to run every AM4 cpu, it needs to be bios updates as well.

 

[unwind-protect]

This goes back to what a CubeOS developer said on a recent Chaos Communication Congress:

A secure computer can not have any place to store information at all. All software including firmware needs to be on externally verifiable (removable) media.

 

[Vincero]

So in ring -2 you can flash the code in the firmware that flashes the firmware?

Why are there no jumpers or BIOS settings to prevent that when the user doesn't want it?

Many many years ago, BIOS started to contain an option that was labelled as 'Anti-virus' which essentially did something similar, blocking such things due to the creation of viruses like the CIH which was designed to damage BIOS code. You also had options for 'OS install' which would block/allow boot sector modification so boot time viruses couldn't hide in that space.
Some boards may still have these settings, but as usual it will be poorly explained in the BIOS/UEFI interface and manual.

Let's go one step further and isolate microcode/agesa into seperate modules that can be flashed independently, so no one needs to wait for motherboards vendors to repackage the amd update.

It's cool that AMD is saying 3000 series cpu will get the fix but reality is only x570 and maybe some b550 boards will ever get the bios update to apply the fix, and even then not all of them will. Platform longevity is not just every board being able to run every AM4 cpu, it needs to be bios updates as well.

Unfortunately you'd also have to integrate the TPM / any encryption/key storage and authentication devices into this, as they are also programmable / vulnerable...

 

[jareklb]

Yes and you need kernel level access to exploit it, i.e installing a compromised driver or something like that.

The concern for your average user is less than zero.

If a threat actor has that kind of access they can do much worse than just this exploit. I guess governments or people running missions critical intelligence or military infrastructure could be concerned. I'd also guess there are zero of these first gen ryzen chips being used in such places anyway.

The US Military is 100% using all gens of ryzen chips in environments like this. I personally upgraded over 30 systems for a very small squadron that were used for intelligence in ongoing missions.

 

[Visible Noise]

You can't just reflash it?

No. See my prior posts and link to CISA. Once UEFI is even potentially compromised it’s throw the pc into the dumpster time.

 

[Vincero]

No. See my prior posts and link to CISA. Once UEFI is even potentially compromised it’s throw the pc into the dumpster time.

Unless you can externally reflash/replace the chip. I don't care how good a malware may be, it would have to be pretty special to persist a full programmer wipe or replacement. Obviously gov/orgs can afford to do that, but individuals may be a bit more picky about tossing stuff unnecessarily.

 

[Visible Noise]

Unless you can externally reflash/replace the chip. I don't care how good a malware may be, it would have to be pretty special to persist a full programmer wipe or replacement. Obviously gov/orgs can afford to do that, but individuals may be a bit more picky about tossing stuff unnecessarily.

Who is going to be desoldering EEPROM chips from motherboards? Did you read the CISA link?

 

[Vincero]

Who is going to be desoldering EEPROM chips from motherboards? Did you read the CISA link?

I did read it - and as to answer your other question, there are people - as evidenced by the amount of press GPU repairers are getting for things that are still actually on sale.
Would I do it (or rather pay to get it done) for an A320 chipset motherboard... most probably not.
Would I do it for a limited edition X570 board that cost almost as much as an X3D CPU... yeah, possibly I would, especially if it's no longer on sale.

 

[Visible Noise]

I did read it

So then you read this bullet point

A device infected with this level of persistent malware basically needs to be thrown away rather than repaired.

If you know something CISA doesn’t please let them know.

 

[R-T-B]

Why are there no jumpers or BIOS settings to prevent that when the user doesn't want it?

There are typically protections against this, but thats exactly what this bug defeats.

No. See my prior posts and link to CISA. Once UEFI is even potentially compromised it’s throw the pc into the dumpster time.

Nah, just get out a ch341a and a cheap SOIC8 clip.

Of course, I know what I am doing. Most won't. So valid.

 

[Vincero]

So then you read this bullet point

A device infected with this level of persistent malware basically needs to be thrown away rather than repaired.

If you know something CISA doesn’t please let them know.

Well if you condense everything down to a statement that says 'Basically', then 'basically' you might as well toss any monitors connected to the infected PC/device via USB or Displayport connectors, network switches/routers... basically anything that might have communicated with it over a packet interface that has programmable firmware...

It's a generalised statement which may well be true for some devices where the integrated firmware is stored within microcontrollers that may be too hard to replace. Arguably something could exploit the UEFI vulnerability to deploy payloads to other integrated devices such as firmware of an SSD (the most likely concern), the LAN chip, etc., but that would be reliant upon a vulnerability existing within that potential configuration - most UEFI systems use UEFI software modules loaded into the BIOS image to control LAN chips for PXE boot, etc., and SSDs are easily replaced, and with the current generation of systems SSDs are cheaper than some mediocre motherboards.

BUT, in reality, the odds are good that a majority of normal motherboards could be salvaged by replacing a chip (or two with dual-BIOS) which contains pretty much all the UEFI data. Thanks to fTPM, there isn't even a TPM chip that could be vulnerable - you get to clear both the UEFI and fTPM persistant storage areas in one hit.

Again, for sure governments would errr on the side of caution and have the resources to send a whole office block of devices to the dump and replace them all, which is who CISA guidance is primarily aimed at.

Nah, just get out a ch341a and a cheap SOIC8 clip.

Of course, I know what I am doing. Most won't. So valid.

How much do you charge...?

 

[R-T-B]

How much do you charge...?

Last firmware job was 30 bucks an hour, probably double that with inflation if its a simple job. Of course finding time these days is another matter.

 

[trieste15]

MSI released a fix for my B45 mobo. However, I use a Ryzen 3600, is the fix meant for Ryzen 5xxx CPUs in this case?

 

[_roman_]

Shame on AMD for that

Update 08:20 UTC: AMD confirmed that the Ryzen 3000 series "Matisse" processors are getting an update planned for August 20, 2024.

Ryzen 1000 is heavily faulty by design. Ryzen 2000 technology based or newer should have gotten an update.

--

On a sitenote I'm kinda happy to have thrown away the B550 / Ryzen 5800x box which I bought late. I bought that at nearly end of life product cycle. wifi bug / boost bug ... too annoying.

I estimate more firmware and design Issues in the future. I estimate less fixes for known faults.

--

As far as I know not everything is reprogrammed by a UEFI update. I doubt ASUS or MSI have any open documentation on which memory section are the serial numbers, mac addresses, windows license and other stuff.
I'm kinda sure, when you overwrite the hole chip you end up with no mac address for your network interface cards and other nonsense you do not want.

I do agree a proper usb programmer on a secure plattform with a proper software you can easily overwrite those "uefi / bios" chips. Most likely there will be public available datasheets for the pinout for those chips.

--

When there are no updates or delayed updates the long term support of AM4 or AM5 is basically than a fraud. When AM4 does not get any updates for those mainboard chipssets and processors, the hole marketing AM4 bubble is just a fraud.

Platform longevity is not just every board being able to run every AM4 cpu, it needs to be bios updates as well.

You mean long term security fixes for the common operating systems.

 

[mb194dc]

The US Military is 100% using all gens of ryzen chips in environments like this. I personally upgraded over 30 systems for a very small squadron that were used for intelligence in ongoing missions.

When you think about it though, with kernel access you don't even need this exploit to flash the bios anyway. Plenty of tools to do that. A threat actor with the level of sophistication to get that far won't need this exploit anyway.

 

[R-T-B]

When you think about it though, with kernel access you don't even need this exploit to flash the bios anyway. Plenty of tools to do that. A threat actor with the level of sophistication to get that far won't need this exploit anyway.

I mean, yes, but no. Secure boot if it's on thwarts pretty much any bios mod these days, including malware.

 

[S-TKUC]

A beta BIOS update is now available for AsRock B550 and A520 motherboards.

The response was much faster than I expected, but it is not yet available for the X570.

ASRock > Support

asrock.com

There seems to be an update to AMD's information as well.

2024-08-20	Added additional PI mitigation for “Matisse”
2024-08-19	Update: Mitigation for “Matisse” is now available

AMD AM4 AGESA Combo V2 PI 1.2.0.Cc

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html

 

[plumbertp]

A beta BIOS update is now available for AsRock B550 and A520 motherboards.

The response was much faster than I expected, but it is not yet available for the X570.

ASRock > Support

asrock.com

There seems to be an update to AMD's information as well.

2024-08-20	Added additional PI mitigation for “Matisse”
2024-08-19	Update: Mitigation for “Matisse” is now available

AMD AM4 AGESA Combo V2 PI 1.2.0.Cc

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html

About to update the bios till I read about some users having some problems with this update. Has GG fixed the problem yet?

 

[RaceT3ch]

Damn it, another BIOS update?
I just patched the LogoFail exploit last month...

 

[S-TKUC]

About to update the bios till I read about some users having some problems with this update. Has GG fixed the problem yet?

I have not tried this BIOS update yet.
I do not know of any articles regarding problems with the update.
I don't have much faith in AsRock's beta BIOS so I will wait for the official version.

 

[plumbertp]

I have not tried this BIOS update yet.
I do not know of any articles regarding problems with the update.
I don't have much faith in AsRock's beta BIOS so I will wait for the official version.

Thanks.

The update link is on GG's website. It should not be a beta version, right?

Update AMD AGESA 1.2.0.Cc for fix Sinkclose Vulnerability of AMD processors (SMM Lock Bypass)

 

[S-TKUC]

When I checked AMD's official information again, there was an update on October 30th.

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html

Revision Date	Description
2024-10-30	Added AM4PI mitigation for “Picasso”, “Raven Ridge”, “Pinnacle Ridge”

This update was unexpected.
Since it's an update to an older CPU, the motherboard manufacturer doesn't seem to be proactive.

Has anyone found a BIOS that supports this update?
My motherboard was not applicable.

 

[LabRat 891]

When I checked AMD's official information again, there was an update on October 30th.

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html

Revision Date	Description
2024-10-30	Added AM4PI mitigation for “Picasso”, “Raven Ridge”, “Pinnacle Ridge”

This update was unexpected.
Since it's an update to an older CPU, the motherboard manufacturer doesn't seem to be proactive.

Has anyone found a BIOS that supports this update?
My motherboard was not applicable.

Looks like latest is an Aug '24 Beta w/ 1.2.0.Cc AGESA.
I'd e-mail AsRock about it. AM4 is still a fully supported platform, after all.

 

[S-TKUC]

View attachment 371620
Looks like latest is an Aug '24 Beta w/ 1.2.0.Cc AGESA.
I'd e-mail AsRock about it. AM4 is still a fully supported platform, after all.

I apologize for the misleading text.

The B550 doesn't support "Raven Ridge" or "Pinnacle Ridge," so the update probably won't come.

Apart from my main PC, I own multiple motherboards, and as far as I checked, there was no update for "ComboAM4PI 1.0.0.C".
・AsRock B450M-HDV
・AsRock Fatal1ty X370 Gaming K4
・AsRock DeskMini A300 (A300M-STX)

 

[S-TKUC]

Updated CPU support list does not include MOBILE - AMD Ryzen “Raven Ridge”.
I have a Dell Inspiron 5575 Ryzen 5 2500U laptop, but I have given up on updating the BIOS.

Motherboard manufacturers often provide support for DIY PCs, but I feel that they do not support this for notebook PCs or handheld PCs such as GPD.
At least for the GPD Win Max2 (6800U) that I own, the latest BIOS is December 22, 2022.