"Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006 (2024)

');$('.tpu-fancybox-wrap').css('maxWidth', maxWidth);*/instance.$refs.stage.on('transitionend', function() {updateButtonPos(instance);});},onUpdate: updateButtonPos,afterShow: function(instance, slide) {updateButtonPos(instance);instance.$refs.inner.find('.fancybox-tpu-nav').show();},beforeClose: function(instance, slide) {instance.$refs.inner.find('.fancybox-tpu-nav').hide();},afterClose: function(instance, slide) {$('.tpu-fancybox-wrap').contents().unwrap();$('body').removeClass('tpu-fancybox-body-wrap')},baseTpl: '

',});});}loadjs.ready(['jquery', 'fancybox', 'swiper'], function() {attachLightbox('a[data-fancybox]');if ($(window).width()<600) {$('.imgcontainer').each(function() {var $this=$(this);if (($this.find('a').length==1) || ($this.find('a').length>7))return;$this.addClass('swiper-container');$this.find('a').addClass('swiper-slide').css('width', 'auto').wrapAll('

');new Swiper ($this.eq(0), { slidesPerView: 'auto', slidesPerGroup: 1, spaceBetween: 15, pagination: { el: '.swiper-pagination', clickable: true } });});}$('.newspost').on('click', '.spoiler > .button, .spoiler > a', function(e) {e.preventDefault();$(this).next('div').toggle();});$('.newspost').on('click', '.ispoiler', function(e) {e.preventDefault();$(this).find('div').css('filter', '');$(this).removeClass('ispoiler');});$('.contnt').on('click', '.newspoll_btn', function() {popup.Show('TechPowerUp Quick Poll','Loading...');$.get('/news-poll/options?id='+$(this).data('id'), function(data) {$('#popup_content').html(data);});});});

Friday, August 16th 2024

"Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006 (1)

Updatedby

AleksandarK
Updated: Discuss (115 Comments)

A critical security flaw known as "Sinkclose" (CVE-2023-31315) has been identified in all AMD processors dating back to 2006, potentially affecting hundreds of millions of devices worldwide. This vulnerability allows malicious actors to exploit the chip architecture, leading to unauthorized access to sensitive data. Researchers Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, have revealed that the vulnerability can be exploited through various methods, enabling attackers to extract confidential information from affected systems, including passwords and personal data. The issue is especially concerning, given that it is present in all AMD CPUs made in the last 18 years and their widespread use in both consumer and enterprise environments. However, to exploit this vulnerability, an attacker must possess access to system's kernel. Downloading of malware-infused files can trigger it, so general safety measures are recommended.

The Sinkclose method exploits a little-known capability in AMD processors called TClose. This name is a blend of "TClose" and "Sinkhole," with the latter referring to a previous vulnerability found in Intel's System Management Mode in 2015. AMD chips employ a protective mechanism named TSeg, which blocks operating systems from accessing a specific memory area reserved for System Management Mode (SMM), known as System Management Random Access Memory (SMRAM). However, the TClose feature is designed to maintain backward compatibility with older hardware that might use the same memory addresses as SMRAM. It does this by remapping memory when activated. The security experts discovered that they could manipulate this TClose remapping function using only standard operating system permissions. By doing so, they could deceive the SMM into retrieving altered data, enabling them to redirect the processor and run their own instructions with the high-level privileges of SMM. This technique essentially allows attackers to bypass standard security measures and execute malicious code at one of the most privileged levels of the processor, potentially compromising the entire system.

In response to the discovery, AMD has initiated a patching process for its critical chip lines, aiming to mitigate the risks associated with this flaw. The company works closely with hardware manufacturers and software developers to ensure that updates are deployed swiftly and effectively. Enrique Nissim and Krzysztof Okupski agreed not to publish any proof-of-concept code for the vulnerability to ensure that the patches aren't rushed and systems are not getting exploited. AMD already issued patched for most of its models, and you should check out the official website for your specific mitigation firmware update. The enterprise EPYC CPUs and Instinct accelerators have been a first-priority products with patches implemented in May, while consumer desktop/laptop 4000/5000/7000/8000 series CPUs received a fix in August.

No fixes are planned for 3000 series Ryzen CPUs

. Workstation-grade CPUs have also received an update to mitigate this issue.

Update 08:20 UTC: AMD confirmed that the Ryzen 3000 series "Matisse" processors are getting an update planned for August 20, 2024.

Sources:Wired, AMD

Related News

  • Tags:
  • AMD
  • CPU
  • Intel
  • RAM
  • Research
  • SMM
  • SMR
  • SMRAM
  • vulnerability
  • Jul 23rd 2024 Intel Statement on 13th and 14th Gen Core Instability: Faulty Microcode Causes Excessive Voltages, Fix Out Soon (387)
  • Feb 4th 2024 AMD Readies X870E Chipset to Launch Alongside First Ryzen 9000 "Granite Ridge" CPUs (216)
  • Apr 16th 2020 AMD Ryzen 4000 Series "Vermeer" CPUs to be Compatible with B450 Motherboards (58)
  • Jan 26th 2024 More AMD Ryzen 9000 "Zen 5" Desktop Processor Details Emerge (85)
  • Jun 18th 2024 Retailers Leaked AMD Zen 5 Release Date and Prices (29)
  • Jun 2nd 2024 AMD Outs Ryzen 5000XT Processors for Socket AM4, an 8-year Old Socket (213)
  • Jun 12th 2024 AMD Says Ryzen 9000 Series Won't Beat 7000X3D Series at Gaming (141)
  • Jul 8th 2024 AMD is Becoming a Software Company. Here's the Plan (139)
  • Jul 26th 2024 Intel Will Not Recall Failing 13th and 14th Gen CPUs (262)
  • Jul 31st 2024 Ryzen 9000-series Pricing Leak Ahead of Launch (75)
Add your own comment
#1
mb194dc

Yes and you need kernel level access to exploit it, i.e installing a compromised driver or something like that.

The concern for your average user is less than zero.

If a threat actor has that kind of access they can do much worse than just this exploit. I guess governments or people running missions critical intelligence or military infrastructure could be concerned. I'd also guess there are zero of these first gen ryzen chips being used in such places anyway.

#2
mtosev

I hope that the fix won't affect the performance of these chips.

#3
ncrs
The security experts discovered that they could manipulate this TClose remapping function using only standard operating system permissions

Just to clarify, "standard operating system permissions" means administrative access. In this context "standard" means ring 0 in the x86 nomenclature, while SMM itself is often described as ring -2.

AMD was made aware of this vulnerability before revealing it; however, time is still required to implement the fix.

In the AMD security bulletin linked in the news it clearly states that microcode fix has been already released in May 2024, but only for EPYCs and Instinct APUs.
Fixed consumer firmware will come later this year.

mtosevI hope that the fix won't have a performance penalty.

It's unlikely since the fix for EPYCs was already in use for a few months.

#4
gs020p

Yepp till Intel stock did not crash AMD issues never got highlighted. We as users will always be played by state to use our data in the name of hackers.

#5
ty_ger
mb194dcYes and you need kernel level access to exploit it, i.e installing a compromised driver or something like that.

The concern for your average user is less than zero.

If a threat actor has that kind of access they can do much worse than just this exploit. I guess governments or people running missions critical intelligence or military infrastructure could be concerned. I'd also guess there are zero of these first gen ryzen chips being used in such places anyway.

I don't understand this sort of flippant response. People install malicious software every day via social engineering. This is another exploit that allows slightly malicious software to become very malicious. There is no reason to downplay its potential until it is fixed.

#6
azrael

A bit miffed that the 3000 (and also 1000 and 2000) series won't get a patch. Thinking about desktop chips, of course.

#7
john_

Time to replace those old Opteron servers.
Or maybe

to exploit this vulnerability, an attacker must possess access to system's kernel

not.

azraelA bit miffed that the 3000 (and also 1000 and 2000) series won't get a patch. Thinking about desktop chips, of course.

AMD does have a habit of not supporting hardware that is still in the market. I am not sure if the old(10-15 years ago) AMD was doing it, but today's AMD does.
I mean, Vega is not getting the same upgrades as RDNA2/3 chips, but it's still on the market, in the form of the iGPU in many AMD chips.
3000(Zen 2) series is still selling as mobile chips and desktop chips. Under new names as part of mobile 7000 series, or as part of the 4000 desktop APUs.

#8
kondamin
mb194dcYes and you need kernel level access to exploit it, i.e installing a compromised driver or something like that.

The concern for your average user is less than zero.

If a threat actor has that kind of access they can do much worse than just this exploit. I guess governments or people running missions critical intelligence or military infrastructure could be concerned. I'd also guess there are zero of these first gen ryzen chips being used in such places anyway.

The concern for your average user with administrator privileges, which is like 99.9% of home users is very much there.
Especially if they use pirated software or cheat software which makes you turn off your anti virus software
I've even seen legitimate printer drivers trigger antivirus warnings forcing me to turn off protection to be able to install the device.

So, yes it's important this patch gets pushed and I hope it happens automatically trough a windows update or something so tech illiterate's machines get patched too.

#9
LabRat 891

I'm guessing the first unaffected uArch is K8?
Phenom/K10 was introduced in 2006, iirc.

#10
Naito

Where humans exist, errors exist.

#11
Frick

Fishfaced Nincompoop

kondaminThe concern for your average user with administrator privileges, which is like 99.9% of home users is very much there.

Can you even run Windows 10/11 as admin by default?

#12
Bwaze

"No fixes are planned for 3000 series Ryzen CPUs."

I wonder why such an arbitrary cut-off date for relatively recent product? There wasn't much incentive for Ryzen 3000 users to upgrade, so I think they are still very common?

#13
kondamin
FrickCan you even run Windows 10/11 as admin by default?

sure you can, just because it's tied to a cloud account doesn't take away your admin privileges.
you wouldn't be able to install office 365 is you weren't

#14
Frick

Fishfaced Nincompoop

kondaminsure you can, just because it's tied to a cloud account doesn't take away your admin privileges.
you wouldn't be able to install office 365 is you weren't

Why would installing programs require admin privilegies? If I launch CMD it does not have that.

#15
Vincero
Bwaze"No fixes are planned for 3000 series Ryzen CPUs."

I wonder why such an arbitrary cut-off date for relatively recent product? There wasn't much incentive for Ryzen 3000 users to upgrade, so I think they are still very common?

I am even more confused as the Ryzen 4000 APUs are using Zen2 cores which normal desktop Ryzen 3000 CPUs also use. Maybe because 3000 series APUs are not Zen2 based they saved confusion by excluding the entire 3000 lineup... seems odd/dumb, especially as they qualify for the whole BS around Win11 compatibility.

FrickWhy would installing programs require admin privilegies? If I launch CMD it does not have that.

Not until you run a command that does and then you get the UAC prompt...

#16
Crackong
to exploit this vulnerability, an attacker must possess access to system's kernel

I don't think anyone having access to your kernel really needs to use an vulnerability anymore.

#17
ty_ger
CrackongI don't think anyone having access to your kernel really needs to use an vulnerability anymore.

Why not? Kernel access just needs social engineering. That happens all the time. That will "only" give them Ring 0 access. This vulnerability would allegedly give them Ring -2 access. That's where you can do lasting damage without detection.

#18
Chrispy_

Dumb question;

Once a bad actor has kernel access, isn't the whole system already 100% exploitable, 100% compromised at that point, no matter what?

Ring 0 access is already a total system loss, time for a system wipe involving a BIOS reflash and then bootup from an external drive to secure-erase the original disk. The fact this gives attackers even more access is a moot point, no?

#19
ty_ger
Chrispy_Dumb question;

Once a bad actor has kernel access, isn't the whole system already 100% exploitable, 100% compromised at that point, no matter what?

Ring 0 access is already a total system loss, time for a system wipe involving a BIOS reflash and then bootup from an external drive to secure-erase the original disk. The fact this gives attackers even more access is a moot point, no?

No. A threat can operate quietly in Ring 0 theoretically for a while, but once found out, it can be detected and eliminated. You gave an example of how it could be eliminated. But let's be real: almost no one is going to do a bios flash.

Ring -2 could theoretically avoid detection forever and not be eliminated so easily. Almost no one will think that they will have something operating at that level that a bios reflash is necessary.

#20
Daven
ty_gerWhy not? Kernel access just needs social engineering. That happens all the time. That will "only" give them Ring 0 access. This vulnerability would allegedly give them Ring -2 access. That's where you can do lasting damage without detection.

He or she means that already having Kernel level access gives you the ability to wreak havoc, even if Sinkclose didn’t exist.

#21
Easo
Chrispy_Dumb question;

Once a bad actor has kernel access, isn't the whole system already 100% exploitable, 100% compromised at that point, no matter what?

Ring 0 access is already a total system loss, time for a system wipe involving a BIOS reflash and then bootup from an external drive to secure-erase the original disk. The fact this gives attackers even more access is a moot point, no?

Not a dumb question, but yes, at that point you already have lost. Biggest issue is with virtualization - if you can escape it all these CPU vulnerabilities can allow attacker to start moving around.

#22
ty_ger
DavenHe or she means that already having Kernel level access gives you the ability to wreak havoc, even if Sinkclose didn’t exist.

See reply above to same question.

One is lasting and avoids detection, the other not.

What is this logic? Because something that is bad already exists, something that is worse isn't bad?

#23
Vincero
EasoNot a dumb question, but yes, at that point you already have lost. Biggest issue is with virtualization - if you can escape it all these CPU vulnerabilities can allow attacker to start moving around.

Hard to know if virtualisation would be an attack vector - accessing the SMM on many machines is at a 'system'/interrupt level, however in a virtual machine the hypervisor is pretending to be the system with fake hardware interrupts, etc., and I'd hope / expect there would be protections in place around this function (SMM goes back a looooong time) - normal apps / most OS functions would never likely need to access the SMM either so not sure even initialising the capability would even be virtualised. Potentially VMs with VT-d/IOMMU priviledges may be able to escape this, but that's assuming that access vector is exposed through that resource branch (which is unlikely...?).
Most modern uses of SMM for power management, device hotplugging, plug/play & IO/APIC stuff, would all be masked by the hypervisor in nearly every instance I can think of.

This would seem to be a vulnerability that is primarily exposed by the exploit needing to be executed by someone/something at the main OS level.

#24
Hecate91
ty_gerWhat is this logic? Because something that is bad already exists, something that is worse isn't bad?

No its because something worse is a moot point as if someone attacks at ring 0, the user is already compromised, though either is unlikely unless if the user is clicking on suspicious links.

#25
Chrispy_
ty_gerRing -2 could theoretically avoid detection forever and not be eliminated so easily. Almost no one will think that they will have something operating at that level that a bios reflash is necessary.

Oh, I've been BIOS flashing compromised systems for almost two decades. Rootkits that can survive a disk wipe and OS reinstall have been around since Sony's silly rootkit scandal of 2005 hit mainstream media and even global broadcast TV news. Anyone not considering rootkits is ignorant of basic security vulnerabilities and that means they should hand over the job to someone with a clue; they're unfit to do it themselves.

I barely have a clue, but that's why I hire people whose sole job it is to be on top of this stuff.

Add your own comment
"Sinkclose" Vulnerability Affects Every AMD CPU Dating Back to 2006 (2024)

FAQs

What is the new AMD vulnerability? ›

The “Sinkclose” flaw allows an infected PC to run unchecked code on an AMD Ryzen processor in System Management Mode, bypassing checks in Windows and even most BIOS and UEFI setups. The issue was discovered by researchers from IOActive and shown off at Defcon.

What is the AMD chip security flaw? ›

A critical security flaw known as "Sinkclose" (CVE-2023-31315) has been identified in all AMD processors dating back to 2006, potentially affecting hundreds of millions of devices worldwide. This vulnerability allows malicious actors to exploit the chip architecture, leading to unauthorized access to sensitive data.

What is the Intel and AMD vulnerability? ›

Intel CPUs from the 6th to 11th generations are said to be vulnerable. The AMD vulnerability is characteristic of the Zen 2 chips. Like the Intel chips, the AMD Zenbleed vulnerability exploits speculative execution operations, which conventionally allows parallel execution of instructions to improve performance.

What is the greatest risk of AMD? ›

Risk factors for AMD include being 50 and older, smoking, having high blood pressure and eating a diet high in saturated fat. Although there is no cure for AMD, there are treatment options that may prevent or slow the progression of the disease.

What is the threat of AMD? ›

When AMD is released into the environment, it can pollute both groundwater and surface water. Its effects are devastating as it leaches into aquifers or flows into rivers and streams. It sterilises soils and contaminates food crops, puts fauna and flora at risk, and is dangerous to human health.

How did Intel fall behind AMD? ›

A massive efficiency edge for AMD

Intel has had to sacrifice power efficiency to keep pace, and the gap between Intel and AMD is now a mile wide. In Tom's Hardware's review of AMD's Ryzen 9950X, Intel's 14900K used nearly 30% more power in some cases.

Is Intel losing to AMD? ›

"We anticipate that the company (Intel) will continue to lose share to AMD as its manufacturing roadmap is tepid compared to that of the leading-edge player," Mosesmann said in a client note.

Why is AMD beating Intel? ›

While Intel focused on creating a single CPU, AMD made chipsets. It created multiple chipsets that acted as a single CPU, instead of one big chip. This redesign was what set the stone for AMD to gain leadership in the industry. They were also well-accepted in the market as they offered advanced products for half price.

Is zen bleed serious? ›

While Zenbleed is a significant threat, it's just one example of a larger category known as transient execution CPU vulnerabilities. These vulnerabilities exploit speculative execution mechanisms in modern processors.

What is the new FortiOS vulnerability? ›

On Tuesday, Fortinet also warned of multiple medium-severity stack-based buffer overflow vulnerabilities (collectively tracked as CVE-2023-46720) in FortiOS that could be exploited for arbitrary code execution via crafted CLI commands. FortiOS versions 7.2. 8 and 7.4.

What CPUs are affected by Zenbleed? ›

This hardware fault affects all processors within the AMD Zen 2 family, from the server oriented EPYC line, to the Ryzen and Threadripper 3000 series for desktops, Ryzen 4000U/H and 5000U series for laptops and more.

Is Ryzen 5 3600 affected by Zenbleed? ›

The Zenbleed exploit significantly impacts the security of systems running AMD's Zen 2 processors, including popular CPUs like the Ryzen 5 3600 and the entire Zen 2 product stack. The exploit allows attackers to steal data from any software on an impacted system.

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Roderick King

Last Updated:

Views: 5964

Rating: 4 / 5 (71 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Roderick King

Birthday: 1997-10-09

Address: 3782 Madge Knoll, East Dudley, MA 63913

Phone: +2521695290067

Job: Customer Sales Coordinator

Hobby: Gunsmithing, Embroidery, Parkour, Kitesurfing, Rock climbing, Sand art, Beekeeping

Introduction: My name is Roderick King, I am a cute, splendid, excited, perfect, gentle, funny, vivacious person who loves writing and wants to share my knowledge and understanding with you.