AMD’s ‘Sinkclose’ vulnerability affects hundreds of millions of processors, enables data theft — AMD begins patching issue in critical chip lines, more to follow

‘Sinkclose’ is the name of a recently discovered major security vulnerability that affects virtually all of AMD’s processors released since 2006. This flaw allows attackers to deeply infiltrate a system, making it extremely difficult to detect or remove malicious software. The issue is so severe that, in some cases, it may be easier to abandon an infected machine than to repair it, reports Wired

There is good news, though: since it has not been discovered for 18 years, it likely hasn’t been used. Also, AMD is patching its platforms to protect them, though not all affected processors have received a patch yet.  

Sinkclose evades antiviruses and persists even after OS reinstall

The Sinkclose vulnerability allows hackers to execute code within the System Management Mode (SMM) of AMD processors, a highly privileged area typically reserved for critical firmware operations. To exploit this flaw, attackers must first gain access to a system’s kernel, which isn’t easy, but it is possible. However, the system must already have been compromised by some other attack. 

Once this access is secured, the Sinkclose vulnerability allows the perpetrators to install bootkit malware that evades detection by standard antivirus tools, remaining nearly invisible within the system and can persist even after the operating system is reinstalled.  

The vulnerability leverages an ambiguous feature in AMD chips known as TClose, which is meant to maintain compatibility with older devices. By manipulating this feature, the researchers were able to redirect the processor to execute their own code at the SMM level. This method is complex but provides attackers with deep and persistent control over the system. 

Security researchers Enrique Nissim and Krzysztof Okupski from IOActive identified the Sinkclose vulnerability. They will present it at the Defcon conference tomorrow.  

“To take advantage of the vulnerability, a hacker has to already possess access to a computer’s kernel, the core of its operating system,” an AMD statement issued to Wired reads. AMD likens the Sinkhole technique to gaining access to a bank’s safe deposit boxes after already getting past its alarms, guards, and vault door. 

Nissim and Okupski point out that although exploiting Sinkclose requires kernel-level access, vulnerabilities at this level are frequently discovered in Windows and Linux systems. They suggest that advanced state-sponsored hackers likely already have the tools to exploit these kinds of vulnerabilities. According to researchers, kernel exploits are readily available, making Sinkclose the next step for attackers. To remove the malware, one would need to open the computer, connect to a specific part of its memory using an SPI Flash programmer, carefully inspect the memory, and then remove the malware.

Impacts a wide range of AMD CPUs

The Sinkclose flaw impacts a wide range of AMD processors used in client PCs, servers, and embedded systems. Unfortunately, AMD’s latest Zen-based processors with the platform Secure Boot feature not properly implemented by a computer maker or motherboard producers are especially vulnerable in the sense that it is harder to detect malware installed in AMD’s secure enclave.

The researchers waited 10 months before disclosing the vulnerability to give AMD more time to address it. AMD has acknowledged the vulnerability and begun releasing mitigation options for affected products, including its EPYC datacenter and Ryzen PC processors. Patches for some products have already been issued, with more expected soon. However, AMD has not yet disclosed how it will address the vulnerability across all affected devices. 

The researchers caution that the vulnerability represents a significant risk, and users should not delay in implementing any available fixes to protect their systems. Nissim and Okupski stress the importance of applying these patches as soon as they become available, despite the difficulty in exploiting the ‘backdoor.’ They argue that sophisticated state-sponsored hackers could already possess the means to exploit this vulnerability, making timely updates crucial to maintaining system security.