AMD Issues Updates for Silicon-Level SinkClose Processor Flaw

Published: 23/11/2024   Category: security




The vulnerability has been around for nearly 20 years and gives sophisticated attackers a way to bury virtually undetectable bootkits on devices with EPYC and Ryzen microprocessors.



AMD has issued firmware updates to address a nearly two-decades-old silicon-level vulnerability in its EPYC data center processors and its line of Ryzen processors for PCs and embedded systems.
The flaw affects a component in the processor for protecting System Management Mode (SMM), an execution mode so protected in the processor that it is even more privileged than kernel-level mode. Researchers from IOActive who discovered the privilege escalation vulnerability described it as an unpatchable issue that, if exploited, would allow an attacker to implant malware on a system that would be almost impervious to removal attempts.
Hundreds of millions of devices worldwide currently have AMD chips that contain the vulnerability.
The SinkClose vulnerability, as IOActive researchers have dubbed it, is somewhat similar to Memory Sinkhole, an SMM-bypass vulnerability in Intel Sandy Bridge and prior processors that security researcher Christopher Domas disclosed at a Black Hat presentation in 2015. Domas has also uncovered other hardware-level vulnerabilities in Intel chips.
The vulnerability is nearly impossible to fix in computers that aren't configured correctly — which is the case for most systems, IOActive said in a statement. In properly configured systems, the vulnerability could lead to malware infections — known as bootkits — that are nearly impossible to detect.
AMD itself has described the vulnerability as an issue that gives attackers who already have ring0 — or kernel-level — access to an affected system a way to potentially modify the SMM even if SMM Lock, a feature for preventing unauthorized SMM modifications, is turned on. "Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMM Lock is enabled, potentially leading to arbitrary code execution," the chip vendor said.
SMM is a mode on AMD chips for low-level system management functions. It only executes code from a segregated block of memory called system management random access memory, or SMRAM. AMD chips implement a memory controller called TSeg to protect access to SMRAM.
However, IOActive researchers Enrique Nissim and Krzysztof Okupski found a way to overcome these protections and get SMM to essentially execute code of their choice from outside the SMRAM. They did this by leveraging a feature called TClose that AMD incorporated into its chips for backward compatibility with a legacy memory management feature. Domas' Sinkhole flaw involved a similar legacy feature in Intel chips.
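The settings the two paragraphs above turn on (SMM Lock, the TSeg range that fences SMRAM, and the legacy TClose bit) live in three AMD MSRs. The Python below is an added audit example, not code from the article, AMD or IOActive: it decodes those registers read-only and reports the states a defender would want to confirm after applying the firmware update. The MSR numbers and bit positions are assumed from AMD's public Architecture Programmer's Manual and should be re-checked for your processor family; the live read needs root and the msr driver on Linux.

```python
import os
import struct

# MSR numbers and bit positions are assumed from AMD's public APM Vol. 2 (SMM
# chapter), not from the article; re-check them for your processor family.
MSR_HWCR = 0xC0010015      # Hardware Configuration; bit 0 = SmmLock
MSR_SMM_ADDR = 0xC0010112  # TSeg base address, bits 51:17
MSR_SMM_MASK = 0xC0010113  # TSeg mask, bits 51:17; bit 1 = TValid, bit 3 = TClose
ADDR_BITS = ((1 << 52) - 1) & ~((1 << 17) - 1)  # address field, bits 51:17


def decode_smm_config(hwcr: int, smm_addr: int, smm_mask: int) -> dict:
    """Decode raw 64-bit HWCR / SMM_ADDR / SMM_MASK values into named fields."""
    mask = smm_mask & ADDR_BITS
    # TSeg covers every address equal to the base under the mask, so its size
    # is the span of address bits the mask leaves unconstrained.
    return {
        "smm_lock": bool(hwcr & 1),
        "tseg_valid": bool(smm_mask & (1 << 1)),
        "tclose": bool(smm_mask & (1 << 3)),
        "tseg_base": smm_addr & ADDR_BITS,
        "tseg_size": ((~mask) & ADDR_BITS) + (1 << 17),
    }


def findings(cfg: dict) -> list:
    """Defender-side observations; an empty list means the settings look sane."""
    out = []
    if not cfg["smm_lock"]:
        out.append("SmmLock clear: SMM configuration MSRs are writable from ring 0")
    if not cfg["tseg_valid"]:
        out.append("TValid clear: TSeg is not protecting SMRAM")
    if cfg["tclose"]:
        out.append("TClose set: TSeg accesses are redirected away from SMRAM")
    return out


def read_msr(msr: int, cpu: int = 0) -> int:
    """Read one MSR through the Linux msr driver (needs root and `modprobe msr`)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, msr))[0]
    finally:
        os.close(fd)


if __name__ == "__main__":
    live = decode_smm_config(*(read_msr(m) for m in (MSR_HWCR, MSR_SMM_ADDR, MSR_SMM_MASK)))
    print(live, findings(live) or ["no issues found"])
```

A clean result does not prove the firmware fix is present; it only confirms the configuration the vendor describes as the intended state.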
Nissim and Okupski determined an attacker could use the SinkClose flaw to drop malware deep enough — and persistent enough — inside a system to make it invisible to the operating system, the hypervisor, and to all endpoint detection mechanisms. In a talk at the DEF CON hacker conference on Aug. 10, the researchers described the vulnerability as something a remote attacker would be able to exploit. However, an adversary would need an in-depth understanding of AMD chip architecture — something that only a nation-state-level actor would likely possess — to be able to exploit it.
AMD itself has contended by way of background context that an attacker with the level of access required to exploit the SinkClose vulnerability would already have the ability to read, modify, erase, and snoop on everything on the computer. In addition, someone with operating system kernel-level access can also disable security mechanisms and prevent a computer from booting.
This is akin to having the knowledge to break into a safe deposit box at the bank, AMD noted in an email to Dark Reading. In the real world, to get to the box, a burglar must first get past the alarms, the guards, the vault door and its own locks, clearly not an easy task.
An attacker with the skills and knowledge to execute an SMM bypass attack could install malware of the sort IOActive has warned about. But it wouldn't be the first time attackers have deployed such malware, AMD said by way of background, pointing to the LoJax firmware-level rootkit from 2018. While this malware may be stealthy, it is not invisible or impossible to remediate.
AMD has released mitigation options for its AMD EPYC datacenter products and AMD Ryzen PC products, the chipmaker said. A full list of impacted products and mitigation options is available in our product security bulletin.
