
Serious vulnerability discovered in AMD CPUs: invisible malware risk

Critical flaws put AMD CPUs at risk: how hackers can gain stealth, persistent access to your systems

A security vulnerability called Sinkclose affects AMD CPUs dating back to 2006 and grants access to the Ring -2 privilege level. By abusing the TClose feature, attackers who already control the kernel can install persistent, nearly undetectable malware. AMD is releasing patches, but some models are still without updates.


A security vulnerability called Sinkclose has been identified in AMD CPUs released in 2006 or later, and possibly in earlier models as well. Discovered by researchers Enrique Nissim and Krzysztof Okupski of IOActive, the flaw will be presented at the Defcon conference in a talk titled “AMD Sinkclose: Universal Ring-2 Privilege Escalation.” Tracked as CVE-2023-31315 and rated high severity with a CVSS score of 7.5, Sinkclose allows attackers who already hold kernel privileges to reach the Ring -2 privilege level and install malware that is nearly undetectable.

The architecture of system privileges

The Ring -2 privilege level corresponds to the CPU's System Management Mode (SMM), which handles power management, hardware control, security functions, and other essential low-level operations. SMM is isolated from the operating system precisely so that it cannot be attacked from there. If an attacker gains control of a system's kernel and can break that isolation, they can execute code within SMM. This makes it possible to install a bootkit that remains hidden and persistent even after the operating system is reinstalled. In some cases, removing such a bootkit requires significant hardware intervention, such as connecting an SPI Flash programmer to the PC's firmware flash chip to inspect it and remove the malware.

Sinkclose vulnerability technical details

The Sinkclose vulnerability exploits an obscure feature of AMD chips called TClose, which is designed to provide backward compatibility with older devices. By manipulating this feature, the researchers were able to get the processor to run their code at the SMM level. An attacker must already have kernel access on the target computer to exploit the vulnerability, and obtaining that access means bypassing multiple security barriers first. AMD released a statement comparing this to opening safety deposit boxes after already getting past the security guards and alarms at a bank. AMD is patching its platforms, but not all affected chips have received updates yet. Chips not yet listed as covered include the Zen 5-based Ryzen 9000 and Ryzen AI 300.

Consequences and measures to be taken

Researchers Nissim and Okupski waited 10 months before disclosing the vulnerability, giving AMD time to fix it. They will not release proof-of-concept code for several months to allow further fixes to be deployed. While kernel-level access is required to exploit Sinkclose, kernel-level vulnerabilities are relatively common in Windows and Linux systems. Experts warn of a potential threat from state-backed hacker groups and suggest that such groups may already have tools capable of exploiting this vulnerability. Users, and especially businesses, are advised to apply the fixes via firmware updates as soon as possible to mitigate the risk.


08/20/2024 09:01

Marco Verro
