Serious vulnerability discovered in AMD CPUs: invisible malware risk
Critical flaws put AMD CPUs at risk: how hackers can gain stealth, persistent access to your systems
A security vulnerability called Sinkclose has been affecting AMD CPUs since 2006, allowing access to the Ring -2 level. By exploiting the TClose feature, attackers can install persistent malware. AMD is releasing patches, but some models are still without updates.
A security vulnerability called Sinkclose has been identified in AMD CPUs released since 2006, and possibly earlier. Discovered by researchers Enrique Nissim and Krzysztof Okupski of IOActive, the flaw will be presented at the Defcon conference in a talk titled “AMD Sinkclose: Universal Ring-2 Privilege Escalation.” Tracked as CVE-2023-31315 and rated high severity with a CVSS score of 7.5, Sinkclose allows attackers who already hold kernel privileges to reach the Ring -2 privilege level and install malware that is nearly undetectable.
The architecture of system privileges
The Ring -2 privilege level is associated with the System Management Mode (SMM) of CPUs, which is used for power management, hardware control, security, and other essential low-level operations. This level is isolated from the operating system to prevent attacks. If an attacker gains access to a system's kernel, they can execute code within the SMM. This would make it possible to install a bootkit, which would remain hidden and persistent even after the operating system is reinstalled. In some cases, removing a bootkit requires significant hardware intervention, such as connecting to the PC's memory with an SPI Flash programmer to inspect it and remove the malware.
Sinkclose Vulnerability Technical Details
The Sinkclose vulnerability exploits an obscure feature of AMD chips called TClose, which is designed to provide backward compatibility with older devices. By manipulating this feature, the researchers were able to get the processor to run their code at the SMM level. An attacker must already have access to a computer’s kernel to exploit the vulnerability, which in itself requires bypassing multiple security barriers. AMD released a statement comparing this access to opening safety deposit boxes after getting past the security guards and alarms at a bank. AMD is patching its platforms, but not all affected chips have received updates. CPUs not yet listed as patched include the Zen 5-based Ryzen 9000 and Ryzen AI 300.
Consequences and measures to be taken
Researchers Nissim and Okupski waited 10 months before disclosing the vulnerability, giving AMD time to fix it. They will not release any proof-of-concepts for several months to allow for further fixes. While kernel-level access is required to exploit Sinkclose, kernel-level vulnerabilities are relatively common in Windows and Linux systems. Experts warn of potential threats from state-backed hacker groups, suggesting they already have tools to exploit this vulnerability. Users, especially businesses, are advised to implement fixes via firmware updates as soon as possible to mitigate the risks.
08/20/2024 09:01
Marco Verro