AMD recently released firmware updates to address a significant vulnerability that has existed in its EPYC data center processors and Ryzen processors for nearly two decades. This vulnerability, known as the SinkClose flaw, was discovered by researchers from IOActive and poses a serious threat to millions of devices worldwide that have AMD chips.
The SinkClose vulnerability is similar to the Memory Sinkhole issue identified in Intel processors several years ago. It is a privilege escalation flaw in the processor’s System Management Mode (SMM), a mode that is even more privileged than the kernel. If successfully exploited, it would enable attackers to implant malware on a system that would be extremely difficult to detect and remove.
According to IOActive, on computers that are not configured correctly, which unfortunately describes the majority of systems, an infection that exploits SinkClose is nearly impossible to remediate. Even on properly configured systems, the flaw could be used to install persistent malware known as a bootkit that is highly resistant to removal.
AMD has acknowledged the severity of this vulnerability, stating that an attacker who already has ring 0 (kernel-level) access may be able to modify the SMM configuration even when SMM Lock is enabled. This could lead to arbitrary code execution in SMM and compromise the security of the system. SMM is a mode on AMD chips that handles low-level system management functions and executes code from a segregated block of memory called System Management RAM (SMRAM).
Researchers Enrique Nissim and Krzysztof Okupski from IOActive found a way to bypass the protections intended to prevent SMM exploitation by leveraging a legacy feature of AMD chips called TClose. This flaw would allow attackers to insert malware deep within a system, making it invisible to traditional security measures and endpoint detection mechanisms.
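The two paragraphs above mention SMM Lock, SMRAM (the TSeg region) and the TClose feature without showing how an administrator can actually see those settings. The script below is an added example, not code from the article, IOActive or AMD: it reads the relevant AMD model-specific registers through the Linux msr driver (root and `modprobe msr` required) and decodes them into a readable state, reporting whether SmmLock is set, whether the TSeg range is valid, and whether TClose/AClose are unexpectedly set outside SMM. The MSR numbers (HWCR, SMM_ADDR, SMM_MASK) are from AMD's architecture manuals; the position of the TClose/AClose bits is taken from the APM Vol. 2 description of SMM_MASK and should be verified against the PPR for your processor family. The sample register values are constructed so the decoder can be exercised offline.

```python
#!/usr/bin/env python3
"""Added example (not from the article): decode the AMD SMM protection state
that ring 0 can observe, so an administrator can confirm SmmLock and the TSeg
configuration and notice an unexpected TClose/AClose setting. Live reads need
Linux, root, and the msr module (`modprobe msr`); the decoder itself runs
offline on constructed register values."""
import glob
import os

# MSR numbers as documented in the AMD64 APM Vol. 2 and the family BKDG/PPR.
MSR_HWCR = 0xC0010015      # Hardware Configuration Register; bit 0 = SmmLock
MSR_SMM_ADDR = 0xC0010112  # TSeg base address (bits 63:17)
MSR_SMM_MASK = 0xC0010113  # TSeg mask (bits 63:17) plus ASeg/TSeg control bits

# SMM_MASK control-bit layout assumed from the APM Vol. 2 SMM_MASK description;
# verify against the PPR for your processor family before relying on it.
SMM_MASK_AVALID = 1 << 0
SMM_MASK_TVALID = 1 << 1
SMM_MASK_ACLOSE = 1 << 2
SMM_MASK_TCLOSE = 1 << 3
U64 = (1 << 64) - 1
SEG_FIELD = ~((1 << 17) - 1) & U64   # bits 63:17 carry base/mask; low bits are flags


def decode_smm_state(hwcr, smm_addr, smm_mask):
    """Turn raw HWCR/SMM_ADDR/SMM_MASK values into a readable dict."""
    mask_field = smm_mask & SEG_FIELD
    return {
        "smm_lock": bool(hwcr & 1),
        "aseg_valid": bool(smm_mask & SMM_MASK_AVALID),
        "tseg_valid": bool(smm_mask & SMM_MASK_TVALID),
        "aclose": bool(smm_mask & SMM_MASK_ACLOSE),
        "tclose": bool(smm_mask & SMM_MASK_TCLOSE),
        "tseg_base": smm_addr & SEG_FIELD,
        # A contiguous mask of the form 111..1000..0 encodes a power-of-two size.
        "tseg_size": ((~mask_field) & U64) + 1,
    }


def assess(state):
    """Return a list of findings; an empty list means the visible bits look sane."""
    findings = []
    if not state["smm_lock"]:
        findings.append("SmmLock clear: SMM_BASE/SMM_ADDR/SMM_MASK remain writable from ring 0")
    if not state["tseg_valid"]:
        findings.append("TSeg not valid: SMRAM range is not protected from non-SMM access")
    if state["tclose"] or state["aclose"]:
        findings.append("TClose/AClose set outside SMM: data accesses to SMRAM are being redirected")
    return findings


def read_msr(cpu, msr):
    """Read one 64-bit MSR through the Linux msr driver (root required)."""
    with open(f"/dev/cpu/{cpu}/msr", "rb", buffering=0) as f:
        return int.from_bytes(os.pread(f.fileno(), 8, msr), "little")


def check_live_cpus():
    """Decode and assess every CPU's SMM state; the registers are per core, so check each."""
    results = {}
    for path in sorted(glob.glob("/dev/cpu/*/msr")):
        cpu = int(path.split("/")[3])
        try:
            state = decode_smm_state(read_msr(cpu, MSR_HWCR),
                                     read_msr(cpu, MSR_SMM_ADDR),
                                     read_msr(cpu, MSR_SMM_MASK))
        except OSError as exc:   # no msr module, not root, or a hypervisor refusing the read
            results[cpu] = {"error": str(exc)}
            continue
        results[cpu] = {"state": state, "findings": assess(state)}
    return results


# Constructed sample values for an offline run: SmmLock set, an 8 MiB TSeg at
# 0x7F000000 with write-back DRAM type (6 << 12), TValid set, TClose clear.
SAMPLE_HWCR = 0x1
SAMPLE_SMM_ADDR = 0x7F000000
SAMPLE_SMM_MASK = 0xFFFFFFFFFF800000 | (6 << 12) | SMM_MASK_TVALID

if __name__ == "__main__":
    sample = decode_smm_state(SAMPLE_HWCR, SAMPLE_SMM_ADDR, SAMPLE_SMM_MASK)
    print("constructed sample:", sample, assess(sample) or "no findings")
    for cpu, result in check_live_cpus().items():
        print(f"cpu{cpu}:", result)
```

A clean report from this check confirms only that the firmware set up SMRAM and locked the SMM registers; as AMD's statement makes clear, SinkClose affects systems even when SMM Lock is enabled, so the applicable firmware update from AMD's product security bulletin remains the actual mitigation. The check is still useful as a baseline and for catching a platform whose firmware never set SmmLock at all.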
While the SinkClose vulnerability presents a serious risk, AMD has emphasized that exploiting it requires a high level of understanding of the chip architecture, something that only sophisticated threat actors or nation-state adversaries are likely to possess. Additionally, AMD has pointed out that attackers with the necessary skills to execute an SMM bypass attack would already have significant control over the compromised system.
To address this vulnerability, AMD has released mitigation options for its EPYC data center products and Ryzen PC products. A comprehensive list of impacted products and mitigation strategies can be found in AMD’s product security bulletin. Despite the potential dangers posed by the SinkClose flaw, AMD reassures users that with the proper security measures and updates in place, the risk of exploitation can be significantly reduced.
In conclusion, the discovery and remediation of the SinkClose vulnerability in AMD processors highlight the ongoing challenges in ensuring the security of modern processor designs. By promptly addressing such vulnerabilities and providing mitigation options, chip manufacturers like AMD play a crucial role in safeguarding the integrity and security of computing devices worldwide.