Security researchers have discovered a vulnerability that affects almost all AMD CPUs, allowing access to some of the deepest parts of the chip. Named ‘Sinkclose’, the flaw allows attackers that already have kernel-level access to modify SMM (System Management Mode) settings even with existing protections enabled.
Attackers could use the flaw to install malware that would be virtually undetectable, and extremely difficult to remove. However, gaining kernel access in the first place is no easy task, and AMD has already begun releasing fixes for some of the affected chips (via Bleeping Computer).
The vulnerability was discovered by researchers Enrique Nissim and Krzysztof Okupski, two researchers from security services firm IOActive, who presented their findings at this year’s Def Con security conference in Las Vegas over the weekend.
Exploiting the flaw would require attackers to first establish kernel access on a target machine via a different attack method. This level of system access is defined as a Ring 0 privilege and essentially opens up the heart of the system to further attack. If successful, an attacker could then enable Ring -2 privileges to install an undetectable bootkit that compromises the master boot record, meaning that even an OS reinstall would be unable to remove it.
System Management Mode (SMM) is one of the deepest operating modes of an x86 architecture chip and is intended to be used by the BIOS/UEFI for power management, system hardware control and some proprietary OEM-designed code. Once compromised, no antivirus or anti-malware program would be able to detect malicious code running this deep in the heart of the system. To detect it, a user would have to physically connect to the CPU to scan the memory for malware.
AMD has released an advisory notice detailing chips vulnerable to the attack, along with firmware fixes that are being provided to OEMs for BIOS updates to fix the flaw. However, Ryzen 3000, 2000 and 1000 series chips will not receive updates, as AMD told Tom’s Hardware that “there are some older products that are outside our software support window.”
Many of AMD’s most recent processors have already received updates to remove the vulnerability. It’s worth noting that while Kernel-level system access is very difficult to achieve for a would-be-attacker, it’s not impossible—so if you own an AMD CPU and haven’t updated the BIOS in a while, it’d be worth checking with your motherboard manufacturer to make sure you’re completely up-to-date.
Still, it’s data center systems and machines holding very sensitive information that would likely be the targets here, so home users shouldn’t be too concerned.
AMD’s latest Zen 5 9000 series processors like the Ryzen 5 9600X and Ryzen 7 9700X are not included on the list, presumably as they’re using the latest BIOS revisions with the fix already applied. While this flaw might be difficult to leverage, it’s still a pretty nasty way for a system to fall prone to malicious actors, so the usual advice applies—keep your BIOS up-to-date, and your antivirus in tip-top condition to prevent attacks in the first place.