A vulnerability dubbed Sinkclose, present in AMD processors for decades, lets attackers gain access to some of the most privileged parts of a computer.
It lets malware embed itself so deeply in a machine that, in many cases, it could be easier to discard the device than to disinfect it.
The flaw lets attackers run their code in one of an AMD processor's most privileged modes, System Management Mode (SMM), which is meant to be reserved for a protected portion of the system firmware.
Researchers at IOActive warn that the issue affects almost all AMD processors manufactured since 2006, and possibly earlier.
Overview of the AMD Sinkclose Vulnerability
The high-severity vulnerability is tracked as CVE-2023-31315 and carries a CVSS base score of 7.5.
According to AMD's security advisory, improper validation in a model-specific register (MSR) could allow a malicious program with ring 0 access to change the SMM configuration while the SMI lock is active, potentially leading to arbitrary code execution.
Normally, when the CPU is not executing in SMM, the memory controller blocks access to SMRAM, the region of physical memory reserved for SMM code and data, and the firmware sets a lock (SmmLock) at boot so that the SMM configuration cannot be changed afterwards, even by the operating system kernel.
IOActive researchers, however, found a way around this lock: certain AMD model-specific registers that control SMM behaviour remain writable from ring 0 even when the SmmLock flag is set. The issue was reported by Krzysztof Okupski and Enrique Nissim of IOActive.
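The SmmLock bit and the SMRAM window described above live in AMD model-specific registers, and a practitioner's first question is usually "did my firmware actually lock SMM configuration, and where is SMRAM?". The following C program is an added example, not code from the article, IOActive or AMD: it decodes the HWCR, SMM_ADDR and SMM_MASK values and can read them live on Linux through /dev/cpu/0/msr (root, msr module loaded). The MSR numbers and bit layouts are taken from AMD's BKDG/PPR as the author of this example recalls them and should be verified against the PPR for your processor family; the sample values in the comments are constructed. Note that a set SmmLock bit is the normal, expected state and does not mean a system is protected against Sinkclose, which is precisely about registers that stay writable despite that bit; only the vendor firmware/microcode update fixes the issue.

```c
/* Added example (not from the article, IOActive or AMD): decode the AMD MSRs
 * that hold the SMM lock bit and the TSeg SMRAM window, and optionally read
 * them live via /dev/cpu/0/msr on Linux (needs root and `modprobe msr`).
 * MSR numbers and bit positions are from AMD's BKDG/PPR as remembered by the
 * author of this example: verify them against the PPR for your CPU family. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>

#define MSR_HWCR       0xC0010015u          /* Hardware Configuration; bit 0 = SmmLock */
#define MSR_SMM_ADDR   0xC0010112u          /* TSeg base, address bits (assumed 51:17) */
#define MSR_SMM_MASK   0xC0010113u          /* TSeg mask, same bits; bit 0 AValid, bit 1 TValid */
#define SMM_RANGE_BITS 0x000FFFFFFFFE0000ull

/* SmmLock: once firmware sets it, SMM_ADDR/SMM_MASK are supposed to be read-only
 * until reset. Sinkclose concerns SMM-related MSRs that stay writable anyway, so a
 * set bit is necessary but not sufficient; the real fix is the firmware update. */
int hwcr_smmlock_set(uint64_t hwcr) { return (int)(hwcr & 1u); }

uint64_t tseg_base(uint64_t smm_addr) { return smm_addr & SMM_RANGE_BITS; }
uint64_t tseg_mask(uint64_t smm_mask) { return smm_mask & SMM_RANGE_BITS; }
int      tseg_valid(uint64_t smm_mask) { return (int)((smm_mask >> 1) & 1u); }

/* A physical address is inside TSeg SMRAM when (pa & TSegMask) == TSegBase. */
int pa_in_tseg(uint64_t smm_addr, uint64_t smm_mask, uint64_t pa) {
    if (!tseg_valid(smm_mask)) return 0;
    return (pa & tseg_mask(smm_mask)) == tseg_base(smm_addr);
}

/* Window size implied by the mask: its lowest set bit (e.g. mask 0xFF800000 -> 8 MiB). */
uint64_t tseg_size(uint64_t smm_mask) {
    uint64_t m = tseg_mask(smm_mask);
    return m ? (m & (~m + 1)) : 0;
}

/* One-line posture summary from the raw register values. */
const char *smm_posture(uint64_t hwcr, uint64_t smm_mask) {
    if (!tseg_valid(smm_mask)) return "no TSeg SMRAM configured";
    return hwcr_smmlock_set(hwcr)
        ? "SMM config locked (SmmLock=1); still apply the vendor Sinkclose firmware fix"
        : "SMM config NOT locked (SmmLock=0): writable from ring 0 even without Sinkclose";
}

/* Read one MSR from CPU 0 through the Linux msr device; the file offset is the MSR number. */
static int read_msr(uint32_t msr, uint64_t *out) {
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, out, sizeof *out, (off_t)msr);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void) {
    uint64_t hwcr, addr, mask;
    if (read_msr(MSR_HWCR, &hwcr) || read_msr(MSR_SMM_ADDR, &addr) || read_msr(MSR_SMM_MASK, &mask)) {
        fprintf(stderr, "cannot read MSRs: run as root on an AMD Linux system with the msr module loaded\n");
        return 1;
    }
    printf("HWCR=0x%016llx SMM_ADDR=0x%016llx SMM_MASK=0x%016llx\n",
           (unsigned long long)hwcr, (unsigned long long)addr, (unsigned long long)mask);
    printf("TSeg base 0x%llx size 0x%llx\n",
           (unsigned long long)tseg_base(addr), (unsigned long long)tseg_size(mask));
    printf("%s\n", smm_posture(hwcr, mask));
    return 0;
}
```

With constructed values SMM_ADDR=0x7F000000 and SMM_MASK=0xFF800002 (TValid set), the decoder reports an 8 MiB TSeg starting at 0x7F000000, so 0x7F123456 is inside SMRAM and 0x7E000000 is not. On a real machine, a missing TSeg or a clear SmmLock is a firmware misconfiguration worth raising with the vendor regardless of Sinkclose.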
Researchers point out that exploiting the flaw requires an attacker to already have deep access to an AMD-based PC or server (kernel-level, ring 0, privileges), but Sinkclose then lets them plant malicious code far deeper than the kernel.
“An attacker could infect the computer with malware known as a ‘bootkit’ that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity,” IOActive researchers warn.
The researchers warn that malware installed via Sinkclose may be even harder to detect or remove if the computer maker implemented AMD's Platform Secure Boot feature incorrectly, which was the case for the vast majority of the systems they tested.
Such an infection can even survive a reinstallation of the operating system.
“Imagine nation-state hackers or whoever wants to persist on your system. Even if you wipe your drive clean, it’s still going to be there,” says Okupski.
“It’s going to be nearly undetectable and nearly unpatchable.”
According to Okupski, the only way to remove such malware is to open the case, connect directly to the flash chip that holds the firmware with a hardware tool known as an SPI flash programmer, and examine its contents thoroughly.
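Once the firmware has been dumped with an SPI flash programmer, "examining its contents" in practice means comparing the dump against the vendor's known-good image. The C program below is an added example, not code from the article or from IOActive: it walks both images sector by sector (4 KiB is a common erase-sector size; adjust for your part) and reports two kinds of differences, modified content and data written into sectors the vendor image left erased (all 0xFF), the latter being a typical hiding place for an implant. The file names on the command line and the 4 KiB sector size are assumptions, and the sample images built by `demo_diff` are constructed for illustration.

```c
/* Added example (not from the article or IOActive): compare an SPI flash dump
 * against the vendor's known-good firmware image, sector by sector, and flag
 * both modified sectors and sectors that were blank (0xFF) in the vendor image
 * but now contain data. Sector size and file names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define SECTOR_SIZE 4096u   /* assumed erase-sector size; check your flash part */

typedef enum { SECTOR_SAME = 0, SECTOR_MODIFIED = 1, SECTOR_WRITTEN_TO_ERASED = 2 } sector_state;

/* Classify one sector of the dump against the same sector of the reference image. */
sector_state classify_sector(const uint8_t *ref, const uint8_t *dump, size_t n) {
    if (memcmp(ref, dump, n) == 0) return SECTOR_SAME;
    for (size_t i = 0; i < n; i++)
        if (ref[i] != 0xFF) return SECTOR_MODIFIED;
    return SECTOR_WRITTEN_TO_ERASED;   /* reference sector was erased, dump is not */
}

/* Walk both images. Returns the number of differing sectors, or -1 when the sizes
 * differ (a dump that is not the size of the vendor image is itself a finding).
 * Records each sector's state in states[] when given (up to max_states entries). */
long diff_images(const uint8_t *ref, size_t ref_len, const uint8_t *dump, size_t dump_len,
                 size_t sector_sz, sector_state *states, size_t max_states) {
    if (ref_len != dump_len || sector_sz == 0) return -1;
    long differing = 0;
    size_t nsect = (ref_len + sector_sz - 1) / sector_sz;
    for (size_t s = 0; s < nsect; s++) {
        size_t off = s * sector_sz;
        size_t n = (off + sector_sz <= ref_len) ? sector_sz : ref_len - off;
        sector_state st = classify_sector(ref + off, dump + off, n);
        if (states && s < max_states) states[s] = st;
        if (st != SECTOR_SAME) differing++;
    }
    return differing;
}

/* Constructed sample: a 4-sector reference with sectors 1 and 3 erased, and a dump
 * in which sector 1 received 64 new bytes and one bit of sector 2 was flipped.
 * Returns the differing-sector count and splits it into the two categories. */
long demo_diff(long *modified, long *written) {
    static uint8_t ref[4 * SECTOR_SIZE], dump[4 * SECTOR_SIZE];
    for (size_t i = 0; i < sizeof ref; i++) {
        size_t s = i / SECTOR_SIZE;
        ref[i] = (s == 1 || s == 3) ? 0xFF : (uint8_t)(i * 7 + s);
    }
    memcpy(dump, ref, sizeof ref);
    memset(dump + 1 * SECTOR_SIZE, 0x90, 64);   /* data written into erased sector 1 */
    dump[2 * SECTOR_SIZE + 100] ^= 0x01;         /* one-bit change inside sector 2 */
    sector_state st[4];
    long n = diff_images(ref, sizeof ref, dump, sizeof dump, SECTOR_SIZE, st, 4);
    *modified = *written = 0;
    for (int s = 0; s < 4; s++) {
        if (st[s] == SECTOR_MODIFIED) (*modified)++;
        if (st[s] == SECTOR_WRITTEN_TO_ERASED) (*written)++;
    }
    return n;
}

static uint8_t *read_file(const char *path, size_t *len) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    if (sz < 0) { fclose(f); return NULL; }
    uint8_t *buf = malloc((size_t)sz);
    if (buf && fread(buf, 1, (size_t)sz, f) != (size_t)sz) { free(buf); buf = NULL; }
    fclose(f);
    *len = (size_t)sz;
    return buf;
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s vendor.bin dump.bin\n", argv[0]); return 2; }
    size_t rl = 0, dl = 0;
    uint8_t *ref = read_file(argv[1], &rl), *dump = read_file(argv[2], &dl);
    if (!ref || !dump) { perror("read"); return 1; }
    size_t nsect = (rl + SECTOR_SIZE - 1) / SECTOR_SIZE;
    sector_state *st = calloc(nsect ? nsect : 1, sizeof *st);
    long n = diff_images(ref, rl, dump, dl, SECTOR_SIZE, st, nsect);
    if (n < 0) { fprintf(stderr, "size mismatch: %zu vs %zu bytes\n", rl, dl); return 1; }
    for (size_t s = 0; s < nsect; s++)
        if (st[s] != SECTOR_SAME)
            printf("sector %zu @0x%08zx: %s\n", s, s * SECTOR_SIZE,
                   st[s] == SECTOR_MODIFIED ? "MODIFIED" : "WRITTEN INTO ERASED SECTOR");
    printf("%ld of %zu sectors differ\n", n, nsect);
    free(st); free(ref); free(dump);
    return n ? 1 : 0;
}
```

A vendor image will legitimately differ from a dump in a few places (NVRAM variable store, boot counters, logs), so the differing sectors still have to be mapped onto the firmware layout before anything is called an implant; what this tool gives you is a short list of where to look instead of a multi-megabyte blob.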
AMD has acknowledged the issue and says it has released mitigations for Ryzen PC and data center products, with mitigations for AMD embedded products to follow. The company has also published the full list of affected chips.
Mitigations are available for most of its recent processors, including all generations of EPYC data center processors, the newest Threadripper models, and Ryzen processors. However, the company has chosen not to extend these updates to its Ryzen 1000, 2000 and 3000 series processors or its Threadripper 1000 and 2000 models.