The 'Sinkclose flaw' is a deep-system vulnerability that has existed for 18 years. However, it is not easy to exploit.
Researchers have found a vulnerability in AMD CPUs that allows access to the deepest parts of the system. The 'Sinkclose flaw' allows attackers who already have kernel-level privileges to modify SMM settings, even with protections enabled.
Attackers could exploit the flaw to install malware that would be virtually undetectable and extremely difficult for users to remove. AMD has begun to release fixes for some of these chips (via Bleeping Computer); exploiting the flaw is not easy, as it first requires kernel access.
Researchers Enrique Nissim and Krzysztof Okupski of IOActive presented their findings at the Def Con security conference held in Las Vegas this past weekend.
To exploit the flaw, attackers would need to first gain kernel access via a different attack. This level of system privilege is known as Ring 0 and opens the heart of the computer to further attacks. If successful, the attacker could then enable Ring -2 permissions to install a bootkit that compromises the master boot record. This means that even a reinstall of the OS would not be able to remove it.
System Management Mode (SMM), one of the most privileged operating modes on the x86 architecture, is used by the BIOS/UEFI to control system hardware and run some OEM-designed proprietary code. Once compromised, no anti-malware or antivirus program will be able to detect malicious code running deep within the system. To detect it, the user would need to physically connect to the CPU to scan memory for malware.
AMD has released a notice detailing which chips are affected by the vulnerability, along with firmware fixes that are being provided to OEMs so they can update their BIOS to fix the flaw. AMD has told Tom's Hardware, "There are some older products which are outside our software support period."
AMD's latest processors have been updated to remove this vulnerability. While kernel-level access to a system is difficult for an attacker to achieve, it is not impossible. If you own an AMD processor and haven't upgraded the BIOS recently, you should check with your motherboard manufacturer to ensure you're up to date.
Home users shouldn't worry about this, as it's likely that the target is a data center system or machine that holds very sensitive information.
AMD's latest Zen 5 processors, such as the Ryzen 5 and Ryzen 7 9700X, are not on the list. This is because they use the latest BIOS revisions that already have the fix applied. This flaw is not easy to exploit, but it can still make a system vulnerable to malicious actors. The usual advice is to keep your BIOS updated and your antivirus up to date to prevent attacks.
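The advice above boils down to "find out what BIOS build you are running and compare it with what your board vendor has published". The following script is an added example written for this article, not code from AMD, IOActive or Tom's Hardware. It reads the firmware identity Linux exposes under /sys/class/dmi/id, confirms the CPU is AMD from /proc/cpuinfo, and flags a BIOS build dated before a cutoff. The cutoff date (FIX_DATE_CUTOFF) is a placeholder assumption: the article does not give one, so replace it with the patched-BIOS date from your motherboard vendor's own advisory. The DMI date format (MM/DD/YYYY) and the sysfs paths are standard Linux interfaces; everything else is constructed for the example.

```shell
#!/bin/sh
# Added example (not AMD's, IOActive's or the article's own code): report the
# firmware identity of this machine and flag a BIOS build dated before a
# vendor fix date. Only a vendor advisory can say which build is patched;
# this script tells you whether you even need to go and look.

# ASSUMPTION / placeholder: replace with the patched-BIOS date your board
# vendor's advisory gives for the Sinkclose fix. ISO format YYYY-MM-DD.
FIX_DATE_CUTOFF="2024-08-01"

# sysfs reports bios_date as MM/DD/YYYY. Normalise to YYYYMMDD so a plain
# integer comparison works without relying on `date -d` (not portable in sh).
dmi_date_to_key() {
    case "$1" in
        [0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9])
            mm=${1%%/*}; rest=${1#*/}; dd=${rest%%/*}; yyyy=${rest#*/}
            echo "$yyyy$mm$dd" ;;
        *) return 1 ;;
    esac
}

# Cutoff is ISO YYYY-MM-DD; strip the dashes to get the same YYYYMMDD key.
iso_date_to_key() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) echo "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# Exit 0 when the BIOS date is strictly before the cutoff (likely unpatched),
# 1 when it is on or after the cutoff, 2 when either date cannot be parsed.
bios_predates_fix() {
    bios_key=$(dmi_date_to_key "$1") || return 2
    fix_key=$(iso_date_to_key "$2") || return 2
    [ "$bios_key" -lt "$fix_key" ]
}

# Read a DMI field from sysfs; print "unknown" when the file is absent or
# unreadable (typical inside containers or VMs without DMI tables).
dmi_field() {
    f="/sys/class/dmi/id/$1"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# True when /proc/cpuinfo identifies the CPU vendor as AMD.
cpu_is_amd() {
    grep -q '^vendor_id[[:space:]]*:[[:space:]]*AuthenticAMD' /proc/cpuinfo 2>/dev/null
}

# Print a short report; return 0 (dated after cutoff), 1 (predates cutoff),
# or 2 (could not determine) so the script can be used from automation.
report_firmware() {
    if cpu_is_amd; then cpu="AMD"; else cpu="not AMD (or unknown)"; fi
    vendor=$(dmi_field bios_vendor)
    version=$(dmi_field bios_version)
    bdate=$(dmi_field bios_date)
    echo "CPU vendor: $cpu"
    echo "Board:      $(dmi_field board_vendor) $(dmi_field board_name)"
    echo "BIOS:       $vendor $version ($bdate)"
    rc=0; bios_predates_fix "$bdate" "$FIX_DATE_CUTOFF" || rc=$?
    case $rc in
        0) echo "STATUS:     BIOS build predates $FIX_DATE_CUTOFF; check your board vendor for an update"
           return 1 ;;
        2) echo "STATUS:     could not read or parse the BIOS date; verify manually"
           return 2 ;;
        *) echo "STATUS:     BIOS dated on/after $FIX_DATE_CUTOFF; confirm the vendor advisory lists this build as patched"
           return 0 ;;
    esac
}

# Run the report when executed as a script; the `|| :` keeps a non-zero
# status from aborting shells that source this file with `set -e`.
report_firmware || :
```

In automation, call `report_firmware` directly and branch on its return code rather than parsing the printed text; a status of 2 usually means the machine is a VM or container without DMI data, where firmware patching is the host owner's job anyway.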