What is the 'SinkClose' vulnerability?

The 'SinkClose' vulnerability, tracked as CVE-2023-31315, is a high-severity CPU flaw affecting multiple generations of AMD's EPYC, Ryzen, and Threadripper processors. Discovered by IOActive researchers Enrique Nissim and Krzysztof Okupski, this vulnerability could allow attackers with kernel-level (Ring 0) privileges to escalate to Ring -2 privileges, giving them control over the System Management Mode (SMM) of the CPU.

Which AMD processors are affected by the 'SinkClose' vulnerability?

The affected AMD processors include multiple generations of EPYC, Ryzen, Threadripper, Athlon, and AMD Instinct models. Specific models affected include EPYC 1st to 4th generations, Embedded 3000, 7002, 7003, 9003, R1000, R2000, 5000, 7000 series; Ryzen Embedded V1000, V2000, V3000, 3000, 4000, 5000, 7000, 8000 series; Threadripper 3000 and 7000 series including Threadripper PRO; Athlon 3000 series Mobile; and AMD Instinct MI300A series.

What are the potential risks associated with the 'SinkClose' vulnerability?

The 'SinkClose' vulnerability could allow attackers to escalate from kernel-level (Ring 0) privileges to Ring -2 privileges, gaining control over the System Management Mode (SMM) of the CPU. This could enable them to disable security features, install persistent malware that is undetectable and survives OS reinstalls, and bypass critical security mechanisms.

How can the 'SinkClose' vulnerability be mitigated?

AMD has released patches to mitigate the 'SinkClose' vulnerability for EPYC and Ryzen desktop and mobile CPUs. Users are strongly advised to apply these patches as soon as possible to reduce the risk. Additional patches for embedded CPUs are expected soon.

How long has the 'SinkClose' vulnerability existed?

The 'SinkClose' vulnerability has existed undetected for nearly 20 years before it was discovered by security researchers from IOActive.

Advisory

Researchers report on "SinkClose" flaw in AMD CPUs enabling install of persistent malware

published: Aug. 9, 2024

Take action: Not a terribly urgent patch, but still a wise update - especially if you are in an industry that can be targeted by state sponsored hackers who have an interest of persisting in your systems for a long time. It's a firmware level update, so back up your data and run the firmware update

Learn More

AMD has issued a patch regarding a high-severity CPU vulnerability known as "SinkClose," which affects multiple generations of its EPYC, Ryzen, and Threadripper processors.

The flaw, tracked as CVE-2023-31315 (CVSS score 7.5), was discovered by security researchers Enrique Nissim and Krzysztof Okupski from IOActive. The vulnerability has existed undetected for nearly 20 years and could potentially allow attackers with kernel-level (Ring 0) privileges to escalate to Ring -2 privileges, gaining control over the System Management Mode (SMM) of the CPU.

While the exploit requires that a hacker has already compromised the current OS, it could enable attackers to disable security features and install virtually undetectable persistent malware on affected devices that would persist even if the OS is reinstalled.

Ring -2 is a highly privileged level associated with modern CPUs' System Management Mode, which manages low-level operations such as power management, hardware control, and security, and is typically isolated from the operating system to prevent tampering. The SinkClose vulnerability, however, allows malicious actors to modify SMM settings even when the SMM Lock is enabled, bypassing this critical security mechanism.

The affected AMD CPU models include:

EPYC: 1st to 4th generations, Embedded 3000, 7002, 7003, 9003, R1000, R2000, 5000, and 7000 series.
Ryzen: Embedded V1000, V2000, V3000, 3000, 4000, 5000, 7000, 8000 series, and the corresponding Mobile versions.
Threadripper: 3000 and 7000 series, including Threadripper PRO.
Athlon: 3000 series Mobile (Dali, Pollock).
AMD Instinct: MI300A series.

AMD has already released mitigations for EPYC and Ryzen desktop and mobile CPUs, with further patches for embedded CPUs expected soon.

AMD advises users to apply the latest patches as soon as possible to mitigate the risk associated with this vulnerability.

Update - as of 21st of August 2024, AMD has reversed its initial decision and will provide a patch for Ryzen 3000 desktop processors to address the Sinkclose vulnerability, though older processors will not receive a fix. The Sinkclose vulnerability affects most AMD processors from the past 18 years, including Ryzen and Epyc chips.

Researchers report on "SinkClose" flaw in AMD CPUs enabling install of persistent malware

Read More
Hackers abuse outdated D-Link routers for botnets
VMware releases patch for Workstation, Fusion and ESXi …
Google releases November 2024 Android Update, fixes actively …
Critical security vulnerability patched in qBittorrent
Active GithHub Phishing campaign impersonating GitHub Recruitment