Decades-Old Security Flaw in AMD Processors Threatens Millions of Devices

Security flaws in computer firmware have long been a significant concern, particularly because this deep-seated code controls the system’s boot process and is a prime target for stealthy cyberattacks.

Typically, such vulnerabilities are confined to specific devices, but researchers have uncovered a critical flaw in AMD processors that spans hundreds of millions of PCs and servers. This flaw, which has persisted for decades, could allow malware to embed itself so deeply within a computer’s memory that it might be easier to discard the affected device than to cleanse it.

The vulnerability, dubbed “Sinkclose” by security researchers Enrique Nissim and Krzysztof Okupski of IOActive, is set to be presented at the Defcon hacker conference.

This flaw enables attackers to execute their code within the System Management Mode (SMM) of AMD processors, a highly privileged execution mode meant to be reserved for a protected section of the firmware. The flaw affects nearly all AMD chips produced since 2006, making it a widespread and significant security issue.

Exploiting the Sinkclose vulnerability requires hackers to have substantial access to a system initially. However, once they achieve this, they can plant malware deep within the system, creating what’s known as a “bootkit.”

This type of malware is particularly insidious because it evades detection by antivirus software and is invisible to the operating system. Moreover, on systems with certain misconfigurations, this malware could be nearly impossible to detect or remove, potentially surviving even after the operating system is reinstalled.

The removal of such deeply embedded malware is an extremely complex and difficult process. According to the researchers, it would involve physically accessing the computer’s memory chips using specialized hardware tools to manually remove the threat.

The complexity of this process makes it more practical, in some cases, to discard the infected computer altogether, as the malware would be almost impossible to eradicate.

AMD has acknowledged the Sinkclose vulnerability and has expressed its appreciation to IOActive for their research. The company has already released mitigation measures for some of its products, such as the AMD EPYC datacenter and AMD Ryzen PC products, with more fixes expected to be released soon.

However, AMD has not provided specific details on how it plans to address the vulnerability across all affected devices or given a clear timeline for when these fixes will be available.

Although AMD points out that exploiting the Sinkclose flaw is challenging—requiring attackers to have kernel-level access—the researchers argue that this access is not as difficult to obtain as it may seem.

Vulnerabilities that allow for kernel-level access in Windows and Linux systems are regularly exposed, and sophisticated attackers likely already possess the tools needed to exploit Sinkclose once they have initial access to a system.

The Sinkclose technique leverages an obscure feature in AMD chips known as TClose. This feature is intended to maintain compatibility with older devices but inadvertently allows attackers to manipulate memory addresses, tricking the processor into executing their code within the highly privileged SMM level.

The discovery of this vulnerability came after the researchers spent extensive time studying AMD’s documentation, ultimately leading to a breakthrough after months of meticulous analysis.

To mitigate the risk posed by the Sinkclose vulnerability, users are advised to apply patches as soon as they become available. For Windows systems, these patches are expected to be included in future updates distributed by Microsoft, while servers, embedded systems, and Linux machines may require more manual updates.

Although the researchers have agreed to delay the release of their proof-of-concept code to allow AMD time to issue fixes, they emphasize the importance of patching systems promptly, as sophisticated hackers could potentially develop similar exploits.

Michael Manua
Michael, a seasoned market news expert with 29 years of experience, offers unparalleled insights into financial markets. At 61, he has a track record of providing accurate, impactful analyses, making him a trusted voice in financial journalism.