Researchers at IOActive have discovered a critical security vulnerability that has been present in hundreds of millions of AMD processors since 2006. Nicknamed “SinkClose”, the vulnerability allows attackers to execute malicious code in one of the most privileged modes of the processor, known as System Management Mode (SMM), which should be reserved only for specific, protected parts of the firmware.
If this flaw is exploited, it can make removing malware extremely difficult and may require a complete wipe of the computer.
Weakness details
Exploiting this flaw could allow attackers to plant a bootkit, a type of malware that loads with the system from startup and becomes practically invisible to the operating system and antivirus tools.
The flaw takes advantage of an obscure feature of AMD processors known as “TClose.” This feature, combined with a protection mechanism called “TSeg,” prevents operating systems from writing to a protected portion of memory known as “System Management Random Access Memory” (SMRAM). However, by exploiting the memory remapping performed by “TClose,” hackers can redirect SMM code to execute malicious commands.
The discovery was made by Enrique Nissim and Krzysztof Okupski, who plan to present the flaw at the Defcon hacker conference. According to the researchers, SinkClose affects almost all AMD processors released in the last two decades.
Impact and difficulty of correction
Although exploiting SinkClose requires the attacker to already have access to the operating system kernel, the researchers warn that attacks of this type are common on Windows and Linux systems, which highlights the severity of the flaw. On devices with specific configurations, such as those using AMD’s Platform Secure Boot, the malware can be more difficult to detect and remove, even after a complete reinstall of the operating system.
In a memo, AMD acknowledged the flaw and said it had already rolled out mitigation options for its EPYC products, which target servers and data centers, and for its Ryzen processors, which are used in personal computers. The company also noted that updates for embedded products, such as industrial devices and automotive, would be rolled out soon.
However, AMD has not provided details on how it intends to patch the vulnerability on all affected devices.
Recommendation for users
To protect themselves, users are advised to apply the security updates provided by their manufacturers immediately. On Windows systems, fixes are expected to be incorporated into future operating system updates. For Linux servers and systems, updates may be more fragmented and require manual steps.
Despite the complexity of the SinkClose vulnerability, IOActive warns that sophisticated hackers can quickly find ways to exploit this vulnerability, making a fix urgent for all affected systems.
A technology journalist for nearly 20 years, he writes texts, articles, columns and reviews and has experience covering some of the world’s biggest tech events, such as BGS, CES, Computex, E3 and IFA.