Researchers Uncover Decades-Old Vulnerability in AMD Chips

The flaw, named "Sinkclose," allows attackers to embed malware deep within a computer's memory, posing significant challenges for detection and removal.

Security flaws in computer firmware, the underlying code that loads when a machine powers on and controls the booting of its operating system, have long been a target for hackers seeking a covert entry point. Typically, such vulnerabilities are found in the firmware of specific computer manufacturers. However, security researchers have now discovered a flaw that resides in the chips found in hundreds of millions of PCs and servers, posing a widespread threat.

At the Defcon hacker conference, Enrique Nissim and Krzysztof Okupski from the security firm IOActive are set to reveal a vulnerability in AMD chips, dubbed "Sinkclose." This flaw allows attackers to execute their own code within the highly privileged System Management Mode (SMM) of an AMD processor, which is meant to be reserved for a protected portion of its firmware. The researchers warn that this vulnerability affects nearly all AMD chips dating back to 2006, possibly even earlier.

Nissim and Okupski explain that for an attacker to exploit the Sinkclose flaw, they must already have deep access to an AMD-based PC or server. However, once access is obtained, the flaw enables them to plant malicious code even deeper. For machines equipped with the vulnerable AMD chips, attackers could install malware known as a “bootkit” that evades antivirus tools, remains hidden from the operating system, and grants the hacker full control over the machine's activities. The researchers note that for systems with certain faulty configurations, particularly in how a computer maker implemented AMD's Platform Secure Boot feature, detecting and removing such malware could be extremely difficult, potentially surviving even a reinstallation of the operating system.

"Imagine nation-state hackers or whoever wants to persist on your system. Even if you wipe your drive clean, it's still going to be there," says Okupski. "It's going to be nearly undetectable and nearly unpatchable." The only way to remove the malware, Okupski explains, would be to physically open the computer, connect directly to its memory chips with a hardware-based programming tool known as an SPI Flash programmer, and meticulously inspect the memory.

Nissim adds, "You basically have to throw your computer away."

In response, AMD acknowledged IOActive's findings, expressed gratitude to the researchers, and announced that it has released mitigation options for its AMD EPYC datacenter products and AMD Ryzen PC products, with mitigations for AMD embedded products forthcoming. For its EPYC processors, which are designed for data-center servers, AMD stated that patches were issued earlier this year. The company, however, declined to provide specific details on how it plans to address the Sinkclose vulnerability or the exact timeline for patching affected devices.

In a background statement, AMD emphasized the complexity of exploiting the Sinkclose vulnerability, noting that a hacker would need access to a computer's kernel, the core of its operating system. AMD compared the technique to accessing a bank's safe-deposit boxes after bypassing its alarms, guards, and vault door.

Nissim and Okupski argue that while the exploit requires kernel-level access, such vulnerabilities are routinely exposed in Windows and Linux systems. They point out that state-sponsored hackers likely already possess the tools necessary to exploit these vulnerabilities, whether known or unknown. "People have kernel exploits right now for all these systems," says Nissim. "They exist and they're available for attackers. This is the next step."

The Sinkclose technique takes advantage of an obscure feature in AMD chips called TClose. TSeg, a safeguard in AMD-based machines, prevents operating systems from writing to a protected part of memory reserved for System Management Mode, known as System Management Random Access Memory (SMRAM). The TClose feature, however, allows compatibility with older devices by remapping other memory to SMRAM addresses. Nissim and Okupski discovered that they could use this TClose feature to trick the SMM code into executing their own code at the privileged SMM level.

"I think it's the most complex bug I've ever exploited," says Okupski.

The researchers, who specialize in low-level code security, began investigating AMD's architecture two years ago, noticing that it had received less scrutiny than Intel's, despite its growing market share. They found the critical TClose edge case by thoroughly examining AMD's documentation. "I think I read the page where the vulnerability was about a thousand times," says Nissim. "And then on one thousand and one, I noticed it." They reported the flaw to AMD in October last year and waited nearly ten months before disclosing it publicly to allow AMD time to prepare a fix.

For users, Nissim and Okupski recommend applying patches as soon as they become available. They expect that for Windows machines, the majority of affected systems, patches will be integrated into updates from computer manufacturers and distributed by Microsoft. Patches for servers, embedded systems, and Linux machines may require manual installation and vary depending on the Linux distribution.

Nissim and Okupski have agreed not to release any proof-of-concept code for their Sinkclose exploit for several months to give AMD more time to address the issue. Despite any attempts to downplay the difficulty of exploiting Sinkclose, the researchers urge users to apply patches promptly. Sophisticated hackers may have already discovered the technique or could do so after the findings are presented at Defcon.

"If the foundation is broken," says Nissim, "then the security for the whole system is broken."