
Experts Find Sinkclose Bug in Millions of AMD Processors, Hard to Patch

A recently discovered major security flaw called 'Sinkclose' affects virtually all AMD processors released since 2006. The vulnerability allows threat actors to infiltrate a system so deeply that the resulting malware is difficult to identify and eliminate. According to experts, the problem is serious: in some cases it would be easier to discard the system than to clean it.

About the Sinkclose Bug

There is a positive side, however: since the flaw went unnoticed for 18 years, chances are it has not been exploited. Additionally, AMD is patching its platforms to protect the affected processors, although not all of them have received a patch yet. See this list for full details.

Sinkclose is notable for evading antivirus tools and persisting even after the OS is reinstalled. The bug allows threat actors to execute code within the AMD processors' SMM (System Management Mode), a privileged region reserved for critical firmware operations. To use the flaw, threat actors must first gain access to the system's kernel, which is difficult but doable; in other words, the system must already have been compromised by some other attack.

Persistent Threat

After securing that access, the Sinkclose vulnerability lets attackers install bootkit malware that escapes detection by antivirus tools, stays hidden within the system, and persists even after the OS is reinstalled.

The flaw abuses a feature in AMD chips called TClose, which maintains compatibility with older devices. By exploiting this feature, the researchers were able to redirect the processor to execute their code at the SMM level. The process is complicated, but it leaves attackers with deep access to and control over the device.

Flaw Needs Kernel-level Access

Cybersecurity researchers Krzysztof Okupski and Enrique Nissim from IOActive found the Sinkclose vulnerability and will present it at the Defcon conference. "To take advantage of the vulnerability, a hacker has to already possess access to a computer's kernel, the core of its operating system," AMD told Wired.

Experts point out that although the Sinkclose exploit needs kernel-level access, flaws at that level are regularly found in both Linux and Windows systems. Advanced state-sponsored hackers might already have what it takes to chain such flaws with Sinkclose.

Experts suggest that kernel exploits are readily available, which makes Sinkclose a second stage for threat actors. To eliminate the resulting malware, one must open the computer, connect to a particular part of its memory using an SPI flash programmer, carefully inspect that memory, and then remove the malware.