Security researchers at IOActive have uncovered a significant vulnerability in AMD processors that could allow malicious actors to install persistent, hard-to-detect malware capable of surviving even a complete reformat and reinstall of the system.
The vulnerability, dubbed “Sinkclose,” exploits a feature within AMD CPUs’ System Management Mode (SMM). This mode, designed to handle critical system-wide functions such as power management and hardware control, operates with elevated permissions independently of the main operating system.
Key points about the Sinkclose vulnerability:
- Exploitation method: Malicious actors can potentially exploit the SMM to install malware directly into the CPU firmware, bypassing the operating system entirely.
- Persistence: Because it lives in the CPU firmware, the malware can survive traditional removal methods, including complete system formatting.
- Detection: The malware’s unusual placement makes it difficult for conventional antivirus software to detect.
- Age: IOActive researchers noted that this semiconductor-level problem appears to have gone unnoticed for nearly two decades.
The discovery of Sinkclose raises severe concerns about the security of systems using affected AMD processors. It highlights the need for more robust security measures at the hardware level and underscores the importance of ongoing security research into fundamental computer architecture.
AMD has not yet released an official statement regarding the Sinkclose vulnerability. However, the cybersecurity community anticipates that the company will need to develop and distribute firmware updates to address this issue.
AMD already has a fix ready
AMD has been working on a solution for the “Sinkclose” vulnerability since it was first reported to the company in October. Last week, AMD started rolling out the fix to Ryzen and EPYC processors, but the update’s availability will depend on motherboard manufacturers and Microsoft.
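Because the fix ships through motherboard vendors and operating-system updates rather than as a single patch, the first practical step for a defender is an inventory: which hosts carry AMD packages, and which CPU family, model, microcode revision and BIOS version they report, so each can be compared against the vendor advisory. The script below is an added example written for this article; it is not code from IOActive or AMD. It parses the Linux /proc/cpuinfo format and the DMI BIOS version from sysfs; the embedded cpuinfo text is constructed sample data, and the comparison against the advisory's affected-model and fixed-firmware tables is left to the reader, since those tables are not reproduced here.

```python
"""Inventory check for the AMD firmware fix rollout described in the article.

Added example, not code from the article, IOActive or AMD. Parses the Linux
/proc/cpuinfo format and the DMI BIOS version; SAMPLE_CPUINFO is constructed
sample data. Which family/model/microcode combinations are fixed must be
checked against the vendor advisory, which this script does not embed."""

import re
from pathlib import Path

# Constructed sample of /proc/cpuinfo (two logical CPUs on one package).
# Values are illustrative and do not describe any real host.
SAMPLE_CPUINFO = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
model name\t: AMD Ryzen 9 5950X 16-Core Processor
microcode\t: 0xa201016
physical id\t: 0

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
model name\t: AMD Ryzen 9 5950X 16-Core Processor
microcode\t: 0xa201016
physical id\t: 0
"""


def parse_cpuinfo(text):
    """Return one record per physical package: vendor, family, model, microcode."""
    packages = {}
    # /proc/cpuinfo separates logical CPUs with a blank line.
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        pid = fields.get("physical id", "0")
        # Keep the first logical CPU seen for each package; siblings repeat it.
        packages.setdefault(pid, {
            "vendor": fields.get("vendor_id", ""),
            "family": int(fields.get("cpu family", "0")),
            "model": int(fields.get("model", "0")),
            "name": fields.get("model name", ""),
            "microcode": fields.get("microcode", ""),
        })
    return list(packages.values())


def needs_review(package):
    """AMD packages need their firmware status checked against the advisory."""
    return package["vendor"] == "AuthenticAMD"


def bios_version(sysfs_root="/sys/class/dmi/id"):
    """Read the DMI BIOS version, which is what the motherboard vendor updates."""
    try:
        return (Path(sysfs_root) / "bios_version").read_text().strip()
    except OSError:
        return "unknown"


def report(text=None):
    """Build one summary line per package from cpuinfo text (or the live file)."""
    if text is None:
        text = Path("/proc/cpuinfo").read_text()
    lines = []
    for pkg in parse_cpuinfo(text):
        status = ("AMD: verify vendor advisory / BIOS update"
                  if needs_review(pkg) else "not AMD")
        lines.append(f"{pkg['name']} family={pkg['family']} model={pkg['model']} "
                     f"microcode={pkg['microcode']} -> {status}")
    return lines


if __name__ == "__main__":
    # Run against the constructed sample; pass report() no argument on a live host.
    for line in report(SAMPLE_CPUINFO):
        print(line)
    print("BIOS version:", bios_version())
```

On a fleet, collect the output of report() and bios_version() per host and join it against the vendor's advisory tables; the family and model numbers are decimal here, so convert when the advisory lists them in hexadecimal.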
AMD acknowledged the issue’s seriousness but reassured users that exploiting the flaw is quite difficult. IOActive researchers supported this assessment, explaining that the vulnerability involves a little-known AMD feature called TClose, and that an attacker would need physical access to the computer and the ability to manipulate the kernel in order to exploit it.
However, IOActive warns that while these requirements may prevent most hackers, they are not enough to stop highly skilled attackers, such as those backed by governments.