AMD Warns of High-Severity CPU Vulnerability ‘SinkClose’

August 9, 2024

AMD has issued a warning about a serious CPU vulnerability named SinkClose, affecting its EPYC, Ryzen, and Threadripper processors. The flaw allows threat actors who already hold kernel-level (Ring 0) privileges to escalate to Ring -2 and install virtually undetectable malware. Ring -2 is one of the highest privilege levels on a computer, operating above Ring -1 (used for hypervisors and CPU virtualization) and Ring 0, the privilege level used by an operating system's kernel.

The Ring -2 privilege level is associated with the System Management Mode (SMM) feature of modern CPUs. SMM handles essential low-level operations such as power management, hardware control, and security, which are crucial for system stability. Given its high privilege level, SMM is isolated from the operating system to protect it from being easily targeted by threat actors and malware.

The vulnerability, tracked as CVE-2023-31315 and rated high severity (CVSS score: 7.5), was discovered by IOActive's Enrique Nissim and Krzysztof Okupski, who named the privilege elevation attack 'Sinkclose.' The researchers have revealed that Sinkclose went undetected for almost two decades, impacting a wide range of AMD chip models.

The SinkClose flaw allows threat actors with kernel-level access to alter System Management Mode settings, even when SMM Lock is enabled. It could be exploited to disable security features and implant persistent, virtually undetectable malware on a device. Because Ring -2 is isolated from and invisible to the OS and hypervisor, malicious changes made at this level cannot be detected or remedied by security tools running within the OS.

According to AMD's advisory, a range of models are affected by this vulnerability. AMD has already released mitigations for its EPYC and Ryzen desktop and mobile CPUs, with further fixes for embedded CPUs to be released later. In a statement, AMD noted that kernel-level access is a prerequisite for executing the Sinkclose attack, emphasizing the difficulty of exploiting CVE-2023-31315 in real-world scenarios.

However, IOActive has countered this by stating that kernel-level vulnerabilities, while not widespread, are not uncommon in sophisticated attacks. Advanced Persistent Threat (APT) actors, like the North Korean Lazarus group, have been known to use BYOVD (Bring Your Own Vulnerable Driver) techniques or even exploit zero-day Windows flaws to escalate their privileges and gain kernel-level access. Ransomware gangs and social engineering specialists like Scattered Spider also use BYOVD tactics.

Given these factors, Sinkclose could pose a significant threat to organizations using AMD-based systems, particularly from state-sponsored and sophisticated threat actors, and should not be overlooked.
