Socialpost

Complete News World

CPU Vulnerability in AMD Processors Allows Malware to Infect

IT security experts Enrique Nissim and Krzysztof Okupski described and demonstrated a serious vulnerability in AMD processors on Saturday at Defcon 2024 in Las Vegas. It affects all AMD processors from at least the past 10 years (up to Ryzen 7000). That amounts to hundreds of millions of AMD chips, which appear to be insecure without deep firmware changes and provide entry points for malware.

The malware usually does not appear in the manufacturer's firmware, but in the worst case it is activated as part of the boot process after the firmware has started. In this case, the vulnerability directly affects the processor level of computers or servers and sits ahead of the subsequent system layers. The vulnerability is said to enable attackers to run programs in the so-called System Management Mode (SMM). This mode has special system privileges and allows the injected malware to hide from the operating system and other applications.

This vulnerability, also known as SinkClose, was discovered years ago by two security researchers at IOActive. Traditional malware defense methods cannot address this vulnerability. Such malware infections are difficult to detect and require significant effort to remove. Even reinstalling the operating system is not enough. This security hole can only be closed by updating the firmware at the hardware level.

A few days ago, Nissim and Krzysztof Okupski explained the security issue to the public at the Defcon 32 hacker conference in Las Vegas and gave a detailed description of it in a Defcon lecture. The two experts told Wired that they reported the vulnerability to AMD in October 2023. They explained the long wait from the discovery of the bug to its publication by saying that they wanted to give AMD time to work on a fix.

In response to this announcement, AMD offers the reassurance that this vulnerability is very difficult to exploit. To do so, attackers would need to have access to the affected computers or servers in order to manipulate the devices and gain access to the kernel. AMD likens the SinkClose technique to the method of gaining access to secured bank vaults. But this hurdle does not matter if the devices are tampered with at an early stage, for example by fake companies that supply them. In such cases, the affected computers have already been compromised before they are used for the first time.

Despite its undramatic classification of this vulnerability, AMD has now responded. The security bulletin for CVE-2023-31315 makes clear that firmware updates are planned for many Epyc, Athlon, and Ryzen CPUs, but not for all: the Ryzen 3000 series, for example, is not scheduled to receive any updates according to AMD's current list. Patches for October 2024 have been announced for other processors, and AMD is already providing the release numbers of the cleaned-up firmware versions for some of them. However, hardware manufacturers still have to include them in their packages as BIOS updates and get them out to customers.

A similar bug led to the complete replacement of the Bundestag's computers in May 2015, heise online reported. At the time, attackers infected computers in the offices of several lawmakers with spyware, including those in Chancellor Angela Merkel's Bundestag office. A report by Bleeping Computer also cites several examples of similar cyberattacks where attackers gained access to devices. They used, among other things, vulnerabilities in anti-cheat tools, graphics drivers, security tool drivers, and many other kernel-level drivers.


(Osz)