Researchers from IOActive have discovered a critical vulnerability in AMD processors that allows hackers to introduce virtually uninstallable malware. The problem affects millions of computers and servers around the world, Wired reports.
A vulnerability dubbed Sinkclose was discovered in the system management mode (SMM) of AMD processors. This mode has high privileges and is designed to perform critical system functions. Attackers can use Sinkclose to inject malicious code into the deepest layers of the firmware by changing the SMM configuration, making it nearly impossible to detect and remove.
Enrique Nissim and Krzysztof Okupski of IOActive, who discovered the vulnerability, plan to talk about it in detail at the Defcon hacker conference tomorrow. According to them, Sinkclose affects almost all AMD processors released since 2006, and possibly earlier.
The researchers warn that hackers would need a certain level of access to an AMD-based computer or server to exploit the vulnerability, but then Sinkclose would give them the ability to inject malicious code even deeper. On most tested systems where the Platform Secure Boot security feature is not properly implemented, a virus installed through Sinkclose will be almost impossible to detect and eliminate, even after reinstalling the operating system.
“Imagine that hackers from intelligence agencies or someone else want to gain a foothold in your system. Even if you completely wipe the hard drive, the virus will still remain,” Okupski says. According to him, the only way to remove such a virus is to physically connect to the computer’s flash memory using an SPI flash programmer and carefully scan it. “The worst case scenario is that you just have to throw the computer away,” Nissim sums up.
In a statement to Wired, AMD confirmed the IOActive find, thanking the researchers and saying that it has already released patches for EPYC and Ryzen processors, and patches for embedded systems will be released soon. However, AMD did not disclose details about how exactly the Sinkclose vulnerability will be fixed and for which devices.
At the same time, AMD emphasizes the difficulty of exploiting this vulnerability, since an attacker must already have access to the operating system kernel. Nissim and Okupski counter that for experienced hackers, gaining such access is not a problem, thanks to regularly appearing bugs in Windows and Linux.
The researchers warn that although they will not publish exploit details at the Defcon presentation, experienced hackers may be able to work out how the technique operates from it, so users are advised to install AMD’s patches as soon as they become available.
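Because the fix is delivered as firmware and microcode updates rather than an OS patch, the first thing a defender needs is an inventory of which AMD family, model and microcode revision each machine runs, and which BIOS build it carries, so the values can be compared against the vendor advisory. The following POSIX shell script is an added example (not from the article, IOActive or AMD) that pulls those identifiers out of /proc/cpuinfo-format text and the sysfs DMI fields on Linux; the embedded cpuinfo sample is constructed for illustration and does not reflect any particular patched or unpatched system.

```shell
#!/bin/sh
# Added example: collect the CPU and firmware identifiers needed to check a
# machine against an AMD firmware advisory. Not from the article or IOActive.

# Constructed sample in /proc/cpuinfo format (illustrative values only).
SAMPLE_CPUINFO='processor : 0
vendor_id : AuthenticAMD
cpu family : 25
model : 33
model name : AMD Ryzen 9 5950X 16-Core Processor
microcode : 0xa201016
processor : 1
vendor_id : AuthenticAMD
cpu family : 25
model : 33
model name : AMD Ryzen 9 5950X 16-Core Processor
microcode : 0xa201016'

# sample_cpuinfo_file: write the constructed sample to a temp file, print its path.
sample_cpuinfo_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_CPUINFO" > "$f"
    printf '%s\n' "$f"
}

# cpuinfo_field FILE KEY: value of KEY for the first logical CPU in FILE.
# The anchored match keeps "model" from also matching "model name".
cpuinfo_field() {
    awk -F': *' -v key="$2" '$1 ~ "^"key"[ \t]*$" { print $2; exit }' "$1"
}

# is_amd FILE: succeed only if the first CPU reports an AMD vendor string.
is_amd() {
    [ "$(cpuinfo_field "$1" vendor_id)" = "AuthenticAMD" ]
}

# cpu_summary FILE: one line with family and model in decimal and hex
# (AMD advisories list families in hex, e.g. 19h) plus the loaded microcode.
cpu_summary() {
    fam=$(cpuinfo_field "$1" "cpu family")
    mod=$(cpuinfo_field "$1" model)
    ucode=$(cpuinfo_field "$1" microcode)
    printf 'family=%s (0x%x) model=%s (0x%x) microcode=%s\n' \
        "$fam" "$fam" "$mod" "$mod" "$ucode"
}

# bios_summary: vendor, version and date from sysfs DMI, or "unavailable"
# when not running on Linux with readable DMI data.
bios_summary() {
    d=/sys/class/dmi/id
    if [ -r "$d/bios_version" ]; then
        printf 'bios=%s %s (%s)\n' \
            "$(cat "$d/bios_vendor" 2>/dev/null)" \
            "$(cat "$d/bios_version")" \
            "$(cat "$d/bios_date" 2>/dev/null)"
    else
        printf 'bios=unavailable\n'
    fi
}

# Use the live /proc/cpuinfo when present, otherwise the constructed sample.
if [ -r /proc/cpuinfo ]; then
    CPUINFO=/proc/cpuinfo
else
    CPUINFO=$(sample_cpuinfo_file)
fi

if is_amd "$CPUINFO"; then
    cpu_summary "$CPUINFO"
    bios_summary
else
    echo "not an AMD CPU: $(cpuinfo_field "$CPUINFO" vendor_id)"
fi
```

Run it on each host and compare the family/model pair and the BIOS version and date against the entries in AMD’s advisory; a microcode revision only tells you what the OS loaded at boot, so the BIOS build date is the better indicator of whether the firmware-level fix has actually been applied.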