Researchers Uncover Vulnerability in AMD Processors
Researchers from Ioactive revealed a vulnerability (CVE-2023-31315) in AMD processors that allows for privileged local access to the system. This vulnerability enables the configuration of System Management Mode (SMM, Ring -2) to be changed, even when the SMM Lock blocking mechanism is turned on. Additionally, it potentially allows for code execution at the SMM level, providing unlimited access to all system memory.
The vulnerability, known as Sinkclose, is caused by improper verification of Model Specific Registers (MSR). The SMM area, designated for physical memory pages with restricted access, can be circumvented through manipulation of specific MSR registers, despite the activation of SMM Lock mode.
The exploit can escalate privileges from the zero protection ring, where the operating system’s kernel operates. This can be utilized to persistently maintain presence after exploiting other system vulnerabilities or employing social engineering tactics. Due to the lack of monitoring and control over code execution at the SMM level, attackers can modify firmware, embed hidden malicious code, bypass boot stage verification, and evade integrity checks of hypervisors.
The vulnerability affects a range of AMD processors including Epyc (1-4 generations), Ryzen (R1000, R2000, 3000-8000, V1000, V2000, V3000), Athlon 3000, and Threadripper Pro. Microcode updates to mitigate the vulnerability have been released for mobile and desktop EPYC and RYZEN CPUs, with updates for built-in CPU models scheduled for October. To remove malicious code injected through an SMM attack, memory must be cleared using a physically connected SPI Flash programmer.