AMD Exclusive … Bootkit. Meet Sinkclose.

The Bastard Offspring Of Sinkhole And TClose

Sadly backwards compatibility has struck again, this time with an attack leveraging AMD’s TClose feature, which is designed to ensure compatibly with ancient devices that use the same memory addresses as SMRAM.  The reason it has remained is mostly because of System Management Mode which allows your UEFI to talk with TPM, automatically shut down an overheating CPU, USB legacy support and a variety of other system functions that run before the OS wakes up.  It has existed since 386 systems were a thing, and if not properly implemented and secured can be leveraged to infect a machine in such a way as to make it almost impossible to fix.

Almost every AMD chip, EPYC and consumer alike, could be vulnerable to Sinkclose if left unpatched.  Many AMD platforms already have Platform Initialization firmware updates available, though there is a delay for many embedded EPYC solutions.  The good news, such as it is, is that an attacker has to have already gained access to the OS kernel on a machine to be able to use Sinkhole and trick a system into executing malicious code at the highly privileged SMM level.  This is sadly not impossible to achieve but does limit the ability for nefarious actors to leverage the exploit, regardless you should patch as soon as possible.

If a system is infected, the only solution apart from tossing the motherboard is to grab a SPI Flash programmer, connect it to the memory on the motherboard and meticulously scrub the contents.