AMD Exclusive … Bootkit. Meet Sinkclose.

Source: Ars Technica AMD Exclusive … Bootkit.  Meet Sinkclose.

The Bastard Offspring Of Sinkhole And TClose

Sadly, backwards compatibility has struck again, this time with an attack leveraging AMD's TClose feature, which is designed to ensure compatibility with ancient devices that use the same memory addresses as SMRAM.  The reason it has remained is mostly because of System Management Mode (SMM), which allows your UEFI firmware to talk to the TPM, automatically shut down an overheating CPU, provide USB legacy support and handle a variety of other system functions that run before the OS wakes up.  It has existed since 386 systems were a thing, and if not properly implemented and secured it can be leveraged to infect a machine in such a way as to make it almost impossible to fix.

Almost every AMD chip, EPYC and consumer alike, could be vulnerable to Sinkclose if left unpatched.  Many AMD platforms already have Platform Initialization firmware updates available, though there is a delay for many embedded EPYC solutions.  The good news, such as it is, is that an attacker has to have already gained access to the OS kernel on a machine to be able to use Sinkclose and trick a system into executing malicious code at the highly privileged SMM level.  This is sadly not impossible to achieve, but it does limit the ability of nefarious actors to leverage the exploit.  Regardless, you should patch as soon as possible.

If a system is infected, the only solution apart from tossing the motherboard is to grab an SPI flash programmer, connect it to the flash memory chip on the motherboard and meticulously scrub the contents.

“I think it's the most complex bug I've ever exploited,” says Okupski.


About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.

