CPU vulnerability in AMD processors allows malware infections
Security researchers have discovered a security vulnerability known as Sinkclose in AMD CPUs and presented it at Defcon 32 in Las Vegas.
Almost all Ryzen and Epyc CPUs from AMD are affected by "Sinkclose".
(Image: Mark Mantel / heise online)
The two IT security experts Enrique Nissim and Krzysztof Okupski described and presented a serious security vulnerability in AMD processors at Defcon 2024 in Las Vegas on Saturday. At least all AMD processors of the last 10 years (up to Ryzen 7000) are affected. The vulnerability concerns hundreds of millions of AMD chips, which apparently cannot be secured without in-depth changes at firmware level and which offer an entry point for malware.
Malware does not normally reside in a manufacturer's firmware; in the worst case, it activates itself during the boot process once the firmware has started. Here, however, the vulnerability sits directly at the processor level of PCs or servers, below all subsequent system layers. Attackers can reportedly use it to execute code in System Management Mode (SMM). This mode has special system privileges and allows implanted malware to hide from the operating system and other applications.
The two security researchers, who work at IOActive, discovered this vulnerability, known as Sinkclose, years ago. Conventional malware defenses cannot remedy it. Such an infection is difficult to detect and can only be removed with considerable effort; even reinstalling the operating system is not enough. The gap can only be closed by a firmware update at hardware level.
AMD is working on bug fixes
Nissim and Okupski went public a few days before the Defcon 32 hacker conference in Las Vegas to explain the security problem and to announce its detailed description as part of their Defcon presentation. The two experts told Wired that AMD had been informed of the vulnerability as early as October 2023. They explained the long wait between discovering the bug and publishing it by saying that they wanted to give AMD time to work on a fix.
In its reaction to the announcement, AMD sought to reassure by emphasizing that the vulnerability is very difficult to exploit: attackers must already have access to the affected PCs or servers in order to manipulate the hardware and gain kernel access. AMD compares the Sinkclose technique to a method of getting at the safe deposit boxes of a secure bank. This hurdle is irrelevant, however, if the hardware is manipulated at an early stage, for example via bogus delivery companies. In similar cases, the affected computers have indeed been compromised before first use.
Despite its low-key classification of the vulnerability, AMD has now responded. Its security bulletin for CVE-2023-31315 shows that firmware updates are planned for many Epyc, Athlon and Ryzen CPUs, but not for all: according to AMD's current list, the Ryzen 3000 series, for example, is not due to receive any update. Patches for other processors have been announced for October 2024, and AMD has already named the version numbers of some of the updated firmware releases. However, device manufacturers still have to incorporate these into their own packages, such as BIOS updates, before they reach customers.
A similar error led to the complete replacement of the Bundestag's hardware in May 2015, as heise online reported at the time. Attackers had infected computers in numerous MPs' offices with spyware, including computers in the Bundestag office of Chancellor Angela Merkel (CDU). An article by Bleeping Computer also cites several examples of similar cyberattacks in which attackers gained access to the hardware, exploiting, among other things, vulnerabilities in anti-cheat tools, graphics drivers, drivers for security tools and numerous other kernel-level drivers.
(nie)