'Sinkclose' Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections (wired.com) 57
An anonymous reader quotes a report from Wired: Security flaws in your computer's firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular computer maker, but in the chips found across hundreds of millions of PCs and servers. Now security researchers have found one such flaw that has persisted in AMD processors for decades, and that would allow malware to burrow deep enough into a computer's memory that, in many cases, it may be easier to discard a machine than to disinfect it. At the Defcon hacker conference tomorrow, Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, plan to present a vulnerability in AMD chips they're calling Sinkclose. The flaw would allow hackers to run their own code in one of the most privileged modes of an AMD processor, known as System Management Mode, designed to be reserved only for a specific, protected portion of its firmware. IOActive's researchers warn that it affects virtually all AMD chips dating back to 2006, or possibly even earlier.
Nissim and Okupski note that exploiting the bug would require hackers to already have obtained relatively deep access to an AMD-based PC or server, but that the Sinkclose flaw would then allow them to plant their malicious code far deeper still. In fact, for any machine with one of the vulnerable AMD chips, the IOActive researchers warn that an attacker could infect the computer with malware known as a "bootkit" that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity. For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot -- which the researchers warn encompasses the large majority of the systems they tested -- a malware infection installed via Sinkclose could be harder yet to detect or remediate, they say, surviving even a reinstallation of the operating system. Only opening a computer's case, physically connecting directly to a certain portion of its memory chips with a hardware-based programming tool known as SPI Flash programmer and meticulously scouring the memory would allow the malware to be removed, Okupski says. Nissim sums up that worst-case scenario in more practical terms: "You basically have to throw your computer away." In a statement shared with WIRED, AMD said it "released mitigation options for its AMD EPYC datacenter products and AMD Ryzen PC products, with mitigations for AMD embedded products coming soon."
The company also noted that it released patches for its EPYC processors earlier this year. It did not answer questions about how it intends to fix the Sinkclose vulnerability.
Nissim and Okupski note that exploiting the bug would require hackers to already have obtained relatively deep access to an AMD-based PC or server, but that the Sinkclose flaw would then allow them to plant their malicious code far deeper still. In fact, for any machine with one of the vulnerable AMD chips, the IOActive researchers warn that an attacker could infect the computer with malware known as a "bootkit" that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity. For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot -- which the researchers warn encompasses the large majority of the systems they tested -- a malware infection installed via Sinkclose could be harder yet to detect or remediate, they say, surviving even a reinstallation of the operating system. Only opening a computer's case, physically connecting directly to a certain portion of its memory chips with a hardware-based programming tool known as SPI Flash programmer and meticulously scouring the memory would allow the malware to be removed, Okupski says. Nissim sums up that worst-case scenario in more practical terms: "You basically have to throw your computer away." In a statement shared with WIRED, AMD said it "released mitigation options for its AMD EPYC datacenter products and AMD Ryzen PC products, with mitigations for AMD embedded products coming soon."
The company also noted that it released patches for its EPYC processors earlier this year. It did not answer questions about how it intends to fix the Sinkclose vulnerability.
once again (Score:1, Interesting)
Re: (Score:1)
That might actually teach them some fucking security smarts. Let it happen. Life hurts.
Re:once again (Score:4, Insightful)
It's basically a "bad guy" trope that has appeared in countless uninspired movies. "Once the world experiences the consequences of their desires/ignorance/sins/stupidity/whatever .. humankind will rise out of the ashes and the new civilization will be like .. basically good/smarter/nicer or something!"
You get a big old eye roll and pat on the head from me.
Re: (Score:3)
Heh, I (re)watched "Constantine" a couple days ago; in it, Gabriel (the half-breed angel) had exactly the same discourse.
It's stupid as fuck.
Re: (Score:2, Interesting)
It's basically a "bad guy" trope that has appeared in countless uninspired movies. "Once the world experiences the consequences of their desires/ignorance/sins/stupidity/whatever .. humankind will rise out of the ashes and the new civilization will be like .. basically good/smarter/nicer or something!"
You get a big old eye roll and pat on the head from me.
If your argument is literally "No, we as a human species DO NOT actually learn from our mistakes", then maybe we really just deserve to permanently fuck ourselves over and go extinct.
Re: (Score:3)
You first. Leave the rest of us out of your plans.
Re: (Score:2)
I am not talking of any plans. I am talking of who deserves what. If you publicly admit to not learning from mistakes, dying out of extinction is precisely what you deserve. You admit to being dumb as brick, why should your genes perpetuate?
Re: (Score:2)
Re: (Score:2)
"You're right, the random non-techie people who really know nothing about how computers work should have their machines exploited, data stolen, and persistent malware installed so they can be taught a lesson that you clearly dont yourself understand ..."
Why? It's EXACTLY how I learned about computers starting at the age of 6. And now? Nothing can touch my systems. I've had not one single piece of malware in over 20 years, with one exception - I got a piece of ransomware thanks to a pal trying to fix my 'bro
Re: (Score:2)
With a security vulnerability as widespread as this, we probably would have ended up with outages so bad that it would have made the Crowdstrike incident look like a picnic. Fixing this one wouldn't have been as easy as rebooting the system, either... in many cases, it would require hardware replacement.
If you ended up getting stuck in an airport for 3 days or denied medical care as the result of your insane disclosure policy, you'll probably ended up thinking otherwise.
Re: (Score:2)
By that definition, everything is garbage.
Re: (Score:3)
if that was intended to be a demonstration of how the mind of a child works .. congratulations
Re: once again (Score:2)
Before you do that, let me clean the dust off my trusty MicroVAX box, so I could have some working computing hardware after the companies "stop making crap products". Because, you know, every current CPU has these shenanigans built-in: secure boot UEFI, system management mode, AMD PSP, Intel IME and whatnot.
Re:once again (Score:4, Insightful)
People love to talk about "free markets" but this is anything but. A space where only manufacturer signed code can run is the best place to hide malware. Because only the manufacturer can fix it by design, and everyone else even if they have the skill required is completely dependent on the manufacturer's willingness to patch their SKU. A real free market would have plenty of options available for patches that wouldn't come from some manufacturer who's only concern is whether or not their next garbage SKU is found out before it reaches the market.
The worst thing they ever did was declare a section of your device their personal playground that you the owner were forbidden from inspecting or altering.
Meaning we need 'right to repair'... (Score:2)
I think you were heading here anyway, but just to be explicit...
Manufacturers should release enough information and tools for users to continue fixing their own devices, and to share those fixes, after the manufacturer has stopped updating or supporting a device. That feels like the minimum we should start at... because then manufacturers won't do anything, but claim they're still supporting things, to not release information.
How I first read your post was 'there should be no limit on code that is install
Re: (Score:2)
No, what actually needs to happen is a complete ban on these kinds of hidden places in the silicon where only manufacturer code can run.
Sure, and let's go back to the days of 486 dx33 speeds because you think a modern processor is capable of functioning without management code on it. /s
Re: (Score:2)
> not to make garbage and customers not to buy garbage
Impossible.
X86/X64 is garbage. The whole architecture is designed to be insecure. We use it everywhere; we constantly patch it.
We could stop making this security trash if we dumped it for a new security focused architecture. All current OS's will also be dumped, as no OS today is designed with that new architecture in mind.
It would be a tidal shift in OS design and hardware design and it will be a BIG change. It won’t look or work like what
Ha! (Score:3)
Joke's on you... I only use 2004 AMD chips in all my machines!
Use it for cracking (Score:4, Interesting)
Use this to crack widevine, 4k bluray, any encryption that relies on trusting the hardware to be predictable
Re: Use it for cracking (Score:2)
What MPAA produced these days is such a garbage that it's probably not worth the effort.
Re: (Score:2)
What's the MPAA? Are you under the impression that the only movies in the world are made by Americans?
Re: (Score:3)
Every Xbox and PlayStation of the last two generations uses AMD CPUs. If this SMM exploit can be introduced to them then it can be an unpatchable jailbreak.
Re: (Score:2)
Maybe not unpatchable. It sounds like they can update the console's firmware mitigate the flaw, so unless you can already run arbitrary code very early in the boot process you won't be able to exploit it on current firmware... Assuming they implemented the fixes.
Typically you need current firmware to play online, but if you just want to jailbreak then it may work if you can find an arbitrary code exploit.
2006? (Score:1)
So most processors with mulitcore and GPU optimizations....?
How deep is "deep" for access? (Score:3)
This gets me wondering how much access one needs. Does this mean having unconstrained root, having access to kernel space, or maybe even just being able to execute code as a user? Saying "deep" really doesn't mean much, because that can easily just mean that someone ran a binary with an elevated or sudo command prompt, and now the code can run as root or LOCALSYSTEM without worry.
I'm guessing unconstrained root or LOCALSYSTEM.
Re:How deep is "deep" for access? (Score:5, Insightful)
Pre-OS-loader Re:How deep is "deep" for access? (Score:1)
If you can overwrite the firmware that runs before the OS loads, or better yet overwrite the microcode, you've got more control than anything that loads later.
Re: (Score:3)
Lower level than the kernel. Bios level.
Re: (Score:2)
Re: (Score:2)
Most people don't have multiple layers of security for data at rest on their devices. If you can get code execution as them, you have access to pretty much anything of value that the user added to the system. Taking advantage of that access is likely to be noticed. Especially on corporate networks, or if you want to deploy ransomware. Which reveals your presence and burns whatever access you had.
The remaining 1% is just the raw
Re: (Score:2)
This root kit after
Re: (Score:2)
I guess my 1090T stays retired. (Score:2, Interesting)
I recently retired an AM3 board with a Phenom II x6 1090T from being my daily driver, but was somewhat looking for another case/PSU to house it so I can retire some even less powerful hardware. I guess I'll just let it lie and get some RAM for the X99 board I also have laying around (with a 5700K on it).
AI (Score:1)
So I guess this need root permissions? (Score:3)
At that time you can simply re-flash the bios with malware and most people would not know the difference.
Re: (Score:2)
As a side-note, I have done SPI reflashing in circuit. Any decent PC shop should be able to do it.
Re: (Score:3)
First you gotta get completely pwned.
Then you might stay completely pwned without knowing it.
well duh
Hacking rarely involves just one vulnerability (Score:2)
Re: (Score:2)
First you gotta get completely pwned.
Then you might stay completely pwned without knowing it.
Re: (Score:2)
That depends in whether detecting this is hard. If it opens network connections or accepts them, it may not actually be hard to detect.
Re: (Score:2)
I'm not saying this is impossible, but it sounds like you would
1) Need to get a foothold
2) find a way to escalate to root
3) install your bootkit
4) cover your tracks on how you got in so you remain undetected
If there is any network monitoring going on, you would hopefully notice odd behavior out of the compromised box and shut that down. If your network is secured enough, you wouldn't even fall victim or you would prevent the compromised box from communicating with the outside via unauthorized channels.
Seems
Re: (Score:2)
Something like that. A high-effort specialized attack somewhat lacking an actual use-case. I doubt we will see it in the wild.
Re: (Score:2)
Indeed, but why target a very specific subset of hardware and firmware limited to a single manufacturer producing hundreds of varied products, when you can instead target a very commonly available centralised exploit across literal millions of machines?
You don't go out of the way to flash BIOS for the same reason people don't go out of their way to attack Linux machines: Effort vs attackable victims is just too high to be worthwhile.
Re: (Score:2)
Well, maybe. This would still mean that your actual backdoor code works across most machines you attack. The exploit may be portable, but that does not mean you can do the same attack based on it.
But this whole attack only makes sense if the victim got compromised on root level, and did a cleanup without changing the hardware and you want to re-compromise them after that. That probably gives you much less than just running whatever you do to get root against more computers. I doubt we will see this in the w
CIAA (Score:3)
Reactive security (Score:2)
OpenBSD demonstrated that a more proactive assault on software security flaws could produce better security, an approach that is only otherwise pursued in the most critical of software, and not always then. And, evidently, not pursued in consumer hardware at all.
We've a steady accumulation of tools for evaluating logic, but it's still fairly primitive and rarely covered in any depth at university.
With the planet dangerously fractured by partisanship, paranoia, and state-sponsored cyberwarfare (where the too
Huh (Score:2)
For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot
So it's like communism, the problem is just that it was (always, everywhere) implemented wrong ...
Comment removed (Score:4, Informative)
They honestly can't just reflash good code? (Score:2)
I'm curious... Yes, I know a hardware flashing device would be more secure, but could a flash of malware infected BIOS code really block another flash of safe BIOS code through the normal means?
Thinking more... I guess if the flashing process was b0rkened, that might be how. To always keep an area unchanged, or apply a break again. Probably fragile to attempt, but it might be hard to recover from (again needing the hardware SPI programmer).