EDIT 26-06-2025 8:30am ET: AMD has told Tom’s Hardware that it will not patch all of the impacted processors for this vulnerability. You can read more about the chips that will not be patched here.
Original article:
‘Sinkclose’ is the name of a recently discovered major security vulnerability that affects virtually all of AMD’s processors released since 2006. This flaw allows attackers to deeply infiltrate a system, making it extremely difficult to detect or remove malicious software. The issue is so severe that, in some cases, it may be easier to abandon an infected machine than to repair it, reports Wired.
There is good news, though: since the flaw went undiscovered for 18 years, it likely hasn’t been exploited in the wild. Also, AMD is patching its platforms to protect them, though not all affected processors have received a patch yet.
Sinkclose evades antiviruses and persists even after OS reinstall
The Sinkclose vulnerability allows hackers to execute code within the System Management Mode (SMM) of AMD processors, a highly privileged area typically reserved for critical firmware operations. To exploit this flaw, attackers must first gain access to a system’s kernel, which isn’t easy, but it is possible. In other words, the system must already have been compromised by some other attack.
Once this access is secured, the Sinkclose vulnerability allows the perpetrators to install bootkit malware that evades detection by standard antivirus tools, remaining nearly invisible within the system and persisting even after the operating system is reinstalled.
The vulnerability leverages an obscure feature in AMD chips known as TClose, which is meant to maintain compatibility with older devices. By manipulating this feature, the researchers were able to redirect the processor to execute their own code at the SMM level. This method is complex but provides attackers with deep and persistent control over the system.
Security researchers Enrique Nissim and Krzysztof Okupski from IOActive identified the Sinkclose vulnerability. They will present it at the Defcon conference tomorrow.
“To take advantage of the vulnerability, a hacker has to already possess access to a computer’s kernel, the core of its operating system,” an AMD statement issued to Wired reads. AMD likens the Sinkclose technique to gaining access to a bank’s safe deposit boxes after already getting past its alarms, guards, and vault door.
Impacts a wide range of AMD CPUs
The Sinkclose flaw impacts a wide range of AMD processors used in client PCs, servers, and embedded systems. Unfortunately, AMD’s latest Zen-based processors are especially exposed when the computer maker or motherboard producer has not properly implemented the Platform Secure Boot feature: on such systems it is harder to detect malware installed in AMD’s secure enclave.
The researchers waited 10 months before disclosing the vulnerability to give AMD more time to address it. AMD has acknowledged the vulnerability and begun releasing mitigation options for affected products, including its EPYC datacenter and Ryzen PC processors. Patches for some products have already been issued, with more expected soon. However, AMD has not yet disclosed how it will address the vulnerability across all affected devices.
Anton Shilov is a contributing writer at Tom’s Hardware. Over the past couple of decades, he has covered everything from CPUs and GPUs to supercomputers, and from modern process technologies and the latest fab tools to high-tech industry trends.