AMD's 'Sinkclose' vulnerability affects hundreds of millions of processors

AMD’s response:

Sinkclose = TClose + Sinkhole.
With that vulnerability, an attacker with ring 0 (kernel) privileges can write code to SPI Flash to get ring -2 (ring ‘minus 2’) privileges.
No patches for old CPUs. No info about Bristol Ridge CPUs (2 - 4 Excavator CPU cores for AM4).

CVE:

https://www.cve.org/CVERecord?id=CVE-2023-31315

From researchers:

https://ioactive.com/event/def-con-talk-amd-sinkclose-universal-ring-2-privilege-escalation/

DEF CON® 32 Hacking Conference Talks

AMD Sinkclose: Universal Ring -2 Privilege Escalation

Saturday at 12:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Demo, Exploit, Tool

Enrique Nissim Principal Security Consultant at IOActive

Krzysztof Okupski Associate Principal Security Consultant at IOActive


THG:

“Wired”:

SUSE:

https://bugzilla.suse.com/show_bug.cgi?id=1229069


For desktops: AM4 Ryzen 4000 series have a remedy.
Good news from AMD: it will add protection for Matisse (some 3000 series) desktops:

Revisions

| Revision Date | Description |
| --- | --- |
| 2024-08-14 | “Matisse” mitigation status has been updated to a target of 2024-08-20 |
| 2024-08-09 | Initial publication |

The newest CPUs probably have protection since release (AM5 8000 & 9000 series).

Ryzen Summit Ridge (AM4 1000 series) may get a remedy via new microcode because it is similar to EPYC Naples and Snowy Owl.

For Family 17h (Zen, Zen+, Zen 2), new firmware is available for CPUs 0x8 0xF 0x0 0x1 (Naples, Whitehaven, Summit Ridge, Snowy Owl) and 0x8 0xF 0x3 0x1 (Rome, Castle Peak).
To get the new microcode, install the new package ‘ucode-amd’ from 20240809. It is available for TW, expected for Leap (15.5 & 15.6).

Location of files:
for Leap /lib/firmware/amd-ucode
for TW /usr/lib/firmware/amd-ucode

Supposedly EPYC Naples & friends microcode:
Old:
Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126e Length=3200 bytes
New:
Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126f Length=3200 bytes

Supposedly EPYC Rome & friends microcode:
Old: Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107a Length=3200 bytes
New: Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107c Length=3200 bytes

Please, if you have a Ryzen 1000 series CPU, upgrade TW with dup and post
inxi -aCz

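One way to check a machine against the patch levels quoted in the post above, as an added example that is not part of the original posts: it parses `/proc/cpuinfo`-style text and compares each core's `microcode` value with the "New:" revisions listed there. The sample input is constructed, and treating a higher patch number as newer is an assumption.

```python
import re
# Patch levels from the "New:" lines in the post above, keyed by
# (family, model, stepping); the poster marks the CPU names as "supposedly".
FIXED = {
    (0x17, 0x01, 0x02): 0x0800126F,  # "EPYC Naples & friends"
    (0x17, 0x31, 0x00): 0x0830107C,  # "EPYC Rome & friends"
}
RANK = {"ok": 0, "unlisted": 0, "unknown": 1, "outdated": 2}

# Constructed sample in /proc/cpuinfo layout: two cores, one still on the old patch.
SAMPLE = """\
processor : 0
cpu family : 23
model : 1
stepping : 2
microcode : 0x800126e

processor : 1
cpu family : 23
model : 1
stepping : 2
microcode : 0x800126f
"""

def parse_cpuinfo(text):
    """Return one dict of fields per logical CPU."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if "cpu family" in fields:
            cpus.append(fields)
    return cpus

def check(text, fixed=FIXED):
    """Map each (family, model, stepping) to its worst status across cores."""
    worst = {}
    for cpu in parse_cpuinfo(text):
        ident = tuple(int(cpu[k]) for k in ("cpu family", "model", "stepping"))
        if ident not in fixed:
            status = "unlisted"   # the thread gives no patch level for this CPU
        elif "microcode" not in cpu:
            status = "unknown"    # field missing from the text
        # Assumption: a higher patch number within one CPU ID is a newer patch.
        elif int(cpu["microcode"], 16) >= fixed[ident]:
            status = "ok"
        else:
            status = "outdated"
        if RANK[status] >= RANK[worst.get(ident, "ok")]:
            worst[ident] = status
    return worst
```

On a live system, call `check(open("/proc/cpuinfo").read())`; a result of `outdated` means at least one core reports a patch level below the one quoted in the thread.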

You can get a microcode update via a BIOS update. For AM4 you need AMD AGESA Combo V2PI 1.2.0.Cb (2024-07-30). Right now 1.2.0.Ca is available.
Updates for some CPUs will be available in October 2024.
AMD promises support for old EPYC and embedded CPUs because of LTS.

AMD Picasso: support for mobile CPUs is planned, no support for desktop ones.
No support for Zen+ CPUs: Pinnacle Ridge & Colfax.
Support for desktops - since Matisse (3000 series, Zen 2 based, not 3200G/3400G).

Zen 3 and Zen 4 are of Family 19h, updates are available.


Some CPU microcodes:

It uses the CPUID number, which is distinct from the family numbers used by AMD microcode binaries. Use the cpuid or CPU-X utilities to get the CPUID and other info.

Utility to extract info from microcode binaries (which is also available in Readme file):

Additional info:

https://wiki.archlinux.org/title/Microcode

https://wiki.gentoo.org/wiki/Microcode

https://wiki.gentoo.org/wiki/AMD_microcode#Microcode_firmware_files

Chromebooks are unaffected, because

this issue is not applicable to Chromebooks, or any devices running coreboot – the CVE is with the UEFI SMM mode access, which does not exist on Chromebooks.

New ucode-amd is available with some updates.

Does this imply that this only affects UEFI boot? Sounds like using Legacy/MBR would prevent the exploit.

UEFI systems are affected. Old non-UEFI systems are unaffected.
Legacy boot has its own drawbacks, but not that one.
CSM mode on UEFI systems: status unknown.
