An Argentinian discovered a failure in all processors of AMD manufactured from at least 2006 to the present, which gives more privileges to a hacker to take control of another's computer. Enrique Nissim, systems engineer from UTN, together with his Polish colleague Krzysztof Okupski, presented the research results at DEF CON, the world's largest hacker conference, which he attended. Clarion.
This is a problem in a specific sector of the processor (CPU)the core component of any computer, be it a laptop, desktop, phone, or even the “embedded” systems that come in other devices like cars.
From the moment the user turns on the device, the CPU executes a series of instructions in a certain order: Nissim, who works for the security company IOActive, found this flaw by reading the technical documentation, he wrote with Okupski exploitation method (exploited) and reported it to AMD. They called it “SinkClose” and affects all models from 2006 to present.
Vulnerabilities are common among technology companies, and it's not uncommon for outside researchers to uncover these issues. The problem usually occurs when these defects fall into the hands of hackers: For now, Nissim has not published the step-by-step decision.
“The name is a play on words because in 2015 a researcher named Christopher Domas presented a vulnerability in Intel processors at Black Hat and DEF CON and called it 'The Memory Sinkhole.' It's a very similar attack, albeit with different conditions. Of course I knew what to name it, I used the first part “Sink Hole” and since the bug is in a function of the processor called TClose, I combined the word 'Close' with 'Sink'”, he explained in dialogue with this medium.
“Once I found it, I let it go for a few months until I could demonstrate it and then I sent them a report last October. AMD took it up and we discussed the impact. At first it was thought that can be exploited with physical presence only, ie with the attacker in front of the team But no: with more research, we show that it is not necessary to be in front of the team to exploit it.
Due to the large number of devices it affects, AMD issued an official statement acknowledging the problem and making sure a patch to fix it is on the way.
Although Intel dominates the processor market, AMD has gained a lot of ground in the last decade and there are many users of these products.
Enrique Nissim (left), Argentinian researcher, together with his colleague Krzysztof Okupski. Photo: Juan BrodersenWhat it's like to fail: the technical explanation
The vulnerability runs in what is known as “low level” In computing: While Windows, Android or iOS are usually the operating systems with which the user usually interacts, before they are executed, a number of processes run. That is, between the time the user presses the ON button to turn on the equipment and can use it, the BIOS intervenes, which is a “firmware” (low-level software) that provides the basics for the operating system to boot (or “boot”).
Nissim explained the vulnerability step by step Clarion: “The machine's BIOS is that part that is responsible for booting the hardware, memory, list of all devices, and once it has a global map of everything in the hardware, it passes control to the operating system 'loader' to load Windows, Linux, whatever”.
“Now, one of the steps the firmware takes before passing control to the 'loader' is prepare a reserved memory area to put special code which will be executed as long as the computer is running. This is called System Management Mode (SMM) and it is like a runtime extension of the firmware,” he added.
“If you split the execution process of a computer into two, you have the startup (boot) part and the runtime part, which is what the user sees when they're already running their applications (Office, a browser, whatever). Once the system boots, the BIOS stops running. However, there is additional code in memory that is protected and runs with higher privileges than the operating system: this is EMShe continued.
The system management mode thus constitutes a mode of operation of a device with elevated privilege levels. This means that in this case a user can execute instructions at a low level, a “ring” as they technically say, very close to the processor.
“SSM is another execution mode within the x86 architecture [el set de instrucciones del equipo] and it shouldn't because it's a specialized firmware code managed by the laptop or PC vendor. Well: with this vulnerability, you can run arbitrary code in this mode” Nissim concluded.
It affects all Ryzen models, the company's flagship product. AMD photoAlthough to exploit this vulnerability you must already have access to the computer – through another vulnerability or malware – what's interesting about the discovery is that it can allow an attacker to do something very valuable from their point of view: persist in a team.
“The code running in SMM is totally invisible to an antivirus or anti-cheat engine. Even if someone wants to run a cheat in a video game, they could use this. But in many cases an attacker wants to persist on a machine, and for that you need an access level rather than an execution level in core [el núcleo del sistema operativo]” he adds.
“On modern systems with all the protections in place, tapping system management mode gives the option to install a bootkit in the same way. If the system is moderately misconfigured, an implant can be installed in firmware, in flash: in this case, don't get rid of it without even uninstalling the OS, you almost have to throw away the processor,” he explained. A bootkit is a malicious program that aims to infect a computer's boot.
How was the discovery and what impact does it have on the user?
Krzysztof Okupski exhibits at DEF CON. Photo: Juan BrodersenNissim, from Resistencia, Chaco, studied Systems Engineering at UTN and lives in Orlando, Florida since 2023. “I've always programmed, sold software to classmates for class projects. I started working at an IT solutions company, then I moved to Core Security”, a founding cyber security company in Argentina. He then worked at Intel and now works at IOActive, a cybersecurity company in Seattle.
The 34-year-old researcher found the vulnerability while doing research for IOActive. Once he detected it, he worked with his colleague Krzysztof Okupski, a Pole who has lived in Spain for six years, to develop the exploit. When these flaws are detected, researchers usually contact the companies to alert you of vulnerability.
“We were doing research based on AMD platforms, at first we started to notice that there wasn't much research because everything was focused on Intel. There were many public tools that detect bad configurations in systems, but for Intel, then we decided to bring the state of the art to AMD,” explained Nissim who lives in the United States
“If you like, the bug was visible in the 2006 whitepaper,” he added. A vulnerability of this length and scope is not that common, which makes the discovery particularly interesting because of the ramifications it could have once it is made public. “We estimate that hundreds of millions of chips are affected“, he ventured.
Lisa Su, president and CEO of AMD, during the presentation of the third generation in 2019. Photo: ReutersAMD has taken a good share of the market, historically dominated by Intelin the last decade with its star product: Ryzen, which is characterized by the fact that it is highly sought after by gamers for its price-quality ratio and has already been around for five generations. The Sinkhole bug not only affects these processors, but also those used in servers (EPYC)y Threadripperoriented towards research and machine learning.
“I don't know if this was exploited by attackers or not, I wrote a working exploit with my colleague Krzysztof, who lets you run anything you want in this SSM. We haven't released it yet because we're talking to AMD and we'll wait a few more weeks,” he added.
The bug already has CVE (the system used for recording vulnerabilities, Common Vulnerabilities and Exposures) and AMD spoke, in statements to the specialized press Wired: “We launched mitigation options for AMD EPYC and AMD Ryzen products, with mitigations for embedded systems coming soon.”
Nissim, for his part, insists that the value of this vulnerability to an attacker is to gain persistence on a computer, something highly sought after by state-sponsored hackers and advanced threats with technical firepower known as APTs (Advanced Persistent Threats).
The talk at DEF CON drew applause from attendees after the researchers provided a technical demonstration to demonstrate the exploit in action. The list of affected chips can be seen on AMD's official website.
The DEF CON conference will soon be available for viewing online.