AMD will not patch some CPUs vulnerable to new ‘virtually undetectable’ Sinkclose exploit

AMD's security patch for Sinkclose does not include older processors.
Last Updated on August 12, 2024

Researchers have recently disclosed a massive security vulnerability that has existed on pretty much every AMD CPU since 2006. Dubbed Sinkclose, this flaw allows attackers to penetrate deep into a system, making it very difficult to detect or remove any malicious software. Since this type of malware can persist after OS re-installations, it might be easier to get new hardware than it would be to try and remove it. AMD is reportedly already working on a fix and has begun to roll out patches.

However, if you’re on an older consumer AMD CPU, like the Ryzen 1000 – 3000 for example, you might be left vulnerable to this attack. But unless you’re holding data of vast significance, it’s unlikely that you’ll become a specific target.

AMD told TomsHardware, “There are some older products that are outside our software support window,” which, according to TomsHardware, means that AMD doesn’t plan to fix the issue on Ryzen 1000, 2000, and 3000 series processors or its Threadripper 1000 and 2000 models. So if you’re holding maximum security information, and you’re on one of these processors, you might want to consider an upgrade. Luckily, some of the Ryzen 9000 series just launched.

Full list of AMD CPUs that will be patched

According to that same TomsHardware article, here is a full list of AMD processors that will be patched to fix the Sinkclose vulnerability.

Data Center

  • 1st Gen AMD EPYC (Naples)
  • 2nd Gen AMD EPYC (Rome)
  • 3rd Gen AMD EPYC (Milan/Milan-X)
  • 4th Gen AMD EPYC (Genoa/Genoa-X/Bergamo/Siena)
  • AMD Instinct MI300A

Embedded

  • AMD EPYC Embedded 3000
  • AMD EPYC Embedded 7002
  • AMD EPYC Embedded 7003
  • AMD EPYC Embedded 9003
  • AMD Ryzen Embedded R1000
  • AMD Ryzen Embedded R2000
  • AMD Ryzen Embedded 5000
  • AMD Ryzen Embedded 7000
  • AMD Ryzen Embedded V1000
  • AMD Ryzen Embedded V2000
  • AMD Ryzen Embedded V3000

Desktop

  • AMD Ryzen 5000 Series (Vermeer/Cezanne)
  • AMD Ryzen 7000 Series (Raphael) X3D
  • AMD Ryzen 4000 Series with Radeon Graphics (Renoir)
  • AMD Ryzen 8000 Series with Radeon Graphics (Phoenix)

HEDT

  • AMD Ryzen Threadripper 3000 Series (Castle Peak)
  • AMD Ryzen Threadripper 7000 Series (Storm Peak)

Workstation

  • AMD Ryzen Threadripper PRO (Castle Peak)
  • AMD Ryzen Threadripper PRO 3000WX (Chagall)

Mobile

  • AMD Athlon 3000 Series with Radeon Graphics (Dali/Pollock)
  • AMD Ryzen 3000 Series with Radeon Graphics (Picasso)
  • AMD Ryzen 4000 Series with Radeon Graphics (Renoir)
  • AMD Ryzen 5000 Series with Radeon Graphics (Cezanne/Barcelo)
  • AMD Ryzen 6000 Series with Radeon Graphics (Rembrandt)
  • AMD Ryzen 7020 Series with Radeon Graphics (Mendocino)
  • AMD Ryzen 7030 Series with Radeon Graphics (Barcelo-R)
  • AMD Ryzen 7035 Series with Radeon Graphics (Rembrandt-R)
  • AMD Ryzen 7040 Series with Radeon Graphics (Phoenix)
  • AMD Ryzen 7045 Series (Dragon Range)
  • AMD Ryzen with Radeon Graphics (Hawk Point)

As you can see, the Ryzen 9000 series CPUs are not featured on this list, meaning they may have already been patched before launch.

How does the Sinkclose exploit work?

Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, are the ones who discovered this bug, and I’ll explain what they told Wired recently; I’ll sprinkle in some of my understanding to make all this mess a little more digestible.

To put it into more manageable terms, the Sinkclose exploit allows attackers to execute malicious code in System Management Mode (SMM) on AMD processors. This is a highly privileged area in which basically anything can be done without much resistance from administrative checks. SMM is usually used for firmware operations, which are critical to system operation. It’s not all bad news, though: for hackers to take advantage of this vulnerability, they must first gain access to the system’s kernel, which is difficult but not impossible.

Once the kernel is infiltrated by the bad actor, a bootkit can be installed. This is a special type of malware that can evade detection by antivirus software, as it’s pretty much invisible to the OS. Not only that, but it gives the hackers full access to survey your system, everything it does, and everything it has on it. This kind of malware will persist through operating system reinstalls. You’d need a special kind of hardware-based programming tool known as an SPI flash programmer (Serial Peripheral Interface) to comb through the memory and purge the bootkit manually.

The specific area of compromise comes from an obscure feature of AMD chips known as TClose. In AMD-based systems, a safeguard named TSeg usually prevents the system from writing to protected memory reserved for SMM, known as System Management Random Access Memory (SMRAM). TClose, which exists to keep compatibility with older devices that use the same memory address inside SMRAM, could be used to read malicious code from the memory. This is because TClose remaps memory pointers to those SMRAM addresses we mentioned earlier for older devices (older devices want to read specific instructions from memory, and TClose directs them to where they need to be).

By turning the TClose memory remapping feature against the system, data that had been tampered with could be loaded from the memory via SMM. This further allowed the processor to be redirected to execute malicious code at the same SMM privilege level. Translation: very bad.

Thankfully, the team at IOActive waited 10 months to publish after notifying AMD of the issue, to allow it time to resolve the issues.

Are you affected?

Unless you hold state secrets, then probably not. But it’d be wise to implement the patch just to be sure. Since nobody has discovered this flaw in over 18 years, it’s likely nobody has really used it. But that’s not to say that nobody out there knows about it. The last thing a potential bad actor would do is disclose their way into users’ systems. That’s how things get patched.

Practice internet safety, don’t download anything suspicious, and for god’s sake, you don’t need Norton.

Jack Howarth, a Tech Writer at PC Guide, is deeply passionate about technology. He started his journey during college, earning an Extended Diploma in ICT, and CompTIA A+ later in life.