2024-08-10 06:14:32

Third Man on Nostr:

>AMD is warning about a high-severity CPU vulnerability named SinkClose that impacts multiple generations of its EPYC, Ryzen, and Threadripper processors. The vulnerability allows attackers with Kernel-level (Ring 0) privileges [that is, device drivers] to gain Ring -2 privileges and install malware that becomes nearly undetectable.

>Ring -2 is one of the highest privilege levels on a computer, running above Ring -1 (used for hypervisors and CPU virtualization) and Ring 0, which is the privilege level used by an operating system's Kernel.

>The Ring -2 privilege level is associated with modern CPUs' System Management Mode (SMM) feature. SMM handles power management, hardware control, security, and other low-level operations required for system stability.

>Due to its high privilege level, SMM is isolated from the operating system to prevent it from being targeted easily by threat actors and malware.

>Tracked as CVE-2023-31315 and rated of high severity (CVSS score: 7.5), the flaw was discovered by IOActive's Enrique Nissim and Krzysztof Okupski, who named the privilege elevation attack 'Sinkclose.'

>Full details about the attack will be presented by the researchers tomorrow in a DefCon talk titled "AMD Sinkclose: Universal Ring-2 Privilege Escalation."

>The researchers report that Sinkclose has passed undetected for almost 20 years, impacting a broad range of AMD chip models.

>Ring -2 is isolated and invisible to the OS and hypervisor, so any malicious modifications made on this level cannot be caught or remediated by security tools running on the OS.

>Okupski told Wired that the only way to detect and remove malware installed using SinkClose would be to physically connect to the CPUs using a tool called a SPI Flash programmer and scan the memory for malware.

Access to Ring 0 on Windows is trivial:

>[...] Advanced Persistent Threat (APT) actors, like the North Korean Lazarus group, have been using BYOVD (Bring Your Own Vulnerable Driver) techniques or even leveraging zero-day Windows flaws to escalate their privileges and gain kernel-level access.

>Ransomware gangs also use BYOVD tactics, employing custom EDR killing tools they sell to other cybercriminals for extra profits.

>The notorious social engineering specialists Scattered Spider have also been spotted leveraging BYOVD to turn off security products.

>These attacks are possible via various tools, from Microsoft-signed drivers, anti-virus drivers, MSI graphics drivers, bugged OEM drivers, and even game anti-cheat tools that enjoy kernel-level access.

Which lucky Russian / Chinese state APT group will pounce on this to create another bootkit?

https://www.bleepingcomputer.com/news/security/new-amd-sinkclose-flaw-helps-install-nearly-undetectable-malware/
Author Public Key
npub1cz2qnqe6guf0hgujuyneyj4f9k344wn4qd4aj8raj9rpys064rcs70avfl