The two IT security experts Enrique Nissim and Krzysztof Okupski described and presented a serious security gap in AMD processors on Saturday at Defcon 2024 in Las Vegas. It affects at least all AMD processors of the last 10 years (up to Ryzen 7000): millions of AMD chips that apparently remain vulnerable unless deep changes are made at the firmware level, and that otherwise provide an entry point for malware.
The malware does not usually reside in the manufacturer's firmware itself; in the worst case it is activated as part of the boot process, after the firmware has been initialized. The vulnerability therefore directly affects the processor level of the PC or server and sits below all subsequent system layers. It is said to enable attackers to run software in the so-called System Management Mode (SMM). This mode has special system privileges and lets the injected malware hide from the operating system and other applications.

The two security researchers, who work at IOActive, discovered this security gap, known as Sinkclose, years ago. Traditional malware protection methods cannot counter this vulnerability. Such malware infections are difficult to detect and take considerable effort to remove; even reinstalling the operating system is not enough. The gap can only be closed through firmware updates at the hardware level.
AMD is working on bug fixes
A few days ago, Nissim and Okupski used the hacker conference Defcon 32 in Las Vegas to bring the security problem to public attention and to announce a detailed description of it as part of the Defcon lectures. The two experts told Wired that AMD was notified of the security gap in October 2023. Both explained the long wait from the discovery of the bug to its publication by saying that they wanted to give AMD time to work on a fix.
In response to this announcement, AMD sought to reassure users by stressing that the vulnerability is very difficult to exploit: attackers must already have access to the corresponding PC or server in order to manipulate the hardware and gain kernel access. AMD compares the Sinkclose technique to a method of getting at a secure bank safe deposit box. But this obstacle does not matter if the hardware has been manipulated at an early stage, for example by bogus companies in the supply chain. In similar cases, the affected computers were compromised before they were ever put into use.
Despite downplaying the severity of this vulnerability, AMD has now responded. Security bulletin CVE-2023-31315 shows that firmware updates are planned for many Epyc, Athlon and Ryzen CPUs, but not all: the Ryzen 3000 series, for example, is not scheduled to receive any updates according to AMD's current list. For other processors, patches have been announced for October 2024, and for some of them AMD already lists version numbers of fixed firmware. However, device manufacturers will still have to incorporate these into their own packages, such as BIOS updates, and deliver them to customers.
As heise online reported, a similar flaw led to a complete replacement of the Bundestag's hardware in May 2015. At that time, attackers infected the computers of several parliamentarians' offices with spyware, including those of Chancellor Angela Merkel's (CDU) Bundestag office. A report by Bleeping Computer also cites several examples of similar cyber attacks in which attackers gained access to hardware by exploiting security holes in, among other things, anti-cheat tools, graphics drivers, security tool drivers and several other kernel-level drivers.
(US)
