AMD has recently updated its security measures to tackle the “Sinkclose” vulnerability across its processor range, but there’s a catch: older, yet widely used chips won’t be patched. This vulnerability, which was unearthed by researchers at IOActive, impacts processors made as far back as 2006 and could let attackers access systems without detection.
Despite AMD offering mitigation options for most of its modern processors, including all versions of EPYC data center processors, the most recent Threadripper models, and all Ryzen processors, the company has opted not to update the Ryzen 1000, 2000, and 3000 series processors or the Threadripper 1000 and 2000 models.
These older processors, which are still utilized by numerous consumers, will continue to be vulnerable. The decision to forego updates for these older models prompts concerns regarding the security of systems that are still operating these chips.
“AMD’s choice to leave out older processors from the ‘Sinkclose’ vulnerability updates could harm consumer trust and company loyalty,” explained Arjun Chauhan, a senior analyst at Everest Group. “Businesses that rely on these aging but still-in-demand processors might feel overlooked, yielding discontent and possibly leading them to pivot towards competitors who offer extended support cycles.”
AMD’s latest Ryzen 9000 and Ryzen AI 300 series processors are not included in the current security updates, suggesting that the vulnerability may already have been addressed in these models during manufacturing.
AMD advises users of its older processor models to adhere to standard security practices, given that these models lack a specific patch, leaving them potentially more susceptible to cyber threats. The exploit, known as “Sinkclose,” requires kernel access and is typically linked to highly skilled, possibly state-sponsored attackers, prompting users to remain observant.
“Older AMD processors without patches are more prone to high-risk attacks that can grant attackers the highest level of system privileges, posing substantial risks to businesses,” commented Chauhan. “The persistence of this vulnerability across OS reinstalls and its ability to circumvent conventional security methods pose significant threats to data security and system functionality. The compromise of features like Secure Boot could lead to massive disruptions, data leaks, and higher costs for maintenance in corporate settings.”
“Despite its gravity, this vulnerability requires complex, kernel-level access, which limits its exploitation to highly skilled hackers. This limits its immediate impacts,” noted Neil Shah, VP for research and partner at Counterpoint Research.
“This should give AMD some plan to strategize and offer some upgrade solutions with OEM and channel partners for systems where it might not be technically feasible or viable to offer a firmware patch,” he said.
The vulnerability, termed AMD Sinkclose by IOActive, is classified as high severity. It allows for a privilege escalation from ring 0 (the OS kernel) to ring -2, which is the most privileged execution level on a computer.
Although this bug has existed in AMD chips for over a decade, it has yet to be exploited, or at least there is no documented evidence of such incidents. Nonetheless, its discovery opens the way to potential malicious exploitation. Worse yet, the company has not committed to patching all systems affected by this vulnerability.
“This perception of insufficient security support could lead to negative media coverage and diminish AMD’s reputation in the market, particularly as the company is making strides with its economically feasible confidential computing capable processors,” Chauhan remarked.
“Furthermore,” noted Chauhan, “should unaddressed vulnerabilities lead to considerable harm, AMD might encounter legal consequences, especially within Europe. It is crucial for AMD to maintain open communication and possibly provide remedies for those impacted.”
“Also,” remarked Chauhan, “persisting with these processors could pose compliance issues and substantial financial repercussions stemming from potential security breaches. The lack of updates for these systems means they remain vulnerable to advanced cyber-attacks, which could result in enduring detrimental effects.”
With the ever-evolving cybersecurity environment, AMD’s approach underscores the difficulties in securing a wide and varied lineup of products, particularly as older technologies continue to be utilized.