AMD Leaves Older CPUs Exposed to SinkClose Vulnerability
Published On: August 13th, 2024
AMD has acknowledged a significant vulnerability, SinkClose (CVE-2023-31315), that affects several of their processors, some dating back to 2006. Despite the severity of this flaw, which has been given a CVSS score of 7.5, AMD has announced that they will not be patching older processors, particularly those released before 2020.
Discovered by cybersecurity firm IOActive and officially tracked as CVE-2023-31315, SinkClose is a vulnerability rated 7.5 out of 10 on the Common Vulnerability Scoring System (CVSS), categorizing it as important but not critical. The flaw specifically targets System Management Mode (SMM) in AMD processors—a highly privileged execution environment that operates below the operating system kernel and hypervisor.
SMM is designed to be largely invisible to the operating system, handling tasks such as power management, system cooling, and other hardware-specific functions. Its unrestricted access to system resources means that any breach can lead to severe consequences. Suppose malicious software or a rogue user gains access to SMM. In that case, they can execute arbitrary code, spy on the system, steal data, and establish persistent infections at the BIOS level, making detection and remediation extremely challenging.
AMD's response
AMD has committed to releasing firmware updates to mitigate the SinkClose vulnerability for a range of their more recent processors. This includes all generations of their EPYC processors used in data centers and various Ryzen models, including the 4000, 5000, 7000, and 8000 series. However, the company has stated that they will not provide patches for certain older processors, specifically those released before 2020, such as the Ryzen 3000 series and earlier models.
The decision not to patch these older CPUs has raised concerns, especially since these processors are still used in many systems worldwide. AMD has indicated that these models are outside their software support window, effectively marking the end of security updates for these products. This exposes users of older Zen and Zen+ processors, including the popular Ryzen 1000 and 2000 series, to the SinkClose vulnerability without an official fix.
The vulnerability is not only a concern for personal computers but also for embedded systems that may run on affected processors. These systems, often used in industrial or IoT applications, are designed to operate continuously with minimal human intervention, making them ideal targets for persistent, undetected attacks facilitated by SinkClose.
The importance of protecting your tech
As vulnerabilities like SinkClose emerge, they highlight how older hardware can become increasingly vulnerable when not supported by ongoing security updates. This is especially relevant in a world where cyber threats are becoming more sophisticated and targeted, often exploiting the smallest weaknesses in a system’s defense.
This development raises an important consideration for readers still using older AMD processors: the potential need to upgrade to newer hardware that benefits from active security support. While upgrading can be a significant investment, the cost of a security breach—whether it’s data loss, identity theft, or system damage—can far outweigh the price of new equipment.
It is crucial to understand the risks associated with unsupported hardware and take proactive steps to mitigate them. Whether upgrading to a more secure processor, applying available updates promptly, or implementing additional security measures, staying ahead of potential threats is key to safeguarding personal and business data in today’s digital landscape