AMD reverses course: Ryzen 3000 CPUs will get SinkClose patch after all
Still no love for 1000- or 2000-series
In an apparent reversal, AMD has decided that its Ryzen 3000-series processors released in 2019 are actually worth patching against the recently disclosed SinkClose vulnerability.
The flaw, discovered by the folks at IOActive and disclosed at DEF CON this month under CVE-2023-31315 impacted most AMD processors going back to 2006.
The vulnerability, which specifically impacts AMD silicon, enables malicious software or users that have already gained access to the operating system kernel to run code in System Management Mode (SMM) out of sight of the operating system, antivirus tools, or the hypervisor. That means someone who has already compromised your system can burrow deeper and infect it to the point where it may be difficult or impossible to fully evict them. This earned it a rating of 7.5 out of 10 on the CVSS severity scale.
As we previously stressed, in needing that kernel-level access, this vulnerability a lot less scary than other chip-level flaws that we've come across in recent years. An attacker who's compromised the kernel can already do a lot of damage regardless of whether the system is vulnerable to SinkClose or not. SMM is ordinarily reserved for the BIOS/UEFI firmware.
In its initial advisory, AMD promised fixes in the form of BIOS updates and/or hot-loadable microcode updates. But while much of the House of Zen's datacenter and embedded lineup was slated to receive the patch, not all of its consumer-focused parts were so lucky.
Among the more notable exceptions was AMD's Ryzen 3000-series of desktop CPUs codenamed Matisse, which used the same Zen 2 core as AMD's Rome generation of Epyc datacenter chips. However, in a revised advisory, the Ryzen 3000 family is now listed as eligible for the patch, which can be found in "ComboAM4PI 1.0.0ba" released late last week.
- AMD won't patch Sinkclose security bug on older Zen CPUs
- Raptor Lake microcode limits Intel chips to a mere 1.55 volts to prevent CPU destruction
- Apple, AMD, Qualcomm GPU security hole lets miscreants snoop on AI training and chats
- UEFI flaws allow bootkits to pwn potentially hundreds of devices using images
The Register has reached out to AMD for comment on the decision. But the reversal suggests AMD may have succumbed to backlash from the community that felt the chips still had life left in them.
The decision also isn't surprising considering that AMD was able to patch other Zen 2 parts without issue.
Alas, it doesn't appear that AMD's older Ryzen 1000- or 2000-series client CPUs will be so lucky. But as we mentioned before, if you happen to have an affected CPU, so long as you don't go downloading sketchy executables from disreputable sites and keep your OS up to date, you can at least minimize the likelihood of the SinkClose flaw being exploited. ®