SinkClose, a high-severity AMD CPU vulnerability, allows attackers to install undetectable malware. Learn about the affected processors and mitigations

Continue reading
AMD has issued a warning about a critical vulnerability in its CPUs, dubbed SinkClose (CVE-2023-31315). This vulnerability affects a wide range of AMD processors, including EPYC, Ryzen, and Threadripper models. SinkClose enables attackers with kernel-level (Ring 0) privileges to escalate their privileges to Ring -2, the highest privilege level on a computer. This allows them to install malware that is virtually undetectable.
SMM is isolated from the operating system for security reasons, making Ring -2 highly privileged and difficult to access.
SinkClose allows attackers to modify System Management Mode (SMM) settings even when SMM Lock is enabled. This allows them to disable security features and install persistent malware at a level that is invisible to the operating system and security tools.
AMD has released mitigations for EPYC and Ryzen desktop and mobile CPUs. Fixes for embedded CPUs are expected to be released soon.
Exploiting SinkClose requires kernel-level access, which is not easily obtained. However, sophisticated attackers, such as state-sponsored actors and APT groups, have demonstrated the ability to gain kernel-level access through various techniques.
SinkClose poses a significant threat, especially to organizations using AMD-based systems. It is crucial to apply the available mitigations and remain vigilant against potential attacks.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.