[Vegenoid]

The Ryzen 3000 series ("matisse") is less than 5 years old, with the models coming out in late 2019 and 2020. To not issue a fix for those is very disappointing.

I just built a gaming PC with a Ryzen 3600. It is more than sufficient to run modern games with demanding graphics and performance. I now need to learn about this exploit. Yes, if someone gets the level of access required to exploit it I was pwned anyway, but now if I get pwned I need to open up my computer and throw away a perfectly powerful CPU, then put it back together with a new one.

That's pretty damn frustrating. It will definitely push me away from AMD when I am making future hardware decision.

EDIT: As pointed out by sqeaky and others, there shouldn't be a method for persistence that lives on the processor, instead it would likely be on the motherboard, or in the bootloader on a storage device.

[outworlder]

We need more details before claiming that the sky is falling. Many exploits that are theoretically possible have so many pre-requisites in practice that they don't matter. We need to see if that's the case here.

Intel CPUs have been self-destructing, so you need to throw away CPUs even if they aren't pwned. They have also had far more security vulnerabilities than AMD, some of them cannot be patched, and operating systems had to work around them. Heck, the Sinkclose name came from 'Sinkhole', which was an Intel vulnerability.

No manufacturer is perfect.

[Vegenoid]

Yes, fair enough. My hasty anger was emotionally driven because I just built a fairly powerful gaming computer with a Ryzen 3600, and because I am perpetually chafed by the hardware treadmill. I still think "no fix planned" for their CPUs that are widely used and <5 years old is ridiculous.

[gruez]

>but now if I get pwned I need to open up my computer and throw away a perfectly powerful CPU, then put it back together with a new one.

I don't think there's any indication that the exploit allows the CPU itself to be persistently infected.

[Vegenoid]

From the article:

> As a matter of fact, the researchers say that the code would likely survive a complete reinstallation of the operating system. The best option for infected computers would be a one-way ticket to the trash heap.

From the Wired article (https://www.wired.com/story/amd-chip-sinkclose-flaw/):

> In fact, for any machine with one of the vulnerable AMD chips, the IOActive researchers warn that an attacker could infect the computer with malware known as a “bootkit” that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity. For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot—which the researchers warn encompasses the large majority of the systems they tested—a malware infection installed via Sinkclose could be harder yet to detect or remediate, they say, surviving even a reinstallation of the operating system.

> Only opening a computer's case, physically connecting directly to a certain portion of its memory chips with a hardware-based programming tool known as SPI Flash programmer and meticulously scouring the memory would allow the malware to be removed, Okupski says. Nissim sums up that worst-case scenario in more practical terms: “You basically have to throw your computer away.”

Do you have differing information?

[sqeaky]

I have no information that conflicts with what you posted but none of that indicates that the CPU gets written to.

Consider that even things like CPU microcode don't get stored on the CPU, it's simply doesn't have persistent storage. CPU microcode is often applied early during OS boots and loaded into memory or CPU cache.

What you have quoted indicates something similar, perhaps the main board or other device with storage of some kind is being written to or perhaps an attacker could write a payload that lived entirely in the bootloader on the main storage.

[mjg59]

Not 100% true - a microcode-based CPU without microcode isn't able to execute anything, so CPUs will ship with an early version of the microcode that's then (as you say) updated during boot.

[sahmeepee]

So I believe this rules out a supply chain attack where someone buys a bunch of CPUs, infects them, repackages them and sells them as new.

If you can't do that, then this feels significantly less problematic.

[mjg59]

They could potentially do that to motherboards, but they could do that anyway (physical access would give you as much access to flash as this vulnerability does). But yes, CPUs should be fine in that respect.

[sqeaky]

But that doesn't persist through reboots, does it?

[mjg59]

Correct, the update has to be applied on every boot, but that doesn't mean there's no microcode in the CPU itself

[Vegenoid]

Appreciate the clarification, that makes sense. Maybe we'll get more details on potential persistence methods from the talk they'll give tomorrow: https://info.defcon.org/event/?id=54863

[outworlder]

Looks like the motherboard would have to be thrown away, not the CPU, even if the vulnerability was facilitated by the CPU.

> For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot

Seems like this actually requires two vulnerabilities, then?

[gruez]

That just sounds like they can install a rogue bootloader, bypass secureboot, or hide from the operating system by operating on a higher privilege level than it. I don't see how it can infect the CPU itself, or how the infection can persist after swapping out the hard drives.

[Sakos]

Jesus, that's catastrophic. They weren't kidding. "No fix planned" isn't acceptable.

[kmeisthax]

If you get code execution in SMM you can flash the BIOS on the motherboard. You'd be junking the mobo (unless it has one of those "BIOS Flashback" setups), not the CPU.