Conversation
:afire: Third Man :afire: (anonaccount@poa.st)'s status on Sunday, 11-Aug-2024 16:23:35 JST :afire: Third Man :afire: >AMD is warning about a high-severity CPU vulnerability named SinkClose that impacts multiple generations of its EPYC, Ryzen, and Threadripper processors. The vulnerability allows attackers with Kernel-level (Ring 0) privileges [that is, device drivers] to gain Ring -2 privileges and install malware that becomes nearly undetectable.
>Ring -2 is one of the highest privilege levels on a computer, running above Ring -1 (used for hypervisors and CPU virtualization) and Ring 0, which is the privilege level used by an operating system's Kernel.
>The Ring -2 privilege level is associated with modern CPUs' System Management Mode (SMM) feature. SMM handles power management, hardware control, security, and other low-level operations required for system stability.
>Due to its high privilege level, SMM is isolated from the operating system to prevent it from being targeted easily by threat actors and malware.
>Tracked as CVE-2023-31315 and rated of high severity (CVSS score: 7.5), the flaw was discovered by IOActive's Enrique Nissim and Krzysztof Okupski, who named the privilege elevation attack 'Sinkclose.'
>Full details about the attack will be presented by the researchers tomorrow in a DefCon talk titled "AMD Sinkclose: Universal Ring-2 Privilege Escalation."
>The researchers report that Sinkclose has passed undetected for almost 20 years, impacting a broad range of AMD chip models.
>Ring -2 is isolated and invisible to the OS and hypervisor, so any malicious modifications made on this level cannot be caught or remediated by security tools running on the OS.
>Okupski told Wired that the only way to detect and remove malware installed using SinkClose would be to physically connect to the CPUs using a tool called a SPI Flash programmer and scan the memory for malware.
Access to Ring 0 on Windows is trivial:
>[...] Advanced Persistent Threat (APT) actors, like the North Korean Lazarus group, have been using BYOVD (Bring Your Own Vulnerable Driver) techniques or even leveraging zero-day Windows flaws to escalate their privileges and gain kernel-level access.
>Ransomware gangs also use BYOVD tactics, employing custom EDR killing tools they sell to other cybercriminals for extra profits.
>The notorious social engineering specialists Scattered Spider have also been spotted leveraging BYOVD to turn off security products.
>These attacks are possible via various tools, from Microsoft-signed drivers, anti-virus drivers, MSI graphics drivers, bugged OEM drivers, and even game anti-cheat tools that enjoy kernel-level access.
Which lucky Russian / Chinese state APT group will pounce on this to create another bootkit?
bleepingcomputer.com/news/security/new-amd-sinkclose-flaw-helps-install-nearly-undetectable-malware/
:btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Sunday, 11-Aug-2024 16:23:50 JST :btrfly: anime graf mays 🛰️🪐 @anonaccount @j @p
pistolero (p@fsebugoutzone.org)'s status on Sunday, 11-Aug-2024 16:23:50 JST pistolero @graf @anonaccount @j goddammit
backdoors_protection.jpg
pistolero (p@fsebugoutzone.org)'s status on Sunday, 11-Aug-2024 16:24:10 JST pistolero @graf @anonaccount @j I just realized: KVM is Ring-0 and Frantech is all EPYC, and this vulnerability is unpatchable. How does any VPS provider that has AMD gear deal with this?
Sir ReadyKilowatt (readykilowatt@noauthority.social)'s status on Sunday, 11-Aug-2024 16:33:46 JST Sir ReadyKilowatt You have to convince your boss that this is the Internet and everything's working as designed...
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Sunday, 11-Aug-2024 16:34:20 JST † top dog :pedomustdie: @p @j @anonaccount @graf Happy I am fully Intel...
heh.png
pistolero (p@fsebugoutzone.org)'s status on Sunday, 11-Aug-2024 16:38:35 JST pistolero @dcc @anonaccount @graf @j
> Happy I am fully Intel...
KASLR disagrees.
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Sunday, 11-Aug-2024 16:40:12 JST † top dog :pedomustdie: @p @j @anonaccount @graf WE MUST ALL USE RISC-V
1636330811762.gif
pistolero (p@fsebugoutzone.org)'s status on Sunday, 11-Aug-2024 16:43:34 JST pistolero @dcc @anonaccount @graf @j :xismug: Exactly as planned.
Phantasm (phnt@fluffytail.org)'s status on Sunday, 11-Aug-2024 17:30:25 JST Phantasm @p @j @anonaccount @graf It's already fixed for some EPYC and desktop CPUs. The patch requires a BIOS flash or a microcode update to prevent the infection (not fix it).
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html
One article I read also implies that the malware has to be loaded during boot for the exploit to work which should be preventable with secure boot.
pistolero (p@fsebugoutzone.org)'s status on Sunday, 11-Aug-2024 17:31:12 JST pistolero @phnt @anonaccount @graf @j
> The patch requires a BIOS flash or a microcode update
Reasonable.
> One article I read also implies that the malware has to be loaded during boot
Guess we'll have to wait; it sounds like anyone with Ring-0 can do it if they're talking about infected drivers triggering the vulnerability. You don't need to care about which ring you're in if you can intercept the boot process, so it would be a nothingburger if that's the case.
waffle (house@annihilation.social)'s status on Monday, 12-Aug-2024 02:26:26 JST waffle @dcc @p @anonaccount @graf @j definitely yeah
20240811_094344.jpg
тняэдт™ (threat@ryona.agency)'s status on Monday, 12-Aug-2024 03:47:16 JST тняэдт™ @dcc @j @p @anonaccount @graf it's going to be a bit, dcc. Until then, just enjoy the ride and if you smell donuts, it's the NSA cuddling with your IME.
EconomicMigrant (economic_hitman@shitposter.world)'s status on Monday, 12-Aug-2024 04:32:14 JST EconomicMigrant @p @j @anonaccount @graf I thought Ring 0 was the highest privilege!
pistolero (p@fsebugoutzone.org)'s status on Monday, 12-Aug-2024 04:32:45 JST pistolero @j @phnt @anonaccount @graf
> Even then a VM shouldn't have ring-0.
The point of hypervisors living at -1 is to allow VMs at 0. KVM runs at Ring 0.
Jake (formerly sjw) :lain_sneed: (j@bae.st)'s status on Monday, 12-Aug-2024 04:32:46 JST Jake (formerly sjw) :lain_sneed: @phnt @p @anonaccount @graf Even then a VM shouldn't have ring-0. You'd have to find a way to break out of the VM and also escalate privileges. I'm not saying it's impossible.
It's hard to say how big of a threat this is without more info.
It's likely a way bigger issue for Windows users. Not out of the ordinary to run stuff downloaded from websites as administrator on that OS.
:btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Monday, 12-Aug-2024 04:32:47 JST :btrfly: anime graf mays 🛰️🪐 @p @phnt @j @anonaccount I told the guy who owns our ISP about it the other day and he said it's not a concern for them 🛌🏻
Phantasm (phnt@fluffytail.org)'s status on Monday, 12-Aug-2024 04:32:47 JST Phantasm @graf @j @p @anonaccount Makes sense, it's probably a concern only for VPS and server providers that effectively allow running any code on their machines. If company systems get infected by this, it was game over long before that.