:afire: palingenetic man :afire: (anonaccount@poa.st)'s status on Sunday, 11-Aug-2024 04:50:41 JST
>AMD is warning about a high-severity CPU vulnerability named SinkClose that impacts multiple generations of its EPYC, Ryzen, and Threadripper processors. The vulnerability allows attackers with Kernel-level (Ring 0) privileges [that is, device drivers] to gain Ring -2 privileges and install malware that becomes nearly undetectable.
>Ring -2 is one of the highest privilege levels on a computer, running above Ring -1 (used for hypervisors and CPU virtualization) and Ring 0, which is the privilege level used by an operating system's Kernel.
>The Ring -2 privilege level is associated with modern CPUs' System Management Mode (SMM) feature. SMM handles power management, hardware control, security, and other low-level operations required for system stability.
>Due to its high privilege level, SMM is isolated from the operating system to prevent it from being targeted easily by threat actors and malware.
>Tracked as CVE-2023-31315 and rated of high severity (CVSS score: 7.5), the flaw was discovered by IOActive's Enrique Nissim and Krzysztof Okupski, who named the privilege elevation attack 'Sinkclose.'
>Full details about the attack will be presented by the researchers tomorrow in a DefCon talk titled "AMD Sinkclose: Universal Ring-2 Privilege Escalation."
>The researchers report that Sinkclose has passed undetected for almost 20 years, impacting a broad range of AMD chip models.
>Ring -2 is isolated and invisible to the OS and hypervisor, so any malicious modifications made on this level cannot be caught or remediated by security tools running on the OS.
>Okupski told Wired that the only way to detect and remove malware installed using SinkClose would be to physically connect to the CPUs using a tool called a SPI Flash programmer and scan the memory for malware.
Access to Ring 0 on Windows is trivial:
>[...] Advanced Persistent Threat (APT) actors, like the North Korean Lazarus group, have been using BYOVD (Bring Your Own Vulnerable Driver) techniques or even leveraging zero-day Windows flaws to escalate their privileges and gain kernel-level access.
>Ransomware gangs also use BYOVD tactics, employing custom EDR killing tools they sell to other cybercriminals for extra profits.
>The notorious social engineering specialists Scattered Spider have also been spotted leveraging BYOVD to turn off security products.
>These attacks are possible via various tools, from Microsoft-signed drivers, anti-virus drivers, MSI graphics drivers, bugged OEM drivers, and even game anti-cheat tools that enjoy kernel-level access.
Which lucky Russian / Chinese state APT group will pounce on this to create another bootkit?
bleepingcomputer.com/news/security/new-amd-sinkclose-flaw-helps-install-nearly-undetectable-malware/
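The quoted article says the only way to detect an SMM implant of this kind is to read the SPI flash with an external programmer and scan what you get. The script below is an added example (mine, not the poster's and not from the BleepingComputer article or IOActive) of the scanning half of that: it compares a captured flash dump against a known-good reference image sector by sector and reports the offset ranges that differ. The 4 KiB sector size, the 64 KiB image size, the deterministic "vendor" image and the tampered copy are all constructed assumptions so the example runs offline; on real hardware you would feed it the vendor's stock image and the dump from the programmer.

```python
import hashlib

# SPI NOR sector size; an assumption for this example, typical for many flash parts.
SECTOR = 4096


def sha256_hex(data: bytes) -> str:
    """Hash of a whole image, handy for comparing against a vendor-published digest."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, captured: bytes, sector: int = SECTOR):
    """Return a list of (start, end) byte ranges, sector-aligned, where the
    captured dump differs from the reference image. Adjacent differing
    sectors are merged into one range. A size mismatch is a hard failure:
    the programmer read a different chip, a partial image, or the wrong
    region, and a byte-for-byte comparison would be meaningless."""
    if len(reference) != len(captured):
        raise ValueError(
            f"image size mismatch: reference {len(reference)} bytes, "
            f"captured {len(captured)} bytes"
        )
    regions = []
    start = None
    for off in range(0, len(reference), sector):
        same = reference[off:off + sector] == captured[off:off + sector]
        if not same and start is None:
            start = off                      # first sector of a differing run
        elif same and start is not None:
            regions.append((start, off))     # close the run at this boundary
            start = None
    if start is not None:
        regions.append((start, len(reference)))
    return regions


def make_reference(size: int = 64 * 1024) -> bytes:
    """Constructed deterministic image standing in for the vendor's stock firmware."""
    return bytes((i * 7 + (i >> 8)) & 0xFF for i in range(size))


def make_tampered(reference: bytes) -> bytes:
    """Constructed 'captured' dump: the reference with 16 bytes overwritten at 0x3000."""
    img = bytearray(reference)
    img[0x3000:0x3010] = b"\x90" * 16
    return bytes(img)


def report(reference: bytes, captured: bytes) -> dict:
    """Summary a practitioner would log alongside the physical dump."""
    regions = diff_regions(reference, captured)
    return {
        "reference_sha256": sha256_hex(reference),
        "captured_sha256": sha256_hex(captured),
        "identical": not regions,
        "regions": [f"0x{s:06x}-0x{e:06x}" for s, e in regions],
    }


if __name__ == "__main__":
    ref = make_reference()
    dump = make_tampered(ref)
    for k, v in report(ref, dump).items():
        print(f"{k}: {v}")
```

Differing sectors are not automatically malicious: regions that the firmware itself writes at runtime (NVRAM variables, event logs, ME or PSP data areas) will differ between a stock image and a dump from a machine that has booted, so the ranges this reports have to be mapped against the image's region layout before anything in them is declared an implant. What the comparison does give you is a short list of places to look instead of a whole flash chip.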