Though AMD has released security updates to address the “Sinkclose” vulnerability in its processors, some of its older and still-popular chips will not be receiving patches. The flaw, disclosed by researchers from security firm IOActive, affects processors dating back to 2006 and could allow attackers to infiltrate systems undetected.
While AMD has rolled out mitigation options for most of its recent processors, including all generations of EPYC data center processors, the latest Threadripper models, and Ryzen processors, the company has decided not to extend these updates to its Ryzen 1000, 2000, and 3000 series processors or its Threadripper 1000 and 2000 models.
These older chips, though still in use by many consumers, will remain vulnerable. The decision not to patch older chips raises questions about the security of systems still running these processors.
“AMD’s decision to exclude older processors from the ‘Sinkclose’ vulnerability patch risks damaging customer trust and brand loyalty,” said Arjun Chauhan, senior analyst at Everest Group. “Enterprises using these still-popular chips may feel neglected, leading to dissatisfaction and potentially driving them to consider competitors who offer longer support lifecycles.”
Notably, AMD’s recently released Ryzen 9000 and Ryzen AI 300 series processors are not included in the update list, though it is believed that these models may have had the vulnerability addressed at the factory.
For users of AMD’s older processors, the company recommends taking standard security precautions, though the absence of a patch may leave some systems more exposed to potential threats. Despite the sophisticated nature of the “Sinkclose” exploit, which typically requires access to the system kernel and is often associated with state-sponsored hackers, users are advised to stay vigilant.
“Unpatched older AMD processors that are highly vulnerable to attacks can escalate privileges to the most privileged system level and that can be troublesome for enterprises,” Chauhan said. “Since the vulnerability can survive OS reinstalls and bypass traditional security measures, it puts sensitive data and system integrity at risk. The compromise of Secure Boot and other security features can potentially lead to severe operational disruptions, data breaches, and increased maintenance costs for enterprises.”
“While this is a significant vulnerability, hackers need kernel-level access which won’t be easy except for sophisticated hackers, making the overall implication minimal for now,” said Neil Shah, VP for research and partner at Counterpoint Research.
“This should give AMD some plan to strategize and offer some upgrade solutions with OEM and channel partners for systems where it might not be technically feasible or viable to offer a firmware patch,” he said.
What could be the implications?
The vulnerability, termed AMD Sinkclose by IOActive, is classified as high severity. It enables a privilege escalation from ring 0 (the OS kernel) to ring -2, the most privileged execution level on a computer.
Though the bug has been present in AMD chips for over a decade, it has not been exploited yet, or at least no such incidents have been reported. Its public disclosure, however, gives bad actors a known target. To make matters worse, the company is not offering patches for all vulnerable systems.
“This perception of inadequate security support could result in negative press and erode AMD’s standing in the market, especially when AMD is making significant progress with its cost-effective confidential computing capable processors,” said Chauhan.
“Moreover,” Chauhan pointed out, “AMD could face legal implications if unpatched vulnerabilities lead to significant damages, particularly in the European region. To mitigate this, AMD will need to communicate transparently and possibly offer solutions for affected users.”
“Additionally,” Chauhan said, “the continued usage of these processors may result in compliance-related challenges and significant financial losses due to the fallout from potential breaches. The inability to patch these systems creates an ongoing risk, leaving them exposed to sophisticated attacks that can cause long-term damage.”
As the cybersecurity landscape continues to evolve, AMD’s decision highlights the challenges of maintaining security across a broad and diverse product range, particularly as older hardware remains in active use.