AMD won’t patch Sinkclose security bug on older Zen CPUs

Some AMD processors dating back to 2006 have a security vulnerability that's a boon for particularly underhand malware and rogue insiders, though the chip designer is only patching models made since 2020. The flaw was discovered by the folks at infosec services outfit IOActive, and tracked as CVE-2023-31315 aka SinkClose. It's …

  1. Piro Silver badge

    Until Steve Burke makes a video slagging them off, that is

    They've already got the patch code deployed on Epyc.

  2. Blazde Silver badge
    Meh

    End of security updates?

    Ouch. Some of those Zen 2 chips only launched 49 months ago. It's not very long ago that they stopped being sold through direct channels and there are still plenty of new ones knocking around on Amazon marketplace etc. (For comparison, AMD's own EU sales site currently sells a chip launched 45 months ago - the 5800X).

    We have to start shopping around for CPU security update commitments, like with phones. What do Intel offer?

    (So much more painful because the Zen 2 is such a fantastic architecture. I figured they could finally be something to rival the longevity of the mighty Core 2)

    1. Glenn Hunt

      Re: End of security updates?

      Yeah, this definitely sucks. I have a box running the Ryzen 9 3900XT - released 49 months ago. Can't believe it won't get patched.

  3. Who-me

    How long have they had to get this right, and they're still dropping clangers like this? Let's be realistic. If manufacturers can't build a secure system by now then they never will be able to. It's time for a complete rethink on security.

    1. Nate Amsden

      Having it be super secure is also bad for many. I think most techies would prefer having more control over their devices and not be locked down and somewhat powerless.

      It's part of the appeal of open source and linux and PCs in general vs more locked systems like game consoles, mobile phones etc.

      It's really hard to provide a (truly) secure, open system. Perhaps impossible.

      Never having a known compromise of any system of mine since the 90s and the [STONED] virus, I don't care about this kind of security thing. It's super unlikely that I'd ever be impacted by it. Same reason I didn't apply patches for meltdown/spectre and specifically disable the fixes in the linux kernel.

      Don't forget that there will always be some new vulnerability around the corner.

      If you are in the unlucky position of being an at risk target then I feel for you.

      I suspect the vast majority of servers out there at least are VMs which I assume should lower the attack surface as you'd have to compromise the host in order to do anything with the firmware.

      Been running Internet connected services since 1996.

    2. The Dogs Meevonks Silver badge

      AMD have shot themselves in the foot so many times with 'new' releases that they have no toes left...so why do you think they'd 'do the right thing' with this

      Meanwhile, Intel has shot themselves so many times with botched releases and so forth... they're a quadriplegic.

  4. williamyf

    In principle, Microsoft could (and should) twist AMD's (figurative) nipples and make them fix every chip AMD themselves deemed adequate for Win11.

    Part of the dealio for a chip to qualify for Win11 was a compromise from AMD (and Intel) to supply drivers support and security fixes for said products.

    That's how we ended up at Win11 launch with Intel's 8th gen onwards and AMD's 2nd gen Ryzen...

    So, AMD, get patching, before big bad microsoft comes for you...

    1. druck Silver badge

      Microsoft doesn't care, and if you are running Windows, you've got far bigger problems than this to worry about.

    2. The Dogs Meevonks Silver badge

      2nd gen ryzen is only the 3xxx series.... the 2xxx series was Zen+...

  5. This post has been deleted by its author

    1. Who-me

      "In defense of AMD...". Do you work for them or something?

      So it's OK for a manufacturer to churn out badly designed c**p, so long as they can get it to the end of a 12 month warranty? And what do you mean by warranty anyway? The last one ever sold or the one you bought? Have you stopped to think that if security support was limited to warranty, it's going to cost you a fortune replacing stuff every five minutes? What complete nonsense.

  6. chasil

    Intel spectre/meltdown microcode

    My Dell R710 server is running an X5675, released Q1'11. RHEL9 applies a microcode update:

    # dmesg | head -1

    [ 0.000000] microcode: microcode updated early to revision 0x1f, date = 2018-05-08

    The spectre-meltdown-checker.sh script reports:

    CPU microcode is the latest known available version: YES

    (latest version is 0x1f dated 2018/05/08 according to builtin firmwares DB v296+i20240514+988c)

    It seems as if Intel is more indulgent with these updates than is AMD.
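The check described in the post above, turned into a small script (an added example, not chasil's own commands or the spectre-meltdown-checker project's code): it pulls the microcode revision and date out of the kernel's boot line and compares the revision with a known-latest value. The log line and the "latest" revision 0x1f are taken from the post; the function names are assumptions.

```shell
#!/bin/sh
# Added example: parse the kernel's microcode boot message and compare the
# loaded revision with a known-latest one. The sample line below is
# constructed after the dmesg output quoted in the post; on a live box,
# replace it with:  dmesg | grep -m1 'microcode updated early'
SAMPLE_DMESG='[    0.000000] microcode: microcode updated early to revision 0x1f, date = 2018-05-08'

# Known-latest revision for this CPU model, as reported by
# spectre-meltdown-checker in the post (assumed value for the example).
LATEST_REV='0x1f'

# Print the loaded revision (e.g. 0x1f) from the first matching line, or nothing.
parse_microcode_rev() {
    printf '%s\n' "$1" \
        | sed -n 's/.*microcode updated early to revision \(0x[0-9a-fA-F]*\),.*/\1/p' \
        | head -n 1
}

# Print the microcode build date (YYYY-MM-DD) from the same line, or nothing.
parse_microcode_date() {
    printf '%s\n' "$1" \
        | sed -n 's/.*date = \([0-9][0-9-]*\).*/\1/p' \
        | head -n 1
}

# Compare two hex revisions numerically.
# Prints "current", "outdated" or "unknown" (when either value is missing).
microcode_status() {
    have="$1"
    latest="$2"
    if [ -z "$have" ] || [ -z "$latest" ]; then
        echo unknown
        return
    fi
    if [ "$((have))" -ge "$((latest))" ]; then
        echo current
    else
        echo outdated
    fi
}

# One-line human-readable report for a dmesg line; returns the status word.
report_microcode() {
    line="$1"
    latest="$2"
    rev="$(parse_microcode_rev "$line")"
    date="$(parse_microcode_date "$line")"
    status="$(microcode_status "$rev" "$latest")"
    echo "microcode revision ${rev:-?} (date ${date:-?}), latest known ${latest}: ${status}"
    echo "$status"
}

# Stand-alone run against the constructed sample.
report_microcode "$SAMPLE_DMESG" "$LATEST_REV" | head -n 1
```

The numeric comparison uses the shell's arithmetic expansion, which understands the 0x prefix, so a revision such as 0x20 correctly counts as newer than 0x1f even though it sorts earlier as a string. "unknown" covers a kernel that logged no microcode line at all (for example, when no update was applied), which is the case worth flagging rather than silently treating as current.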

    1. Steve Jackson

      Re: Intel spectre/meltdown microcode

      Looks about right. Intel *usually* EOL chips 7-8 years after release.

      Skylake and Kaby Lake were ending a bit prematurely but a microcode update for Kaby Lake has dropped in my inbox this morning.

      Think this decision was them being the wrong side of MS cut off for W11, who knows?

      The Spectre cut off reasons were “impossible / too hard” and severe performance penalties AIUI.

  7. TrevorH

    The link to the AMD CVE details page has changed since I looked at it when this article was first published. It now says under "Ryzen 3000 Series Desktop" "(Target 2024-08-20)" so that looks to me like it is being fixed for the 3x00X series after all.

    1. TrevorH

      Desktop Ryzen 3000 series now showing a fix version of:

      ComboAM4PI

      1.0.0ba

      (2024-08-16)
