AMD won't patch all chips affected by severe data theft vulnerability — older Ryzen models will not get patched for 'Sinkclose' [Updated]
AMD says some chips fall outside of the software support window.
Edit 8/12/2024 4:45am PT: The researchers who discovered the flaw in AMD's chips contend that the vulnerability impacts all AMD chips extending back to 2006. However, AMD has not listed Ryzen and Threadripper 1000 and 2000 and other previously released products as impacted by the vulnerability. We are following up for further details regarding the disparity.
AMD processors dating back to 2006, reportedly numbering in the hundreds of millions of chips, suffer from a major security flaw that allows attackers to infiltrate a system virtually undetected. AMD Product Security has since released updates for several processor families to mitigate this issue, but not all of them will be covered. According to a statement given to Tom's Hardware, AMD said, "There are some older products that are outside our software support window." AMD has no plans to update its older Ryzen 3000 series processors, and it is possible that the vulnerability extends back further than the processors listed in AMD's advisory. We're following up for more details.
Nevertheless, most of AMD's recent processors have already received mitigation options to deal with the issue. This includes all generations of AMD's EPYC processors for the data center, the latest Threadripper, and Ryzen processors. Its MI300A data center chips are also getting the patch. The company said there is "No performance impact expected" when asked about the consequences of the update. Thus, the company is likely still doing performance tests to fully assess patch impacts on overall system performance.
These are all the AMD chips that are expected to have, or already have, the security patch available:
| Data Center | Embedded | Desktop | HEDT | Workstation | Mobile |
|---|---|---|---|---|---|
| 1st Gen AMD EPYC (Naples) | AMD EPYC Embedded 3000 | AMD Ryzen 5000 Series (Vermeer/Cezanne) | AMD Ryzen Threadripper 3000 Series (Castle Peak) | AMD Ryzen Threadripper PRO (Castle Peak) | AMD Athlon 3000 Series with Radeon Graphics (Dali/Pollock) |
| 2nd Gen AMD EPYC (Rome) | AMD EPYC Embedded 7002 | AMD Ryzen 7000 Series (Raphael) X3D | AMD Ryzen Threadripper 7000 Series (Storm Peak) | AMD Ryzen Threadripper PRO 3000WX (Chagall) | AMD Ryzen 3000 Series with Radeon Graphics (Picasso) |
| 3rd Gen AMD EPYC (Milan/Milan-X) | AMD EPYC Embedded 7003 | AMD Ryzen 4000 Series with Radeon Graphics (Renoir) | | | AMD Ryzen 4000 Series with Radeon Graphics (Renoir) |
| 4th Gen AMD EPYC (Genoa/Genoa-X/Bergamo/Siena) | AMD EPYC Embedded 9003 | AMD Ryzen 8000 Series with Radeon Graphics (Phoenix) | | | AMD Ryzen 5000 Series with Radeon Graphics (Cezanne/Barcelo) |
| AMD Instinct MI300A | AMD Ryzen Embedded R1000 | | | | AMD Ryzen 6000 Series with Radeon Graphics (Rembrandt) |
| | AMD Ryzen Embedded R2000 | | | | AMD Ryzen 7020 Series with Radeon Graphics (Mendocino) |
| | AMD Ryzen Embedded 5000 | | | | AMD Ryzen 7030 Series with Radeon Graphics (Barcelo-R) |
| | AMD Ryzen Embedded 7000 | | | | AMD Ryzen 7035 Series with Radeon Graphics (Rembrandt-R) |
| | AMD Ryzen Embedded V1000 | | | | AMD Ryzen 7040 Series with Radeon Graphics (Phoenix) |
| | AMD Ryzen Embedded V2000 | | | | AMD Ryzen 7045 Series (Dragon Range) |
| | AMD Ryzen Embedded V3000 | | | | AMD Ryzen with Radeon Graphics (Hawk Point) |
These are all the chips that are flagged to receive an update so far, and the list covers most of the recent processors. However, you'll notice that several older processors, which are nonetheless popular with consumers, are not included in this list. These include the Ryzen 3000 chips. The latest Ryzen 9000 and Ryzen AI 300 series processors are also not included in the list, but these newly-released models might have had this vulnerability already addressed from the factory. We're following up for clarity.
Attackers need to access the system kernel to exploit the Sinkclose vulnerability, so the system would have to already be compromised. The hack itself is a sophisticated vector that is usually only used by state-sponsored hackers, so most casual users should take that into account.
Nevertheless, all Ryzen Embedded and EPYC Embedded systems will receive an update to patch the vulnerability. This is because most embedded machines are designed to run in the background 24/7 with little to no human intervention for several years, meaning they can be used as attack vectors if not updated properly.
But even if you don't have state secrets stashed in your personal computer, we still recommend updating your chips if you receive an update from AMD. That way, you ensure that you're protected and won't lose your data, even if the Sinkclose vulnerability becomes more widely used.
Jowi Morales is a tech enthusiast with years of experience working in the industry. He’s been writing with several tech publications since 2021, where he’s been interested in tech hardware and consumer electronics.
-Fran-
"AMD processors dating back to 2006 reportedly suffer from a major security flaw that allows attackers to infiltrate a system virtually undetectable."
"Attackers need to access the system kernel to exploit the Sinkclose vulnerability"
If you already have access to the Kernel, this exploit is kind of a nothing-burger.
/facepalm
Regards...?
CelicaGT
While I'm personally no expert on these particular matters, it has been made clear to me by someone who is, that this is of little consequence for the home user as it requires an extremely complex, targeted attack. No one is going to be collateral damage and this is the main reason AMD isn't too concerned with patching older, consumer level machines. For us, the risk is basically nil.
Li Ken-un
> -Fran- said: If you already have access to the Kernel, this exploit is kind of a nothing-burger.

I’d imagine this includes scenarios like booting into a USB stick. The OS on the USB stick is compromised, and either you had to turn secure boot off to use it (e.g., Ventoy) or the compromise did not affect secure boot verification. In either case, you’d have a deeply buried rootkit and your main installed OS wasn’t involved at all. All that had to be done was to boot your computer with an already prepared vector of infection.
Gururu
Nothing wrong with believing it is a true vulnerability from a homeland security perspective. If I had an AMD though, I wouldn't worry about it much since the dark web already has my social security LOL c/o the banking, credit and healthcare industries.
Amdlova
AMD Ryzen 1xxx 2xxx are so problematic, AMD tries hard to hide these CPUs.
AMD doesn't want to patch these CPUs because of all the EPYC CPUs out there. AMD wants piles of e-waste.
tamalero
> Li Ken-un said: I’d imagine this includes scenarios like booting into a USB stick. The OS on the USB stick is compromised, and either you had to turn secure boot off to use it (e.g., Ventoy) or the compromise did not affect secure boot verification. In either case, you’d have a deeply buried rootkit and your main installed OS wasn’t involved at all. All that had to be done was to boot your computer with an already prepared vector of infection.

That still needs someone to have access to your system in the first place. And to have credentials to boot it and have time to do all the things you mentioned.
Makaveli
> Amdlova said: AMD Ryzen 1xxx 2xxx are so problematic, AMD tries hard to hide these CPUs.
> AMD doesn't want to patch these CPUs because of all the EPYC CPUs out there. AMD wants piles of e-waste.

Don't know if that is it.
Most enterprises would be on support contracts with their server\workstations. And those machines are old enough that they would have been swapped out for something newer years ago. A lot of companies will do a hardware refresh at like 3-5 years depending on contract.
rluker5
> -Fran- said: "AMD processors dating back to 2006 reportedly suffer from a major security flaw that allows attackers to infiltrate a system virtually undetectable."
> "Attackers need to access the system kernel to exploit the Sinkclose vulnerability"
> If you already have access to the Kernel, this exploit is kind of a nothing-burger.
> /facepalm
> Regards...?

Drivers often have access to the kernel.
Videocardz could infect the masses. Well at least whoever gets updated drivers from there.
At least Windows prompts you before you install something.
spongiemaster
> -Fran- said: "AMD processors dating back to 2006 reportedly suffer from a major security flaw that allows attackers to infiltrate a system virtually undetectable."
> "Attackers need to access the system kernel to exploit the Sinkclose vulnerability"
> If you already have access to the Kernel, this exploit is kind of a nothing-burger.
> /facepalm
> Regards...?

2nd hand market. Early generation Zen CPUs you're 99.99% likely to be buying them used. Do you know where that system has been?
SonoraTechnical
Really disappointed in Tom's Hardware on this one... It's a sensationalistic headline for generating clicks. You are overstating a threat that's actually never been implemented.
Keep this kind of reporting up and I'll just get my news elsewhere.