“Zenbleed” vulnerability puts AMD Ryzen users at risk of data theft

Written by Techbot


Why it matters: A new vulnerability has been discovered that affects the entirety of AMD’s Zen 2 processor line, including the Ryzen 3000/4000/5000 CPUs and the Epyc enterprise processors. Called Zenbleed, the exploit can be used to steal sensitive data such as passwords and encryption keys. Most worrying of all, attacks can be carried out remotely.

Google security researcher Tavis Ormandy reported Zenbleed (CVE-2023-20593) to AMD on May 15 before revealing its details this week. As we’ve seen with previous similar attacks like Spectre and Meltdown, it takes advantage of the speculative execution technique used by modern processors to optimize their performance. Zenbleed is closer to the more easily exploitable Meltdown than to Spectre.

Zenbleed works by manipulating the register file to force a mispredicted instruction. As Ormandy explains:

“The bug works like this, first of all you need to trigger something called the XMM Register Merge Optimization, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work.”

“We now know that basic operations like strlen, memcpy and strcmp will use the vector registers – so we can effectively spy on those operations happening anywhere on the system!”

“This works because the register file is shared by everything on the same physical core. In fact, two hyperthreads even share the same physical register file.”

Cloudflare specifies that the vulnerability is caused by a register not being written to 0 correctly under specific microarchitectural circumstances. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.

The company adds that while the error is associated with speculative execution, it is not a side-channel vulnerability. It adds that the attack can be executed remotely through JavaScript on a website, meaning that the attacker need not have physical access to the computer or server.

The vulnerability allows the pilfering of data at speeds of 30KB per second per core, fast enough to monitor encryption keys and passwords as users log in. It can steal data from any software running on the system, including virtual machines, sandboxes, containers, and processes. As Tom’s Hardware notes, its ability to read data across virtual machines will be especially concerning for cloud service providers and their customers.

AMD says in a security advisory that it has already released a microcode patch for its second-generation Epyc 7002 processors, but many of the updates for the other Zen 2 CPUs aren’t arriving until between October and December. Moreover, AMD says the performance impact resulting from the update will vary depending on workload and system configuration.

Ormandy recommends that Zen 2 users obtain and apply AMD’s microcode update. He has also provided a software workaround that involves setting a control bit to disable some of the processor’s functionality, which prevents exploitation. It may impact system performance, but it’s better to be safe than sorry until the updates arrive.
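As an added example (not code from the article, AMD or Ormandy), here is a Python check an administrator could run over host inventory data to flag Zen 2 machines and report whether the control-bit workaround is in place. The Zen 2 family/model ranges, the MSR address and the bit number are taken from the Linux kernel’s public mitigation code and Ormandy’s writeup, not from this article; treat them as assumptions to verify against AMD’s advisory.

```python
import re

# Zen 2 identification as used by the Linux kernel's Zenbleed mitigation:
# family 0x17 with these model ranges (Rome/Castle Peak, Renoir, Lucienne,
# Matisse, Mendocino). Values are assumptions taken from public kernel code.
ZEN2_FAMILY = 0x17
ZEN2_MODEL_RANGES = ((0x30, 0x3F), (0x60, 0x67), (0x68, 0x6F), (0x70, 0x7F), (0xA0, 0xAF))

# Software workaround described in Ormandy's writeup: set the "chicken bit"
# (bit 9) in MSR_AMD64_DE_CFG (0xC0011029). Assumed values; verify with AMD.
MSR_AMD64_DE_CFG = 0xC0011029
ZEN2_FP_BACKUP_FIX_BIT = 9


def parse_cpuinfo(text):
    """Return (vendor, family, model) for the first processor block of /proc/cpuinfo text."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the first processor block
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return (fields.get("vendor_id", ""),
            int(fields.get("cpu family", "-1")),
            int(fields.get("model", "-1")))


def is_zen2(vendor, family, model):
    """True when the CPU is in the Zen 2 family/model ranges affected by Zenbleed."""
    return (vendor == "AuthenticAMD" and family == ZEN2_FAMILY
            and any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES))


def workaround_active(de_cfg_value):
    """True when the control bit disabling the affected optimization is set."""
    return bool((de_cfg_value >> ZEN2_FP_BACKUP_FIX_BIT) & 1)


def assess(cpuinfo_text, de_cfg_value):
    """Summarise exposure for one host from its cpuinfo text and DE_CFG MSR value."""
    vendor, family, model = parse_cpuinfo(cpuinfo_text)
    zen2 = is_zen2(vendor, family, model)
    mitigated = zen2 and workaround_active(de_cfg_value)
    action = None if not zen2 else ("none" if mitigated else "apply microcode or set DE_CFG bit 9")
    return {"zen2": zen2, "workaround": mitigated, "action": action}


# Constructed sample: a Ryzen 3000 (Matisse, model 0x71 = 113) cpuinfo entry.
SAMPLE_CPUINFO = "processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 23\n" \
                 "model\t\t: 113\nmodel name\t: AMD Ryzen 7 3700X 8-Core Processor\n\nprocessor\t: 1\n"

if __name__ == "__main__":
    print(assess(SAMPLE_CPUINFO, 0x0))       # bit 9 clear: workaround not active
    print(assess(SAMPLE_CPUINFO, 1 << 9))    # bit 9 set: workaround active
```

On a live Linux host the MSR value would come from the msr-tools `rdmsr` utility; the check does not itself need root.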
