Tavis Ormandy, a researcher with Google Information Security, posted today about a new vulnerability he independently found in AMD's Zen 2 processors. The 'Zenbleed' vulnerability spans the entire Zen 2 product stack, including AMD's EPYC data center processors and the Ryzen 3000 CPUs, allowing the theft of protected information from the CPU, such as encryption keys and user logins. The attack does not require physical access to the computer or server and can even be executed via JavaScript on a webpage.
Ormandy says that AMD has issued a firmware fix for affected systems, and although signs of new firmware with unspecified changes did emerge for Linux today, we are unsure whether it contains the patches. AMD tells us that it will post an advisory about Zenbleed today, but it hasn't yet commented on the status of the patches. We also don't know whether the firmware patches have a performance impact, but we will update this article as we learn more.
[Update 9:15am PT: AMD told us that patches to prevent Zenbleed are available for its EPYC Rome processors, but hasn't said whether they are available for the impacted consumer Ryzen CPUs. AMD also hasn't given an ETA for patches for Ryzen chips or responded to our questions about potential performance impacts from the Zenbleed patches. We're still working to learn more.]
The Zenbleed vulnerability is filed as CVE-2023-20593 and allows data exfiltration (theft) at a rate of 30kb per core, per second, providing adequate throughput to steal sensitive information flowing through the processor. The attack works across all software running on the processor, including virtual machines, sandboxes, containers, and processes. The ability to read data across virtual machines is particularly threatening for cloud service providers and those who use cloud instances.
The attack can be accomplished via unprivileged arbitrary code execution. Ormandy has posted a security research repository and code for the exploit. The attack works by manipulating the register file to force a mispredicted instruction, as Ormandy describes below:
"The bug works like this: first of all, you need to trigger something called the XMM Register Merge Optimization, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work.
We now know that basic operations like strlen, memcpy and strcmp will use the vector registers - so we can effectively spy on those operations happening anywhere on the system! It doesn’t matter if they’re happening in other virtual machines, sandboxes, containers, processes, whatever!
This works because the register file is shared by everything on the same physical core. In fact, two hyperthreads even share the same physical register file," says Ormandy.
Ormandy says the bug can be worked around in software on multiple operating systems (for example, on Windows "you can set the chicken bit DE_CFG[9]"), but this might result in a performance penalty. Ormandy says it is highly recommended to get the microcode update, but we don't have details of firmware availability yet.
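As an added, defender-side example that is not from the article or from Ormandy's repository, the following POSIX shell script checks whether a Linux host is a Zen 2 part and whether the DE_CFG[9] chicken bit mentioned above is already set. The MSR address 0xC0011029 and the Zen 2 family/model ranges are assumptions, and the /proc/cpuinfo excerpts and MSR values at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example (not the article's or Ormandy's code): classify a host as
# Zen 2 from /proc/cpuinfo text and report whether DE_CFG[9] is set.
# Assumptions: MSR_AMD64_DE_CFG is MSR 0xC0011029; Zen 2 is family 23
# (0x17) with models 0x30-0x3f, 0x60-0x6f, 0x70-0x7f, 0xa0-0xaf.

cpuinfo_field() {   # cpuinfo_field TEXT KEY -> value of the first KEY line
    printf '%s\n' "$1" | awk -F: -v key="$2" \
        '$1 ~ ("^" key "[[:space:]]*$") { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

is_zen2() {         # is_zen2 TEXT -> exit 0 when TEXT describes a Zen 2 core
    [ "$(cpuinfo_field "$1" vendor_id)" = "AuthenticAMD" ] || return 1
    [ "$(cpuinfo_field "$1" "cpu family")" = "23" ] || return 1
    model=$(cpuinfo_field "$1" model)
    case $model in ''|*[!0-9]*) return 1 ;; esac   # not a decimal model number
    for range in 48:63 96:111 112:127 160:175; do  # assumed Zen 2 ranges, decimal
        lo=${range%:*}; hi=${range#*:}
        [ "$model" -ge "$lo" ] && [ "$model" -le "$hi" ] && return 0
    done
    return 1
}

de_cfg_bit9_set() { # de_cfg_bit9_set HEX (as printed by rdmsr) -> 0 if bit 9 set
    v=$(( 0x${1#0x} ))
    [ $(( v & (1 << 9) )) -ne 0 ]
}

zenbleed_status() { # zenbleed_status CPUINFO_TEXT DE_CFG_HEX -> one status word
    if ! is_zen2 "$1"; then
        printf '%s\n' not-zen2
    elif de_cfg_bit9_set "$2"; then
        printf '%s\n' zen2-de_cfg9-set
    else
        printf '%s\n' zen2-unmitigated
    fi
}

# Constructed sample inputs (not captured from a real machine).
ZEN2_CPUINFO=$(printf 'vendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 113\nmodel name\t: sample Ryzen 3000 part\n')
ZEN3_CPUINFO=$(printf 'vendor_id\t: AuthenticAMD\ncpu family\t: 25\nmodel\t\t: 33\n')
DE_CFG_CLEAR=2      # constructed rdmsr output, bit 9 clear
DE_CFG_SET=202      # constructed rdmsr output, bit 9 set

zenbleed_status "$ZEN2_CPUINFO" "$DE_CFG_CLEAR"   # zen2-unmitigated
zenbleed_status "$ZEN2_CPUINFO" "$DE_CFG_SET"     # zen2-de_cfg9-set
zenbleed_status "$ZEN3_CPUINFO" "$DE_CFG_CLEAR"   # not-zen2
# Live check (root, msr module loaded, msr-tools installed):
#   zenbleed_status "$(cat /proc/cpuinfo)" "$(rdmsr -p 0 0xc0011029)"
```

The MSR is per core, so on a real host repeat the rdmsr read for every core rather than only core 0.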
According to Ormandy, all Zen 2 CPUs are impacted, including the EPYC Rome processors:
- AMD Ryzen 3000 Series Processors
- AMD Ryzen PRO 3000 Series Processors
- AMD Ryzen Threadripper 3000 Series Processors
- AMD Ryzen 4000 Series Processors with Radeon Graphics
- AMD Ryzen PRO 4000 Series Processors
- AMD Ryzen 5000 Series Processors with Radeon Graphics
- AMD Ryzen 7020 Series Processors with Radeon Graphics
- AMD EPYC “Rome” Processors