Zenbleed: New vulnerability in AMD CPUs enables data theft

A security researcher from Google has discovered a new vulnerability in AMD processors based on the Zen 2 CPU architecture. AMD used this architecture for, among others, the Ryzen 3000 (Matisse), Threadripper 3000 (Castle Peak) and second-generation Epyc (Rome) CPUs. In later generations the manufacturer also repeatedly returned to this architecture for lower-performance CPU models, so newer product names do not rule out an affected core.

As Bleeping Computer reports, the cause of the vulnerability lies in the improper handling of the vzeroupper instruction (which zeroes the upper halves of the vector registers) during speculative execution, a technique modern processors use to increase throughput.

Zenbleed lets attackers steal passwords from AMD systems

According to Tavis Ormandy, who discovered the vulnerability, registered as CVE-2023-20593 and dubbed Zenbleed, it allows an attacker to harvest sensitive data, including keys and passwords, from a target system. Virtual machines and otherwise isolated containers are reportedly not protected from the attack either.

Although exploiting the vulnerability requires the ability to run code on the target computer and a high degree of specialist knowledge, the attack can be carried out regardless of the operating system used. In addition, exploitation is difficult to detect because the attacker needs neither elevated privileges nor special system calls. "I am not aware of any reliable techniques to detect exploitation," the researcher wrote in his report.

A high data rate should not be expected from a Zenbleed attack, however: Ormandy managed to extract about 30 KB of data per second per CPU core. That is nevertheless "fast enough to monitor encryption keys and passwords as users log in".

A microcode update is available

The Google researcher reported the vulnerability to AMD on May 15, 2023. On Monday (July 24) he published his write-up together with a Zenbleed exploit written for Linux systems. AMD has meanwhile provided a microcode update that closes the security gap. It remains to be seen when all mainboard manufacturers will offer a BIOS update containing the fix; where AMD distributes the new microcode through the operating system's microcode loader as well, as it does for Linux, the fix can arrive without a BIOS update.

For users who cannot yet apply the update, Ormandy offers a workaround: "You can set the chicken bit DE_CFG[9]." However, because this measure disables the affected CPU feature, a drop in performance is to be expected. The setting is also not persistent: an MSR write is lost on reboot and has to be re-applied on every boot until the microcode fix is installed.
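A small Linux helper script that ties the two practical points of this article together, the list of affected Zen 2 parts and the DE_CFG[9] workaround, added here as an example and not taken from the article or from Ormandy's advisory. It reports whether the machine runs a Zen 2 part, prints the microcode revision so it can be compared with AMD's fixed version, and, on request, sets the DE_CFG[9] chicken bit on every core with msr-tools. It assumes that DE_CFG is MSR 0xC0011029, that Zen 2 parts are CPUID family 23 (0x17) with the model ranges listed in the comments, and that rdmsr/wrmsr from msr-tools are installed; the /proc/cpuinfo sample used to exercise the parser is constructed.

```shell
#!/bin/sh
# Zenbleed (CVE-2023-20593) helper for Linux: identify Zen 2 parts and apply
# the DE_CFG[9] chicken-bit workaround until fixed microcode is installed.
# Added example; not code from the article or from Ormandy's advisory.
#
# Assumptions not stated in the article:
#   - DE_CFG is MSR 0xC0011029 on AMD parts.
#   - Zen 2 is CPUID family 0x17 (23) with models 0x30-0x3f (Rome, Castle Peak),
#     0x60-0x6f (Renoir), 0x70-0x7f (Matisse), 0x90-0xaf (Van Gogh, Mendocino).
#   - rdmsr/wrmsr from msr-tools are installed and the msr module is loaded.

DE_CFG_MSR=0xc0011029

# Print the value of one /proc/cpuinfo field (first CPU only) read from stdin.
# The key is matched exactly, so "model" does not also match "model name".
cpuinfo_field() {
    awk -F': ' -v key="$1" '$1 ~ "^"key"[ \t]*$" { print $2; exit }'
}

# Echo "yes" if the decimal family/model pair is a Zen 2 part, else "no".
is_zen2() {
    fam=$1; mod=$2
    [ "$fam" -eq 23 ] || { echo no; return 0; }
    if   [ "$mod" -ge 48  ] && [ "$mod" -le 63  ]; then echo yes   # 0x30-0x3f
    elif [ "$mod" -ge 96  ] && [ "$mod" -le 111 ]; then echo yes   # 0x60-0x6f
    elif [ "$mod" -ge 112 ] && [ "$mod" -le 127 ]; then echo yes   # 0x70-0x7f
    elif [ "$mod" -ge 144 ] && [ "$mod" -le 175 ]; then echo yes   # 0x90-0xaf
    else echo no; fi
}

# Echo "yes" if bit 9 is already set in the given hex DE_CFG value.
chicken_bit_set() {
    if [ $(( $1 & (1 << 9) )) -ne 0 ]; then echo yes; else echo no; fi
}

# Echo the hex DE_CFG value with bit 9 set; all other bits are preserved.
with_chicken_bit() {
    printf '0x%x\n' $(( $1 | (1 << 9) ))
}

# Describe the running CPU; exit status 0 means "Zen 2, workaround relevant".
report() {
    fam=$(cpuinfo_field "cpu family" < /proc/cpuinfo)
    mod=$(cpuinfo_field "model" < /proc/cpuinfo)
    ucode=$(cpuinfo_field "microcode" < /proc/cpuinfo)
    echo "cpu family $fam, model $mod, microcode revision $ucode"
    if [ "$(is_zen2 "$fam" "$mod")" = yes ]; then
        echo "Zen 2 part: affected by CVE-2023-20593 unless the microcode is fixed"
        return 0
    fi
    echo "not a Zen 2 part; no action needed"
    return 1
}

# Set DE_CFG[9] on every core. Needs root; the write is lost on reboot.
apply_workaround() {
    cur=$(rdmsr -c "$DE_CFG_MSR") || {
        echo "rdmsr failed: run as root and 'modprobe msr' first" >&2; return 1; }
    if [ "$(chicken_bit_set "$cur")" = yes ]; then
        echo "DE_CFG is $cur: bit 9 already set, nothing to do"; return 0
    fi
    new=$(with_chicken_bit "$cur")
    wrmsr -a "$DE_CFG_MSR" "$new" && echo "DE_CFG set to $new on all CPUs"
}

case "${1:-}" in
    check) report ;;
    apply) report && apply_workaround ;;
    "")    ;;   # no argument: only define the functions (file can be sourced)
    *)     echo "usage: $0 check|apply" >&2; exit 2 ;;
esac
```

Run `sudo sh zenbleed.sh check` to see family, model and microcode revision, and `sudo sh zenbleed.sh apply` to set the bit on all cores; if /dev/cpu/*/msr is missing, `modprobe msr` first. Because the MSR write does not survive a reboot, put the apply step in a boot-time unit and remove it once the BIOS or microcode update is in place, since the chicken bit costs performance.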
