'Zenbleed' bug leaks data from AMD Ryzen and Epyc Zen 2 chips
Google security researcher demonstrates that silicon level vulnerability he discovered could enable theft of sensitive data
Google's Tavis Ormandy yesterday posted a proof-of-concept exploit for a flaw he reported earlier this year.
The vulnerability, tracked as CVE-2023-20593, affects every AMD CPU built on the Zen 2 microarchitecture. That covers Ryzen Threadripper 3000, the EPYC 7002 data centre processors, the Ryzen 3000 and 4000 lines, and the Zen 2-based members of the Ryzen 5000 family.
According to Ormandy, the bug lies in how Zen 2 handles 'vzeroupper', an AVX instruction that zeroes the upper halves of the vector registers and which compilers emit to avoid SSE/AVX transition penalties. When a vzeroupper is executed speculatively and then rolled back after a branch misprediction, the register file is not restored correctly, and stale data belonging to other code on the core can be read back out of the YMM registers.
There are good reasons this vulnerability has gathered so much attention. It is OS agnostic, requires no special privileges, and a would-be attacker doesn't need physical access to the machine they are attacking: any unprivileged code running on an affected core can trigger it. An attack could in principle be mounted from JavaScript on a web page.
Secondly, as Ormandy himself commented, "I found a variant that can leak about 30 kb per core, per second. This is fast enough to monitor encryption keys and passwords as users login!"
The leak also crosses every software boundary on the core. Processes, sandboxes, the kernel, the hypervisor and virtual machines all share the same vector register file, so a tenant in one guest VM can observe data belonging to other guests and to the host. This makes Ormandy's discovery all the more ominous for cloud service providers (CSPs).
AMD responded yesterday with a security advisory listing target dates for the AGESA firmware updates, some of which will not be available until December. A microcode patch for EPYC 7002 is available immediately, and both AMD and Ormandy recommend applying it, or the relevant BIOS update, as soon as it is available. For systems that cannot yet be patched, Ormandy describes a workaround: setting bit 9 of the DE_CFG model-specific register (0xC0011029) disables the affected optimisation, at a performance cost.
"AMD recommends applying the µcode patch listed below for AMD EPYC™ 7002 Processors, and applying BIOS updates that include the following AGESA™ firmware versions for other affected products. AMD plans to release to the Original Equipment Manufacturers (OEM) the AGESA™ versions on the target dates listed below. Please refer to your OEM for the BIOS update specific to your product."
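As an added triage helper (not code from Ormandy, AMD or the advisory above), the following POSIX shell script identifies whether a Linux machine is running a Zen 2 part by family/model from /proc/cpuinfo and, if so, reports whether the DE_CFG[9] chicken bit is already set. It assumes the msr-tools package (rdmsr) and a loaded msr kernel module for the MSR read; the family-0x17 model ranges it treats as Zen 2 are an assumption drawn from public CPUID listings (Rome 0x31, Renoir 0x60, Lucienne 0x68, Matisse 0x71, Van Gogh 0x90, Mendocino 0xA0) and should be checked against your vendor's documentation. The wrmsr line that would apply the workaround is printed, not executed.

```shell
#!/bin/sh
# Added example: Zenbleed (CVE-2023-20593) triage on Linux.
# Not from AMD or Tavis Ormandy. Assumes msr-tools (rdmsr) and `modprobe msr`
# for the chicken-bit check; everything else is plain /proc parsing.

# Extract "family model" (decimal, first CPU only) from /proc/cpuinfo-style
# text on stdin. The "model name" line is deliberately skipped.
cpuinfo_family_model() {
    awk -F': ' '/^cpu family/ && !f { f = $2 }
                /^model[ \t]*:/ && !m { m = $2 }
                END { print f, m }'
}

# Zen 2 is family 0x17 (23). Model ranges are an assumption based on public
# CPUID listings; verify against vendor documentation before relying on them:
#   0x30-0x3f Rome (EPYC 7002)   0x60-0x6f Renoir / Lucienne
#   0x70-0x7f Matisse            0x90-0xaf Van Gogh / Mendocino
is_zen2() {
    family=$1; model=$2
    if [ "$family" -ne 23 ] 2>/dev/null; then echo no; return 0; fi
    if [ "$model" -ge 48 ]  && [ "$model" -le 63 ];  then echo yes; return 0; fi
    if [ "$model" -ge 96 ]  && [ "$model" -le 127 ]; then echo yes; return 0; fi
    if [ "$model" -ge 144 ] && [ "$model" -le 175 ]; then echo yes; return 0; fi
    echo no
}

# DE_CFG is MSR 0xC0011029; bit 9 is the chicken bit Ormandy documents as a
# workaround. Takes the raw MSR value (as printed by `rdmsr -c`) so the logic
# can be exercised without hardware access.
chicken_bit_set() {
    val=$(( $1 ))
    if [ $(( (val >> 9) & 1 )) -eq 1 ]; then echo set; else echo clear; fi
}

# Report for the running machine. Never writes an MSR; the wrmsr command that
# sets the workaround bit is printed for the operator to run deliberately.
zenbleed_report() {
    [ -r /proc/cpuinfo ] || { echo "no /proc/cpuinfo; cannot identify CPU"; return 2; }
    set -- $(cpuinfo_family_model < /proc/cpuinfo)
    [ -n "$1" ] && [ -n "$2" ] || { echo "could not parse family/model (not x86?)"; return 2; }
    if [ "$(is_zen2 "$1" "$2")" != yes ]; then
        echo "family $1 model $2: not a Zen 2 part, CVE-2023-20593 not applicable"
        return 0
    fi
    echo "family $1 model $2: Zen 2 part, affected unless microcode/AGESA is updated"
    if command -v rdmsr >/dev/null 2>&1 && raw=$(rdmsr -c 0xc0011029 2>/dev/null); then
        echo "DE_CFG[9] chicken bit: $(chicken_bit_set "$raw")"
    else
        echo "rdmsr unavailable: install msr-tools and 'modprobe msr' to check DE_CFG[9]"
    fi
    echo "workaround if no firmware is available yet (costs performance):"
    echo "  wrmsr -a 0xc0011029 \$((\$(rdmsr -c 0xc0011029) | (1<<9)))"
    return 1
}

zenbleed_report
```

Run it as root on each host; a non-zero exit marks an affected machine, which makes the script usable as a fleet-wide inventory step. The chicken bit is lost on reboot, so it belongs in an early boot unit until the firmware update lands.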
The custom AMD chips in the PlayStation 5, Xbox Series X and S, and Steam Deck are also Zen 2-based, but it is not yet clear whether they are affected.