[Hardware]AMD 'Zenbleed' Bug Leaks Data From Ryzen, EPYC CPUs: Most Patches Coming Q4 (Updated)

https://www.tomshardware.com/news/zenbleed-bug-allows-data-theft-from-amds-zen-2-processors-patches-released

AMD hasn't given specific details of any performance impacts but did issue the following statement to Tom's Hardware: “Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploit of the described vulnerability outside the research environment.”
AMD's statement implies there will be some performance impact from the patches, but we'll have to conduct independent benchmarks when the patches arrive for the consumer Ryzen products. In the meantime, we've asked AMD for any ballpark figures it can share.
The Zenbleed vulnerability is filed as CVE-2023-20593 and allows data exfiltration (theft) at a rate of 30kb per core, per second, thus providing adequate throughput to steal sensitive information flowing through the processor. This attack works across all software running on the processor, including virtual machines, sandboxes, containers, and processes. The ability for this attack to read data across virtual machines is particularly threatening for cloud service providers and those who use cloud instances.
The attack can be accomplished via unprivileged arbitrary code execution. Ormandy has posted a security research repository and code for the exploit. The attack works by manipulating the register files to force a mispredicted command (meaning it exploits the speculative execution engine), as described below:

"The bug works like this, first of all you need to trigger something called the XMM Register Merge Optimization2, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work.
We now know that basic operations like strlen, memcpy and strcmp will use the vector registers - so we can effectively spy on those operations happening anywhere on the system! It doesn’t matter if they’re happening in other virtual machines, sandboxes, containers, processes, whatever!
This works because the register file is shared by everything on the same physical core. In fact, two hyperthreads even share the same physical register file," says Ormandy.
AMD describes the exploit much more simply, saying, "Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information."
Ormandy says the bug can be patched through a software approach for multiple operating systems (e.g., Windows - "you can set the chicken bit DE_CFG[9]"), but this might result in a performance penalty. Ormandy says it is highly recommended to get the microcode update, but his post also has examples of software mitigations for other operating systems, too.

Here's a list of the impacted processors, and the schedule for the release of the AGESA versions to OEMs: 
Below, we have a more detailed list with the model number of each impacted chip and the expected date for the new AGESA to arrive. AMD's AGESA is a code foundation upon which the OEMs build BIOS revisions. You will need to update to a BIOS with the above-listed AGESA code, or newer, to patch your system.

“We are aware of the AMD hardware security vulnerability described in CVE-2023-20593, which was discovered by Tavis Ormandy, a Security Researcher at Google, and we have worked with AMD and industry partners closely. We have worked to address the vulnerability across Google platforms.” - Google spokesperson to Tom's Hardware.
Ormandy says he reported the issue to AMD on May 15, 2023, but it still remains unclear if this was a coordinated disclosure — AMD didn't seem prepared for the announcement. Ormandy also credits his colleagues: "I couldn’t have found it without help from my colleagues, in particular Eduardo Vela Nava and Alexandra Sandulescu. I also had help analyzing the bug from Josh Eads."
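The post above mentions that, until the microcode/AGESA update lands, the software mitigation is to set the DE_CFG[9] "chicken bit". The script below is an added example for checking a Linux host from the defender's side; it is not code from Tom's Hardware, AMD or Ormandy's research repository. It assumes (none of this is stated on the page) that Zen 2 parts report CPUID family 23, that DE_CFG is MSR 0xC0011029, and that the listed family-23 model ranges are the Zen 2 ones; confirm those against AMD's affected-product list before relying on the verdict. Reading the MSR needs root and the `msr` kernel module, so the script falls back to a constructed `/proc/cpuinfo` sample and an "unknown" mitigation status when those are unavailable.

```python
"""Defender-side check for the Zenbleed (CVE-2023-20593) DE_CFG[9] mitigation.

Added example, not part of the original post or Ormandy's repository.
Assumptions (not on the page): Zen 2 = CPUID family 23 (0x17); DE_CFG is
MSR 0xC0011029; the model ranges below are the Zen 2 ones.
"""
import os
import re

DE_CFG_MSR = 0xC0011029          # assumed MSR address of DE_CFG
ZENBLEED_CHICKEN_BIT = 9         # DE_CFG[9], the bit named in Ormandy's post
ZEN2_FAMILY = 0x17               # assumed: Zen 2 is CPUID family 23
# Assumed family-23 model ranges for Zen 2 cores; verify against AMD's list.
ZEN2_MODEL_RANGES = ((0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF))


def parse_cpuinfo(text):
    """Return (vendor, family, model) from the first processor block of /proc/cpuinfo text."""
    def field(name):
        # Anchor on the exact key so "model" does not match the "model name" line.
        m = re.search(r"^%s\s*:\s*(.+)$" % re.escape(name), text, re.M)
        return m.group(1).strip() if m else None
    vendor = field("vendor_id")
    family = field("cpu family")
    model = field("model")
    return vendor, (int(family) if family else None), (int(model) if model else None)


def is_zen2(vendor, family, model):
    """True when the CPU matches the assumed Zen 2 vendor/family/model set."""
    if vendor != "AuthenticAMD" or family != ZEN2_FAMILY or model is None:
        return False
    return any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)


def de_cfg_mitigated(de_cfg_value):
    """True when DE_CFG[9] is set, i.e. the software mitigation is active."""
    return bool((de_cfg_value >> ZENBLEED_CHICKEN_BIT) & 1)


def read_de_cfg(cpu=0):
    """Read DE_CFG through the Linux msr device (root + msr module); None if unavailable."""
    path = "/dev/cpu/%d/msr" % cpu
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError:
        return None
    try:
        # The msr device maps the MSR address to the file offset.
        raw = os.pread(fd, 8, DE_CFG_MSR)
    except OSError:
        return None
    finally:
        os.close(fd)
    return int.from_bytes(raw, "little")


def assess(vendor, family, model, de_cfg_value):
    """Classify a host: 'not-affected', 'mitigated', 'unmitigated' or 'unknown'."""
    if not is_zen2(vendor, family, model):
        return "not-affected"
    if de_cfg_value is None:
        return "unknown"        # could not read the MSR; cannot confirm either way
    return "mitigated" if de_cfg_mitigated(de_cfg_value) else "unmitigated"


# Constructed sample: a family-23, model 0x71 (113) entry in /proc/cpuinfo layout.
SAMPLE_CPUINFO = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen (constructed sample)
"""

if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_CPUINFO
    vendor, family, model = parse_cpuinfo(text)
    print(vendor, family, model, assess(vendor, family, model, read_de_cfg()))
```

A "mitigated" result only means the chicken bit is set on CPU 0; the bit must be set on every core (Ormandy's post applies it to all cores), and the microcode/BIOS update remains the fix AMD and Ormandy recommend. An older Zen (family 23, model outside the ranges) reports "not-affected" for this CVE only.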
