Google’s security researcher Tavis Ormandy discovered a new vulnerability impacting AMD Zen2 CPUs that could allow a malicious actor to steal sensitive data, such as passwords and encryption keys, at a rate of 30KB/sec from each CPU core.
The vulnerability is tracked as CVE-2023-20593 and is caused by the improper handling of an instruction called ‘vzeroupper’ during speculative execution, a common performance-enhancing technique used in all modern processors.
Ormandy used fuzzing and performance counters to discover specific hardware events and validated his results using an approach called “Oracle Serialization.”
With this approach, the author was able to detect inconsistencies between the execution of the randomly generated program and its serialized oracle, leading to the discovery of CVE-2023-20593 in Zen2 CPUs.
After triggering an optimized exploit for the flaw, the researcher could leak sensitive data from any system operation, including those that take place in virtual machines, isolated sandboxes, containers, etc.
“It took a bit of work, but I found a variant that can leak about 30 kb per core, per second. This is fast enough to monitor encryption keys and passwords as users login!,” explained Ormandy in a technical write-up of the flaw.
First big result from our new CPU research project, a use-after-free in AMD Zen2 processors! AMD have just released updated microcode for affected systems, please update! https://t.co/NVPWFpVopz pic.twitter.com/HgKwu9w8Av
The researcher reported the flaw to AMD on May 15, 2023, and today, he published a proof-of-concept (PoC) exploit for CVE-2023-20593.
The exploit is written for Linux, but the bug is OS-agnostic, so all operating systems running on Zen 2 CPUs are affected.
The flaw impacts all AMD CPUs built on the Zen 2 architecture, including the Ryzen 3000 (“Matisse”), Ryzen 4000U/H (“Renoir”), Ryzen 5000U (“Lucienne”), Ryzen 7020, and the high-end ThreadRipper 3000 and Epyc server (“Rome”) processors.
If your CPU is impacted by ‘Zenbleed,’ it is recommended to apply AMD’s new microcode update or wait for your computer vendor to incorporate the fix in a future BIOS upgrade.
Alternatively, the researcher proposes the mitigation method of setting the “chicken bit” to DE_CFG[9], although this workaround would result in a CPU performance drop.
Ormandy concludes that detecting exploitation of Zenbleed is most likely impossible, as improper usage of ‘vzeroupper’ does not require elevated privileges or special system calls and hence would be pretty stealthy.
Zenbleed’s practical impact on regular users is relatively low, as it requires local access to the target system and a high degree of specialization and knowledge to exploit.
However, it’s essential to keep systems up-to-date with the latest security patches and apply any BIOS updates as soon as they become available.
