A Google Information Security researcher named Tavis Ormandy has discovered a major vulnerability that affects all AMD Zen 2 CPUs. Tavis worked alongside fellow colleagues Eduardo Vela Nava, Alexandra Sandulescu, and Josh Eads to discover and analyze the bug that was found during routine hardware testing. Zenbleed is a vulnerability that is one of the more unique ones to be discovered in recent years in that it does not require physical access to the targeted system. An attacker is capable of using javascript via a webpage to retrieve sensitive information, including encryption keys and password logins from the CPU. Zenbleed is so invasive in its ability to allow data extraction that information can be obtained from all software using the CPU including virtual machines, processes, and sandboxed environments.
Per Tavis Ormandy:
“The bug works like this, first of all you need to trigger something called the XMM Register Merge Optimization2, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work.
We now know that basic operations like strlen, memcpy and strcmp will use the vector registers – so we can effectively spy on those operations happening anywhere on the system! It doesn’t matter if they’re happening in other virtual machines, sandboxes, containers, processes, whatever!”
The news gets worse as the researcher explains that after a bit of work, they were able to create an exploit capable of extracting 30 kb per core, per second. Furthermore, as stated, Zenbleed affects all Zen 2 processors, including data center processors.
- AMD Ryzen 3000 Series Processors
- AMD Ryzen PRO 3000 Series Processors
- AMD Ryzen Threadripper 3000 Series Processors
- AMD Ryzen 4000 Series Processors with Radeon Graphics
- AMD Ryzen PRO 4000 Series Processors
- AMD Ryzen 5000 Series Processors with Radeon Graphics
- AMD Ryzen 7020 Series Processors with Radeon Graphics
- AMD EPYC “Rome” Processors
The good news, and yes there is good news at the end of this dark and very scary tunnel, is that AMD has already been rolling out microcode updates to mitigate this vulnerability. Zenbleed’s technical name is CVE-2023-20593 and AMD has published a bulletin about it which includes details for updates already available as well as expected timelines for others that are planned to be rolled out by the end of 2023.
Per AMD:
“Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.”
Tom’s Hardware has provided extensive lists of affected processors which include desktop, mobile, and server CPUs, along with AGESA version updates and release schedules. Tavis also provided a software workaround for those who are currently unable to use a microcode update in his post about Zenbleed. Tavis does speculate that the workarounds could potentially impact performance but AMD has not yet said if this is true.
Per Tavis Ormandy:
“Workaround
It is highly recommended to use the microcode update.
If you can’t apply the update for some reason, there is a software workaround: you can set the chicken bit DE_CFG[9].
This may have some performance cost.
Linux
You can use msr-tools to set the chicken bit on all cores, like this:
wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
FreeBSD
On FreeBSD you would use cpucontrol(8).
Others
If you’re using some other operating system and don’t know how to set MSRs, ask your vendor for assistance.
Note that it is not sufficient to disable SMT.”