
Zenbleed: Security Flaw Steals Data from AMD Zen 2 CPUs


After initially disclosing the flaw to AMD on May 15, Google security researcher Tavis Ormandy published an overview of it on his blog. AMD’s entire Zen 2 product line is said to be affected by the Zenbleed vulnerability.

The flaw reportedly lets attackers read private information held in AMD Zen 2 class CPUs – which power the PS5, Xbox, and desktop and data center computers – such as encryption keys and logins. According to cloud infrastructure provider Cloudflare, remote attackers can use JavaScript on a website to exploit Zenbleed.

AMD Zen 2 CPU

AMD’s Zen 2 CPU, launched in 2019, is the third generation of the company’s Ryzen processors. The line includes the Ryzen 4000U/H desktop chips, Ryzen 5000U for mobile applications, Threadripper 3000 for high-performance workstations, and the Ryzen 4000G Accelerated Processing Unit (APU) system-on-a-chip.

The processors also power Sony’s PlayStation 5, Microsoft’s Xbox Series S and Series X, and Steam’s Steam Deck. Zen 2 CPUs are also used across a number of standalone computers and data center servers.

These CPUs are now affected by Zenbleed – tracked as CVE-2023-20593 – which relies on an error in how the CPUs carry out a process known as speculative execution.

CPU Misprediction 

Modern CPUs increase processing speed by predicting what they will need to do next and preloading a number of alternatives, so that the CPU does not have to wait for them to load after finishing the current instruction. This technique is known as speculative execution.

Predictions that turn out to be of no use are discarded. One instruction involved is vzeroupper, which rolls back the guess by "zeroing out" the register space, known as a YMM register, that had been prepared for those predictions.

However, Tavis Ormandy discovered that when a Zen 2 CPU predicts the next instruction will be vzeroupper and that prediction turns out to be wrong, the chip does not always delete the data stored in the YMM register – a register that is also used by regular CPU instructions that move and copy data.

He further notes that this register space may hold sensitive data such as passwords, credit-card details, and encryption keys, and that a well-executed exploit can dupe the CPU into recovering in a way that lets threat actors steal data from affected systems at around 30 KB per core per second.

Because the flaw lies in the normal operation of the CPU, it works regardless of the operating system, programs, virtual machines, or security tools installed on the system.

Patching the Underlying Vulnerability

Ormandy has also published exploit code as a proof-of-concept (PoC) alongside his post. The flaw is said to be simpler to exploit than other recent CPU bugs such as Spectre and Meltdown.

AMD has released a temporary patch for the affected systems’ chips and plans to release full updates through equipment manufacturers by October.

Cloudflare announced that it is "patching [its] entire fleet of potentially impacted servers with AMD's microcode." 

Citrix has provided a patch, and the developers of the Debian and Red Hat Linux distributions have also responded. Red Hat has categorized the vulnerability as having "moderate impact" and has cautioned that an appropriate solution is not currently available.

Security experts have further advised companies to assess their exposure to the bug by reviewing where they use systems based on Zen 2 CPUs. They also advise businesses to be mindful of other, related hardware bugs such as RAMBleed, which allow data to be read straight from CPU and memory hardware.
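As an added example of the exposure review the experts recommend (this is not code from the original post, from AMD, or from Ormandy's work), the following Python script parses /proc/cpuinfo-style output, flags AMD family 23 (0x17) parts whose model falls in the Zen 2 ranges, and compares the loaded microcode revision against a minimum the operator supplies. The model ranges are my assumption, taken from the way the Linux kernel identifies Zen 2 parts; the hostnames, microcode revisions and required-revision threshold in the sample data are constructed placeholders, not AMD's actual fixed revisions.

```python
"""Fleet exposure check for Zenbleed (CVE-2023-20593), added example.

Assumptions (not from the original post):
  - Zen 2 parts report vendor AuthenticAMD, cpu family 23 (0x17) and a
    model in ZEN2_MODEL_RANGES (ranges follow the Linux kernel's Zen 2
    identification; treat them as an approximation, not AMD's list).
  - The required microcode revision is supplied by the operator; the
    value used below is a placeholder, not a real AMD revision number.
"""

# Family 0x17 model ranges considered Zen 2 (assumption, see docstring).
ZEN2_MODEL_RANGES = ((0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF))


def parse_cpuinfo(text):
    """Split /proc/cpuinfo-style text into one dict per logical CPU.

    Entries are separated by blank lines; each line is "key : value".
    """
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def is_zen2(cpu):
    """True if this logical CPU looks like an AMD Zen 2 part."""
    if cpu.get("vendor_id") != "AuthenticAMD":
        return False
    # /proc/cpuinfo prints family and model in decimal.
    if int(cpu.get("cpu family", "0")) != 0x17:
        return False
    model = int(cpu.get("model", "0"))
    return any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)


def assess_host(hostname, cpuinfo_text, required_microcode):
    """Return an exposure record for one host.

    The lowest microcode revision across logical CPUs is reported, so a
    host is only considered updated when every CPU carries the new code.
    """
    cpus = parse_cpuinfo(cpuinfo_text)
    zen2 = any(is_zen2(c) for c in cpus)
    revision = min((int(c.get("microcode", "0x0"), 16) for c in cpus), default=0)
    return {
        "host": hostname,
        "zen2": zen2,
        "microcode": hex(revision),
        "needs_update": zen2 and revision < required_microcode,
    }


def assess_fleet(hosts, required_microcode):
    """hosts: iterable of (hostname, cpuinfo_text). Returns hosts needing action."""
    reports = [assess_host(h, t, required_microcode) for h, t in hosts]
    return [r for r in reports if r["needs_update"]]


# Constructed sample data: one Zen 2 desktop part (family 23, model 113 =
# 0x71) with stale microcode, one Zen 3 part, and one Intel part.
SAMPLE_ZEN2 = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 7 3700X 8-Core Processor
microcode\t: 0x8701021

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
microcode\t: 0x8701021
"""
SAMPLE_ZEN3 = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
microcode\t: 0xa201016
"""
SAMPLE_INTEL = """processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
microcode\t: 0x5003604
"""
# Placeholder threshold, NOT AMD's real fixed revision.
REQUIRED_MICROCODE_PLACEHOLDER = 0x8701030

if __name__ == "__main__":
    fleet = [("build-01", SAMPLE_ZEN2), ("db-01", SAMPLE_ZEN3), ("web-01", SAMPLE_INTEL)]
    for rec in assess_fleet(fleet, REQUIRED_MICROCODE_PLACEHOLDER):
        print(f"{rec['host']}: Zen 2 with microcode {rec['microcode']} -> update required")
```

In practice the cpuinfo text would be collected from each host (for example over your configuration-management channel) and the threshold set to the revision your vendor's advisory names; reading the minimum revision across all logical CPUs avoids declaring a host fixed when only some sockets have been updated.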