'Zenbleed' Flaw Affects AMD Zen 2 CPUs, But Patches Are Months Away
25.07.2023 - 19:43
/ pcmag.com
If you own an AMD chip built with the Zen 2 architecture, be on the lookout for an important patch in the coming months. A security researcher discovered a flaw in AMD’s CPUs that can be exploited to steal passwords and encryption keys from a PC.
The finding comes from Tavis Ormandy, a security researcher at Google, who warns that the vulnerability affects all Zen 2 CPUs. These span both desktop and laptop chips, largely the Ryzen 3000 and 4000 lines, in addition to Epyc "Rome" server processors.
By abusing the flaw, an attacker can trigger a Zen 2 CPU to leak normally protected data, which can include sensitive details. "The attack can even be carried out remotely through JavaScript on a website, meaning that the attacker need not have physical access to the computer or server," adds internet backbone provider Cloudflare.
Ormandy discovered the problem while "fuzzing" the AMD processors, which essentially involves trying to get the chips to misbehave or crash by bombarding them with unexpected or invalid instruction sequences. The Zenbleed vulnerability specifically affects the CPUs' register file, the on-chip storage that holds the values instructions operate on.
“This attack works by manipulating register files to force a mispredicted command,” Cloudflare says. “Since the register file is shared by all the processes running on the same physical core, this exploit can be used to eavesdrop on even the most fundamental system operations by monitoring the data being transferred between the CPU and the rest of the computer.”
In his own write-up, Ormandy adds: "The bug works like this, first of all you need to trigger something called the XMM Register Merge Optimization, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work."
The bug thus opens a way to spy on the chip's operations, regardless of whether the code being eavesdropped on is running in a virtual machine, sandbox, or container. Leveraging the flaw isn't easy, but Ormandy says: "It took a bit of work, but I found a variant that can leak about 30 kb per core, per second. This is fast enough to monitor encryption keys and passwords as users login!"
Ormandy notified AMD about the threat in May. However, the company still needs several months to prepare some of the patches. In AMD's security bulletin, the chip vendor noted that the fix for most desktop and laptop Ryzen processors won't arrive until December. Meanwhile, the Ryzen Threadripper 3000 series should receive the patch in October.
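Because the fixes are months out, the first defensive step is to inventory which hosts carry Zen 2 parts. The following Python check is added here and is not from the article or from AMD: it classifies a /proc/cpuinfo dump by AMD family and model; the model ranges are an assumption taken from the Linux kernel's Zenbleed mitigation match list, and the cpuinfo excerpt is constructed.

```python
# Zen 2 is AMD family 0x17. The model ranges are an assumption taken from the
# Linux kernel's Zenbleed mitigation match list, not from the article.
ZEN2_FAMILY = 0x17
ZEN2_MODEL_RANGES = ((0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF))

# Constructed, abbreviated /proc/cpuinfo excerpt for a Ryzen 3000 (Matisse) host.
ZEN2_HOST = """\
processor : 0
vendor_id : AuthenticAMD
cpu family : 23
model : 113
model name : AMD Ryzen 7 3700X 8-Core Processor
physical id : 0
"""

def parse_cpuinfo(text):
    """Split a /proc/cpuinfo dump into one {field: value} dict per logical CPU."""
    cpus = []
    for block in text.strip().split("\n\n"):
        fields = dict(
            (k.strip(), v.strip())
            for k, _, v in (line.partition(":") for line in block.splitlines())
            if k.strip()
        )
        cpus.append(fields)
    return cpus

def is_zen2(fields):
    """True if this logical CPU reports an AMD family/model in the Zen 2 ranges."""
    if fields.get("vendor_id") != "AuthenticAMD":
        return False
    try:
        family, model = int(fields["cpu family"]), int(fields["model"])
    except (KeyError, ValueError):
        return False
    return family == ZEN2_FAMILY and any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)

def zen2_packages(text):
    """Return {physical id: model name} for every Zen 2 package in the dump."""
    return {f.get("physical id", "?"): f.get("model name", "?")
            for f in parse_cpuinfo(text) if is_zen2(f)}

if __name__ == "__main__":
    # On a real host: zen2_packages(open("/proc/cpuinfo").read())
    print(zen2_packages(ZEN2_HOST) or "no Zen 2 packages found")
```

Hosts the check flags are the ones whose microcode or BIOS revision should be tracked against AMD's bulletin until the fix lands.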
The other problem is that the patches might cause a performance decrease, according to Ormandy. Users can expect the fixes to arrive via their motherboard