A researcher at Google Information Security has discovered a major flaw in AMD's Zen 2 processors. Dubbed 'Zenbleed', the vulnerability lets ordinary code running on an affected CPU read data belonging to other processes and virtual machines that share the same physical core. Affected parts include AMD's Zen 2-based EPYC 7002 ('Rome') data centre processors, the entire Ryzen 3000 desktop line and Threadripper 3000, and the Radeon Graphics-equipped Ryzen 4000 and 5000 APUs, as well as the Ryzen 7020 series.
According to Tavis Ormandy, author of the technical write-up, the vulnerability is tracked as CVE-2023-20593 and is caused by the CPU mishandling the 'vzeroupper' instruction (which clears the upper halves of the 256-bit YMM vector registers) when it is executed speculatively and then rolled back. Speculative execution, a common performance technique in modern processors, runs instructions before the CPU knows whether they are needed; in this case the rollback leaves the register file in an inconsistent state, and stale register contents written by another process can be read out directly. The data is read straight from the register rather than inferred through a timing side channel, which is what makes the bug so practical.
Triggering the flaw requires a precisely timed sequence of instructions, but Ormandy optimised his exploit to leak about 30 kB per core, per second, from whatever else is running on that core: other processes, virtual machines, isolated sandboxes and containers. No elevated privileges are needed. At that rate an attacker can capture passwords, encryption keys and similar secrets as they are used by unsuspecting users.
The good news is that Ormandy reported the vulnerability to AMD on May 15, 2023, and AMD has released a microcode update. It shipped first for the EPYC 7002 series; for other affected parts the fix arrives either through a BIOS (AGESA) update from your motherboard vendor or through a microcode or security update from your OS provider, so apply whichever reaches you first.
Should the microcode update not yet be available for your system, Ormandy describes a software workaround: setting a 'chicken bit' (bit 9 of the DE_CFG model-specific register, MSR 0xC0011029) that disables the register-file optimisation the bug depends on, so the leak can no longer occur. This carries a CPU performance cost, the size of which has not been quantified, and the setting has to be reapplied after every reboot.
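The workaround above, as an added example that is not part of the original article or of Ormandy's or AMD's published code: a small POSIX shell helper that recognises an affected Zen 2 part from /proc/cpuinfo, computes the DE_CFG value with the chicken bit set, and applies it with msr-tools. The model ranges it checks are assumed to be those the Linux kernel's Zenbleed fix uses (verify them against AMD's bulletin for your part); the live path assumes Linux, root, the msr kernel module and the rdmsr/wrmsr utilities from msr-tools. The /proc/cpuinfo excerpt is constructed for the demo.

```shell
#!/bin/sh
# Zenbleed (CVE-2023-20593) helper: identify affected Zen 2 parts and apply the
# DE_CFG[9] "chicken bit" workaround where a microcode fix is not yet available.
# Added example, not code from Ormandy's write-up or from AMD. The live path
# assumes Linux, root, the 'msr' kernel module and msr-tools (rdmsr/wrmsr).

DE_CFG_MSR=0xc0011029   # MSR_AMD64_DE_CFG
ZENBLEED_BIT=9          # bit the workaround sets (MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT in Linux)

# is_zen2 FAMILY MODEL: succeed (return 0) if the CPU is in an affected Zen 2 model range.
# Accepts decimal (as in /proc/cpuinfo) or 0x-prefixed hex. Assumed ranges (those the
# Linux kernel fix checks; confirm against AMD-SB-7008 for your part):
#   0x30-0x3f EPYC 7002 "Rome"        0x60-0x6f Renoir / Lucienne APUs
#   0x70-0x7f Matisse / Castle Peak   0xa0-0xaf Mendocino
is_zen2() {
    family=$(( $1 )); model=$(( $2 ))
    [ "$family" -eq 23 ] || return 1          # family 0x17 covers Zen, Zen+ and Zen 2
    for range in 48:63 96:111 112:127 160:175; do
        if [ "$model" -ge "${range%:*}" ] && [ "$model" -le "${range#*:}" ]; then
            return 0
        fi
    done
    return 1
}

# cpuinfo_is_zen2: the same check, reading /proc/cpuinfo-formatted text from stdin.
# Only the first "cpu family" and "model" lines are used; "model name" is skipped.
cpuinfo_is_zen2() {
    set -- $(awk -F: '/^cpu family[ \t]*:/ && !f {f=$2+0} /^model[ \t]*:/ && !m {m=$2+0} END {print f, m}')
    [ $# -eq 2 ] || return 1
    is_zen2 "$1" "$2"
}

# de_cfg_with_fix VALUE: print VALUE (as 0x-hex) with the chicken bit OR-ed in.
de_cfg_with_fix() {
    printf '0x%x\n' $(( $1 | (1 << ZENBLEED_BIT) ))
}

# de_cfg_fix_set VALUE: succeed if the chicken bit is already set in VALUE.
de_cfg_fix_set() {
    [ $(( $1 & (1 << ZENBLEED_BIT) )) -ne 0 ]
}

# Live path: read DE_CFG on CPU 0, then write the updated value to every core (wrmsr -a).
# The setting does not survive a reboot, so call this from an init script if you rely on it.
apply_zenbleed_workaround() {
    cpuinfo_is_zen2 < /proc/cpuinfo || { echo "not an affected Zen 2 CPU" >&2; return 1; }
    modprobe msr 2>/dev/null || true
    cur=$(rdmsr -c "$DE_CFG_MSR") || return 1
    if de_cfg_fix_set "$cur"; then
        echo "DE_CFG[$ZENBLEED_BIT] already set ($cur)"
        return 0
    fi
    wrmsr -a "$DE_CFG_MSR" "$(de_cfg_with_fix "$cur")"
}

# Demo on a constructed /proc/cpuinfo excerpt (a Ryzen 9 3900X: family 23, model 113 = 0x71).
SAMPLE_CPUINFO='processor   : 0
vendor_id   : AuthenticAMD
cpu family  : 23
model       : 113
model name  : AMD Ryzen 9 3900X 12-Core Processor'

if printf '%s\n' "$SAMPLE_CPUINFO" | cpuinfo_is_zen2; then
    echo "sample CPU is an affected Zen 2 part; DE_CFG=0x0 would become $(de_cfg_with_fix 0x0)"
fi
```

The pure functions (is_zen2, cpuinfo_is_zen2, de_cfg_with_fix, de_cfg_fix_set) run on any machine, so the detection logic can be checked without touching MSRs; only apply_zenbleed_workaround needs root. Recent Linux kernels already set this bit themselves on Zen 2 when they find the microcode too old, so check dmesg and the current DE_CFG value before assuming a host is unprotected.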
Finally, exploiting Zenbleed requires the ability to run code on the target system and a high degree of specialist knowledge, and AMD says it is not aware of any exploitation outside the research environment, so the day-to-day risk to individual users is limited. The picture is different for shared infrastructure: no elevated privileges are needed, and the leak crosses process, container and virtual-machine boundaries, which is exactly the situation on a cloud host running untrusted tenants side by side. Either way, it is highly advisable to keep your systems up to date with the latest security patches and to apply BIOS updates as soon as they are available.
AMD has summarised the vulnerability as a 'Cross-Process Information Leak' and rates its overall severity as medium. Full details are in Ormandy's technical write-up and in AMD's security bulletin, AMD-SB-7008.