Some top AMD chips have a major security flaw


Some AMD chips are vulnerable to a high-severity security flaw that lets threat actors steal sensitive data from the endpoint, including passwords and encryption keys. AMD has since released a microcode patch for the vulnerability and urged users to apply it promptly to reduce their exposure.

The flaw was discovered by Google security researcher Tavis Ormandy. His analysis focused on AMD Zen 2 CPUs, and he said it “took a bit of work”. What he found was improper handling of the “vzeroupper” instruction, which zeroes the upper halves of the CPU’s YMM vector registers, when it is executed speculatively and then rolled back: the register contents are not restored correctly, so stale data left in the register file by other code that ran on the same core can be read back. If “speculative execution” rings a bell, it’s because the same CPU optimisation was at the heart of the Spectre and Meltdown vulnerabilities. It is a standard technique used by practically every modern CPU designer to make chips run faster.

The vulnerability, since confirmed by AMD, is tracked as CVE-2023-20593 and at press time had not yet been assigned a severity score.

In any case, the vulnerability leaks data “at about 30 kb per core, per second,” the researcher explains. “That is fast enough to monitor encryption keys and passwords as users login!” What’s more, the leak is not confined to the attacker’s own process: it exposes data from any software running on the affected core, including code inside virtual machines and isolated sandboxes.

The vulnerability affects all AMD processors built on the Zen 2 architecture, meaning endpoints powered by Ryzen 3000 ("Matisse"), Ryzen 4000U/H ("Renoir"), Ryzen 5000U ("Lucienne"), Ryzen 7020 ("Mendocino"), the high-end Threadripper 3000 ("Castle Peak") and EPYC 7002 ("Rome") server processors are all vulnerable.

AMD has since released a microcode update for the flaw. Alternatively, users can wait for their system vendor to ship the fix in a future BIOS (AGESA) update. Until a fixed microcode is loaded, the bug can also be suppressed from software by setting a so-called “chicken bit” in an AMD model-specific register, at some performance cost.
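The following shell script is an added example, not code from the article, from AMD or from Ormandy. It triages a Linux host: it classifies the CPU as Zen 2 (or not) from the family/model numbers in /proc/cpuinfo, using the model ranges for the parts listed above, and shows the interim workaround of setting bit 9 of the DE_CFG model-specific register (0xc0011029) that was published alongside the Zenbleed disclosure. The family/model-to-codename mapping, the MSR address and bit, and the use of rdmsr/wrmsr from msr-tools are assumptions stated in the comments; the proper fix remains the microcode or BIOS update, since the MSR bit is lost on reboot.

```shell
#!/bin/sh
# Added example (not from the article, AMD or the researcher): triage a Linux
# host for Zenbleed (CVE-2023-20593) exposure and show the interim workaround.
#
# Assumptions, labelled as such:
#  - Zen 2 is CPU family 0x17 (23); the model ranges below cover the parts the
#    article lists (Rome/Castle Peak, Renoir, Lucienne, Matisse, Mendocino).
#  - The interim software mitigation is setting bit 9 of the DE_CFG MSR
#    (0xc0011029) on every core; this needs root, the msr kernel module and the
#    rdmsr/wrmsr tools from msr-tools.
#  - Microcode/BIOS updates are the real fix; the MSR bit is not persistent.

# zen2_codename FAMILY MODEL   (decimal, as printed in /proc/cpuinfo)
# Prints the Zen 2 codename for an affected part, or "not-zen2".
zen2_codename() {
    family=$1; model=$2
    if [ "$family" -ne 23 ]; then echo not-zen2; return 0; fi
    if   [ "$model" -ge 48  ] && [ "$model" -le 63  ]; then echo "Rome/Castle Peak"  # 0x30-0x3f
    elif [ "$model" -ge 96  ] && [ "$model" -le 103 ]; then echo "Renoir"            # 0x60-0x67
    elif [ "$model" -ge 104 ] && [ "$model" -le 111 ]; then echo "Lucienne"          # 0x68-0x6f
    elif [ "$model" -ge 112 ] && [ "$model" -le 127 ]; then echo "Matisse"           # 0x70-0x7f
    elif [ "$model" -ge 160 ] && [ "$model" -le 175 ]; then echo "Mendocino"         # 0xa0-0xaf
    else echo not-zen2
    fi
}

# de_cfg_has_zenbleed_fix VALUE   -> exit 0 if bit 9 of the DE_CFG value is set
de_cfg_has_zenbleed_fix() {
    [ "$(( ($1 >> 9) & 1 ))" -eq 1 ]
}

# de_cfg_with_zenbleed_fix VALUE  -> the DE_CFG value with bit 9 set, for wrmsr
de_cfg_with_zenbleed_fix() {
    printf '0x%x\n' "$(( $1 | (1 << 9) ))"
}

# report_host: read /proc/cpuinfo and say what, if anything, needs doing.
# Harmless on non-Linux or non-AMD machines.
report_host() {
    if [ ! -r /proc/cpuinfo ]; then echo "no /proc/cpuinfo: cannot triage this host"; return 0; fi
    vendor=$(awk -F': ' '/^vendor_id/      {print $2; exit}' /proc/cpuinfo)
    family=$(awk -F': ' '/^cpu family/     {print $2; exit}' /proc/cpuinfo)
    model=$(awk  -F': ' '/^model[[:space:]]*:/ {print $2; exit}' /proc/cpuinfo)
    ucode=$(awk  -F': ' '/^microcode/      {print $2; exit}' /proc/cpuinfo)
    if [ "$vendor" != "AuthenticAMD" ]; then
        echo "not an AMD CPU: not affected by CVE-2023-20593"; return 0
    fi
    name=$(zen2_codename "${family:-0}" "${model:-0}")
    if [ "$name" = not-zen2 ]; then
        echo "AMD family $family model $model: not Zen 2, not affected"; return 0
    fi
    echo "Zen 2 ($name), microcode ${ucode:-unknown}: affected unless the loaded microcode/BIOS carries AMD's fix"
    if command -v rdmsr >/dev/null 2>&1; then
        # rdmsr -c prints the value as a C-style hex constant; needs root + msr module
        cur=$(rdmsr -c 0xc0011029 2>/dev/null) || { echo "rdmsr failed (run as root with 'modprobe msr')"; return 0; }
        if de_cfg_has_zenbleed_fix "$cur"; then
            echo "DE_CFG=$cur: chicken bit already set"
        else
            echo "DE_CFG=$cur: interim workaround: wrmsr -a 0xc0011029 $(de_cfg_with_zenbleed_fix "$cur")"
        fi
    else
        echo "install msr-tools (rdmsr/wrmsr) to check or apply the DE_CFG workaround"
    fi
}

report_host
```

Recent Linux kernels carrying the July 2023 Zenbleed fix set this DE_CFG bit themselves on Zen 2 parts whose loaded microcode is older than the fixed revision, so on an up-to-date kernel the check usually reports the bit as already set; the MSR route is for older kernels or other operating systems, and it is a stop-gap until the firmware update lands.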

AMD was first notified of the flaw in mid-May 2023, and the vulnerability, dubbed “Zenbleed”, already has a public proof-of-concept (PoC) exploit.

Analysis: Why does it matter?

Any vulnerability that lets malware steal encryption keys is by default extremely dangerous. Keys guard other secrets, such as passwords, personal photos, email, instant messages and business documents, so they are a prized target for attackers, and the ramifications of a successful attack are correspondingly extensive.

The silver lining is that Zenbleed is fairly impractical to use, especially against ordinary users. As Ormandy explained, the attacker needs to run code on the target system and needs considerable specialist knowledge. That doesn’t make it any less dangerous, as criminals will go to great lengths to extract valuable data from organizations. As The Hacker News notes, Ormandy is a long-standing Google vulnerability researcher and a founding member of Google’s Project Zero, the team dedicated to finding zero-day vulnerabilities.

What makes Zenbleed even more dangerous is that it is very hard to detect: triggering the bug needs no elevated privileges and no special system calls, only ordinary user-mode instructions, so an attacker exploiting it can stay under the radar while exfiltrating sensitive information.

The exploit is similar to the dreaded Meltdown and Spectre vulnerabilities, which also leveraged flaws in speculative execution. When news of those flaws first broke, hardware manufacturers rushed out patches, and many of the early fixes went badly: endpoints became sluggish, and some were even left unbootable. This time around, AMD was more careful, warning upfront that the patch could affect performance. In a statement shared with Tom’s Hardware, the company said: “Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploit of the described vulnerability outside the research environment.”

So we can expect some impact, although AMD has not quantified it, or even generalized about it. We’ll have to wait for the benchmarks to arrive.

What have others said about Zenbleed?

In Ormandy’s Twitter thread, users mostly praised the researcher’s work, with one person even claiming they were “easily able to retrieve memory contents of the Windows host via WSL.” Others weren’t that impressed, as one user said the whole thing felt “like someone’s jumped the gun”: “No vendor bios updates I can find, no distro has the microcode ready, we're having to resort to the chicken bits-- this smells.”

BleepingComputer, on the other hand, left nothing to chance, telling its readers that “it's essential to keep systems up-to-date with the latest security patches and apply any BIOS updates as soon as they become available.” Cloudflare chimed in to say some of its servers use AMD’s Zen line of CPUs and that it has patched its entire fleet to mitigate the vulnerability. “While our network is now protected from this vulnerability, we will continue to monitor for any signs of attempted exploitation of the vulnerability and will report on any attempts we discover in the wild,” it said in a writeup.


 Via: Tom’s Hardware 


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
