Google security researcher Tavis Ormandy has discovered a new vulnerability affecting AMD Zen2 processors that could allow a malicious actor to steal sensitive data, such as passwords and encryption keys, at a rate of 30 KB/s from each processor core.

The vulnerability is identified as CVE-2023-20593 and is caused by the mishandling of an instruction called “vzeroupper” during speculative execution, a common performance-enhancing technique used in all modern processors.

Ormandy used fuzzing and performance counters to discover specific hardware events and validated his results using an approach called “Oracle Serialization”.

With this approach, the author was able to detect inconsistencies between the execution of the randomly generated program and its serialized oracle, leading to the discovery of CVE-2023-20593 in Zen2 CPUs.

After triggering an exploit optimized for the flaw, the researcher could leak sensitive data from any system operation, including those that take place in virtual machines, isolated sandboxes, containers, and more.

“It took a bit of work, but I found a variant that can leak around 30 KB per core, per second. It’s fast enough to monitor encryption keys and passwords as users log in!” Ormandy explained in a technical writing of the fault.

First big result of our new CPU research project, a use-after-free in AMD Zen2 processors! AMD has released a microcode update for affected systems, please update!

The researcher reported the flaw to AMD on May 15, 2023, and today he released a proof-of-concept (PoC) exploit for CVE-2023-20593.

The exploit is written for Linux, but the bug is operating system independent, so all operating systems running on Zen 2 processors are affected.

The flaw affects all AMD processors built on the Zen 2 architecture, including Ryzen 3000 (“Matisse”), Ryzen 4000U/H (“Renoir”), Ryzen 5000U (“Lucienne”), Ryzen 7020, and high-end ThreadRipper 3000 and Epyc server (“Rome”) processors.

If your CPU is impacted by ‘Zenbleed’, it is recommended to apply AMD’s New Microcode Update or wait for your computer vendor to include the fix in a future BIOS upgrade.

Alternatively, the researcher offers the mitigation method to set the “piece of chicken” to DE_CFG[9]although this workaround would result in lower CPU performance.

Ormandy concludes that detection of the Zenbleed exploit is most likely impossible, as improper use of “vzeroupper” does not require elevated privileges or special system calls and would therefore be quite stealthy.

The practical impact of Zenbleed on regular users is relatively small, as it requires local access to the target system and a high degree of specialization and knowledge to operate.

However, it is essential to keep systems up to date with the latest security patches and to apply BIOS updates as soon as they become available.

Source link