Seasoned bug-hunter Tavis Ormandy of Google has disclosed a bug in a range of AMD processors, now patched via microcode, which he said allows attackers to get at usernames and passwords while logins are being processed.
Dubbed “Zenbleed”, the speculative execution bug affects various AMD Ryzen and EPYC Zen 2 chips, and in his technical writeup of the discovery and exploitation of the bug, Ormandy wrote: “It took a bit of work, but I found a variant that can leak about 30kb per core, per second.”
“This is fast enough to monitor encryption keys and passwords as users login.”
An attacker logged into a cloud machine would be able to exploit Zenbleed to spy on other tenants, without special privileges.
In his GitHub post, he also mentions a malicious web page as a possible attack vector.
Ormandy explained that the bug relates to a single CPU instruction: “The VZEROUPPER instruction can be used to zero the upper 128 bits of the YMM registers.
“The architecture documentation recommends using it to eliminate any performance penalties caused by false dependencies when transitioning between AVX and SSE modes.”
The bug is designated CVE-2023-20593.
“We have discovered cases where the effects of a speculatively executed VZEROUPPER are incorrectly rolled back following a branch misprediction,” he wrote.
“This issue has severe security consequences and is easily exploitable. To illustrate this, we have developed a reliable method of leaking register contents across concurrent processes, hyperthreads and virtualised guests.”
Ormandy wrote that the bug has been confirmed as reproducible on AMD Ryzen Threadripper PRO 3945WX 12-Cores; Ryzen 7 PRO 4750GE with Radeon Graphics; Ryzen 7 5700U; and EPYC 7B12.
“In general, we believe all Zen 2 processors are affected, including ‘Rome’ server-class processors at the latest microcode patchlevel at the time of writing,” he wrote.
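Since Ormandy's assessment is that every Zen 2 part is affected, the practical first step for a defender is finding those hosts. The following is an added example, not code from the article or from Ormandy's writeup: it parses /proc/cpuinfo text, flags logical CPUs whose CPUID family/model falls in the Zen 2 ranges, and reports their microcode revision so it can be compared with AMD's fixed revision. The family/model ranges are an assumption taken from the public Linux kernel's Zenbleed handling, and the sample cpuinfo text and its microcode value are constructed placeholders.

```python
# Added example (not from the article): flag Zen 2 hosts from /proc/cpuinfo so they can
# be scheduled for AMD's microcode update. Family/model ranges are an ASSUMPTION taken
# from public Linux kernel Zenbleed handling, not from the page; verify against AMD.
ZEN2_FAMILY = 0x17
ZEN2_MODEL_RANGES = ((0x30, 0x3f), (0x60, 0x6f), (0x70, 0x7f), (0xa0, 0xaf))
# Constructed /proc/cpuinfo excerpt (EPYC 7B12: family 23, model 49 = 0x31);
# the microcode revision shown is a placeholder, not a real value.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7B12
microcode\t: 0x8301000

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7B12
microcode\t: 0x8301000
"""

def is_zen2(family: int, model: int) -> bool:
    """True when the CPUID family/model pair falls in the Zen 2 ranges."""
    return family == ZEN2_FAMILY and any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)

def parse_cpuinfo(text: str) -> list[dict]:
    """Split /proc/cpuinfo text into one {field: value} dict per logical CPU."""
    cpus, cur = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line closes one processor block
            if cur:
                cpus.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        cpus.append(cur)
    return cpus

def zenbleed_exposure(text: str) -> list[dict]:
    """List each Zen 2 logical CPU with the microcode revision to compare against AMD's fix."""
    hits = []
    for cpu in parse_cpuinfo(text):
        if cpu.get("vendor_id") != "AuthenticAMD":
            continue
        if is_zen2(int(cpu.get("cpu family", 0)), int(cpu.get("model", 0))):
            hits.append({"processor": int(cpu["processor"]), "microcode": cpu.get("microcode", "?"),
                         "model_name": cpu.get("model name", "?")})
    return hits
```

A hit only says the host is in the affected family; whether the mitigation is present depends on comparing the reported microcode revision with the fixed revision AMD publishes for that model.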
Ormandy said he told AMD of the bug in May, and the company has issued a microcode patch.
Expect patches to come from vendors as well: Citrix has led the way with a hotfix.
“Although this is not an issue in the Citrix Hypervisor product itself, we have released a hotfix that includes this microcode to mitigate this CPU hardware issue,” Citrix said.
“This issue only affects systems running Citrix Hypervisor when running on AMD Zen 2 CPUs.”