Taming Zenbleed: AMD patches holes in its chips
A hidden vulnerability turns the chips into excellent spies.
AMD, a well-known chip manufacturer, has started producing fixes for its processors affected by a serious vulnerability, Zenbleed. The flaw allows malware to steal passwords, cryptographic keys, and other sensitive information from an infected system.
Ryzen and Epyc Zen 2 chips are affected by Zenbleed. Data can be extracted from them at a rate of at least 30 KB per second per core, which is enough to spy on other users of a shared server, for example a cloud host. Zenbleed is a speculative-execution bug. Unlike related bugs such as Spectre, this one is fairly easy to exploit.
The vulnerability was discovered by Google security specialist Tavis Ormandy, who spotted the flaw while testing the hardware. AMD became aware of the issue in May 2023. The company intends to address it with microcode updates and urges users to update their devices as soon as possible.
A proof-of-concept exploit written by Ormandy confirms that the attack works on a Zen 2 Epyc system. It can be carried out with unprivileged arbitrary code that triggers the XMM register merge optimization, followed by a register rename and a mispredicted vzeroupper instruction.
Zen 2 processors include Ryzen 3000; Ryzen Pro 3000; Ryzen Threadripper 3000; Ryzen 4000 Pro; Ryzen 4000, 5000 and 7020 with Radeon graphics; and Epyc Rome. AMD has already released patches for the EPYC 7002 "Rome" processors, but updates for Zen 2 Ryzen 3000, 4000 and some 5000 series systems are not expected until November-December 2023. The processors used in the PS5, Xbox Series X and S, and Steam Deck are also Zen 2 parts, but it is not yet clear whether they are affected by the threat.
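To turn the affected-product list above into something an administrator can run across a fleet, here is an added inventory check (this editor's code, not AMD's or Ormandy's) that parses Linux /proc/cpuinfo text and flags Zen 2 parts. The family/model ranges are this editor's assumption from public CPUID documentation, not values given in the article; the sample cpuinfo text is constructed.

```python
import re

# Zen 2 is AMD family 0x17; the model ranges below are an assumption taken
# from public CPUID documentation, not from the article (constructed here).
ZEN2_FAMILY = 0x17
ZEN2_MODEL_RANGES = [(0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF)]

# Constructed /proc/cpuinfo fragment: one Zen 2 (Rome) core, one Zen 3 core.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7302 16-Core Processor
microcode\t: 0x8301034

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
model name\t: AMD Ryzen 9 5900X 12-Core Processor
microcode\t: 0xa201016
"""


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict of fields per logical processor."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends one processor entry
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def is_zen2(cpu):
    """True when the entry is an AMD family 0x17 part in a Zen 2 model range."""
    if cpu.get("vendor_id") != "AuthenticAMD":
        return False
    if int(cpu.get("cpu family", -1)) != ZEN2_FAMILY:
        return False
    model = int(cpu.get("model", -1))
    return any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)


def zen2_inventory(text):
    """Return (processor id, model name, microcode revision) for each Zen 2 entry."""
    return [(c["processor"], c.get("model name", "?"), c.get("microcode", "?"))
            for c in parse_cpuinfo(text) if is_zen2(c)]


if __name__ == "__main__":
    for proc, name, ucode in zen2_inventory(SAMPLE_CPUINFO):
        print(f"cpu {proc}: {name}, microcode {ucode}: Zen 2, compare against AMD's fixed revision")
```

The reported microcode revision is what to compare against the fixed revision AMD publishes for each part; the script deliberately does not hard-code one.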
AMD rates the vulnerability as medium severity. According to Ormandy, the manufacturer still has to confirm that the fixes are present in new firmware. Detailed security guidance from the company is also expected.
Currently, the only workaround is to set a control bit that disables some processor features and prevents the flaw from being exploited. However, this can cause a noticeable performance degradation.