Critical Vulnerability Found in AMD Zen2 CPUs Allowing Theft of Sensitive Data

A groundbreaking revelation by Google’s security researcher, Tavis Ormandy, has exposed a fresh vulnerability that affects AMD Zen2 CPUs. This security flaw creates a potential gateway for malicious actors to pilfer sensitive data directly from each CPU core, including critical information like passwords and encryption keys. Astonishingly, the exploit allows data theft to occur rapidly at 30KB/sec. This discovery raises serious concerns regarding the security and privacy of users relying on AMD Zen2 CPUs for their computing needs.

CVE-2023-20593 is caused by the mishandling of the ‘vzeroupper’ instruction during speculative execution. This instruction is used in all modern processors, including AMD Zen2 CPUs, to enhance performance.

Due to this mishandling during speculative execution, the vulnerability opens up a potential security risk. Malicious actors could exploit this flaw, gaining unauthorised access to sensitive data, such as passwords and encryption keys. The significance of this discovery has raised concerns among security experts and the tech community, urging immediate attention to address the issue.

Ormandy used fuzzing and performance counters to identify particular hardware events related to the vulnerability. To validate his findings, he utilised a technique called “Oracle Serialization.”

Using this method, the researcher detected disparities between the execution of a randomly generated program and its serialized oracle. This divergence ultimately led to the identification of CVE-2023-20593 in Zen2 CPUs.

Once the researcher activated an optimized exploit for the vulnerability, they could extract sensitive data from various system operations. This included processes within virtual machines, isolated sandboxes, containers, and other environments.

Elaborating on the flaw, Ormandy shared in his technical write-up that he invested some effort into the process, eventually identifying a specific variant. This variant could leak about 30 kb per core per second, an alarming rate that could allow for the monitoring of encryption keys and passwords during user logins. The implications of such data leakage raised severe concerns about the vulnerability’s potential impact on system security.

The researcher responsibly notified AMD about the flaw on May 15, 2023. Today, the researcher published a proof-of-concept (PoC) exploit for CVE-2023-20593, shedding light on the severity of the vulnerability.

While the exploit is specifically designed for Linux, it’s important to note that the underlying bug is not tied to any particular operating system. As a result, all operating systems running on Zen 2 CPUs are susceptible to this vulnerability.

So, if your CPU is affected by ‘Zenbleed,’ it is advisable to either apply AMD’s latest microcode update or wait for your computer vendor to ship the fix in a forthcoming BIOS upgrade. Taking prompt action to address the vulnerability will help safeguard your system from potential risks.

On the other hand, the researcher suggests an alternative mitigation method: setting the “chicken bit” DE_CFG[9]. However, implementing this workaround would lead to a decrease in CPU performance.
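A defender-side check for the workaround described above, as an added example that is not from Ormandy's write-up or from AMD: it reads DE_CFG on every logical CPU through the Linux msr driver and reports cores where bit 9 is clear, since MSRs are per-core. The MSR address 0xC0011029 and all function names are assumptions not stated on this page; the address is the one the Linux kernel defines as MSR_AMD64_DE_CFG.

```python
import glob
import os
import struct

DE_CFG_MSR = 0xC0011029  # assumption: AMD DE_CFG MSR address, not given on the page
CHICKEN_BIT = 9          # DE_CFG[9], the bit named in the article


def read_msr(cpu, msr, dev_root="/dev/cpu"):
    """Read one 64-bit MSR via the Linux msr driver (needs root and `modprobe msr`)."""
    fd = os.open(os.path.join(dev_root, str(cpu), "msr"), os.O_RDONLY)
    try:
        raw = os.pread(fd, 8, msr)  # the file offset selects the MSR number
    finally:
        os.close(fd)
    if len(raw) != 8:
        raise OSError(f"short MSR read on cpu {cpu}")
    return struct.unpack("<Q", raw)[0]


def list_cpus(dev_root="/dev/cpu"):
    """Logical CPU numbers exposed by the msr driver."""
    paths = glob.glob(os.path.join(dev_root, "[0-9]*", "msr"))
    return sorted(int(os.path.basename(os.path.dirname(p))) for p in paths)


def audit_chicken_bit(cpus, reader=read_msr):
    """Classify each CPU: bit set, bit clear, or unreadable."""
    report = {"set": [], "clear": [], "error": []}
    for cpu in cpus:
        try:
            value = reader(cpu, DE_CFG_MSR)
        except OSError:
            report["error"].append(cpu)
            continue
        key = "set" if (value >> CHICKEN_BIT) & 1 else "clear"
        report[key].append(cpu)
    return report


def workaround_complete(report):
    """True only if every audited CPU was readable and has the bit set."""
    return bool(report["set"]) and not report["clear"] and not report["error"]


if __name__ == "__main__":
    result = audit_chicken_bit(list_cpus())
    print(result, "complete" if workaround_complete(result) else "INCOMPLETE")
```

The result is only meaningful on a Zen 2 system, and an MSR written at runtime does not survive a reboot, so the check belongs in whatever runs after each boot.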

Ormandy concludes that the chances of detecting Zenbleed exploitation are very slim. The improper usage of ‘vzeroupper’ does not necessitate elevated privileges or special system calls, making it a rather stealthy technique. As a result, identifying such attacks would be challenging due to their inconspicuous nature.

The practical impact of Zenbleed on regular users is limited, mainly because exploiting it demands local access to the target system and a high level of specialisation and knowledge.

However, it remains important to keep systems regularly updated with the latest security patches and to apply BIOS updates as soon as they are available.
