Zenbleed - A Serious Leak Threat to AMD Zen 2 Processors

Discover AMD's Zenbleed vulnerability impacting Zen 2 processors. Learn about the patches, affected systems, and potential performance impact.

Zenbleed Vulnerability Hits AMD's Zen 2 Processors
Tavis Ormandy, a researcher with Google Information Security, has discovered a serious silicon-level bug dubbed Zenbleed that can be exploited by rogue users and malware to steal passwords, cryptographic keys, and other secrets from software running on a vulnerable system. The vulnerability has wide-ranging implications for anyone running Zen 2 chips, including those in the data center, consumer, and gaming spaces.

The Zenbleed bug affects all AMD Zen 2 processors, including the EPYC data center processors and the Ryzen 3000/4000/5000 CPUs. The custom AMD chips in gaming consoles such as the PS5, Xbox Series X and S, and the Steam Deck, which are also based on Zen 2, could potentially be affected as well.

The Zenbleed vulnerability allows an attacker to steal sensitive data, such as passwords and encryption keys from the CPU, at a rate of 30KB per core per second. The vulnerability can be exploited without needing physical access to the machine. 

Worryingly, it can be triggered via JavaScript on a web page, or by malware already present on the system. The exploit can steal sensitive information from any software running on the processor, including virtual machines, sandboxes, containers, and ordinary processes. This represents a significant risk for cloud service providers and users of cloud instances.

The good news is that AMD has already started issuing some patches for the EPYC 7002 'Rome' processors. However, the company will not release patches for its consumer Zen 2 Ryzen 3000, 4000, and some 5000-series chips until later this year. It's also worth noting that the company has not yet shared any specific details on potential performance impacts resulting from these patches.

The Zenbleed bug, identified as CVE-2023-20593, abuses the speculative execution engine's handling of the vector register file: a mispredicted instruction leaves stale register contents exposed, producing the data leak. The mechanism involves something called the XMM Register Merge Optimization, followed by a register rename and a mispredicted vzeroupper, all of which need to happen within a specific window for the leak to occur.

When AMD's chips execute vzeroupper, they simply mark the affected registers as zero by setting a special bit, and then allow those registers to be used for other operations. If vzeroupper is speculatively executed – the processor anticipates it will need to run that instruction – it sets this zero bit and frees the registers in the register file for reuse. 

This can happen if the vzeroupper instruction lies right after a branch instruction; if the processor thinks the branch is unlikely to be taken, it will start the vzeroupper speculatively. As we saw with Spectre and Meltdown, CPUs do this kind of thing to gain big performance boosts.

If the processor core realizes soon afterward that it should not have speculatively executed the vzeroupper instruction, it tries to roll back that decision and undo the zeroing by clearing the bit that marks the registers as zero. Unfortunately, by that point the registers have probably already been handed to other code, and because they are no longer marked as zero, their contents from the previous operation are now visible to that other code.

This is why the flaw is being compared to a use-after-free-style vulnerability.

Ormandy has suggested software-based mitigation approaches for multiple operating systems that might result in a performance penalty. However, he recommends getting the microcode update as a more permanent solution. Details on how to set this up for various operating systems have been included in Ormandy's security research repository.

In light of this discovery, users are strongly urged to keep an eye out for AMD's Zenbleed microcode updates and any other security updates for their operating systems. Installing these updates when they become available is the best way to protect your systems from this vulnerability.
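A defender's first question is whether a given Linux host is still exposed once the updates start rolling out. The script below is an added example, not code from the article or from Ormandy's repository: it parses `/proc/cpuinfo` to identify Zen 2 parts, compares the loaded microcode revision against the fixed revision, and, when run as root with the `msr` driver loaded, checks whether the software workaround (bit 9 of MSR 0xC0011029, the "chicken bit" Ormandy's writeup describes) has been applied. The affected model ranges and fixed microcode revisions are reproduced from the Linux kernel's Zenbleed fix as I recall them and should be treated as assumptions to verify against your kernel source and AMD's advisory; all function and sample names are my own, and the `/proc/cpuinfo` samples are constructed.

```python
#!/usr/bin/env python3
"""Zenbleed (CVE-2023-20593) exposure check for a Linux host.

Added example, not code from the article or from Ormandy's repository.
Assumptions (reproduced from the Linux kernel's Zenbleed fix as I recall it;
verify against your kernel source and AMD's advisory):
  - affected parts are family 0x17, models 0x30-0x4f, 0x60-0x7f, 0x90-0x91, 0xa0-0xaf
  - fixed microcode revisions per model range as listed in FIXED_MICROCODE
  - the software workaround is bit 9 of MSR 0xC0011029 (DE_CFG)
"""
import os
import struct
from dataclasses import dataclass
from typing import Optional

ZEN2_MODEL_RANGES = [(0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF)]

# (model range, first microcode revision carrying AMD's fix) -- assumption, see docstring
FIXED_MICROCODE = [
    ((0x30, 0x3F), 0x0830107A),  # EPYC 7002 'Rome'
    ((0x60, 0x67), 0x0860010B),
    ((0x68, 0x6F), 0x08608105),
    ((0x70, 0x7F), 0x08701032),
    ((0xA0, 0xAF), 0x08A00008),
]

DE_CFG_MSR = 0xC0011029
ZENBLEED_CHICKEN_BIT = 1 << 9


@dataclass
class CpuInfo:
    vendor: str
    family: int
    model: int
    microcode: int


def parse_cpuinfo(text: str) -> CpuInfo:
    """Extract vendor/family/model/microcode from the first processor block of /proc/cpuinfo."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the first processor block
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return CpuInfo(
        vendor=fields.get("vendor_id", ""),
        family=int(fields.get("cpu family", "0")),
        model=int(fields.get("model", "0")),
        microcode=int(fields.get("microcode", "0"), 16),  # "0x..." is accepted with base 16
    )


def is_zen2(cpu: CpuInfo) -> bool:
    """True when the part falls in the Zen 2 model ranges AMD lists as affected (assumed table)."""
    return (cpu.vendor == "AuthenticAMD" and cpu.family == 0x17
            and any(lo <= cpu.model <= hi for lo, hi in ZEN2_MODEL_RANGES))


def fixed_microcode_rev(model: int) -> Optional[int]:
    """First fixed microcode revision for this model, or None if no fix is known for it."""
    for (lo, hi), rev in FIXED_MICROCODE:
        if lo <= model <= hi:
            return rev
    return None


def read_de_cfg(cpu_index: int = 0) -> Optional[int]:
    """Read MSR 0xC0011029 via the msr driver (needs root and `modprobe msr`); None if unavailable."""
    try:
        fd = os.open(f"/dev/cpu/{cpu_index}/msr", os.O_RDONLY)
    except OSError:
        return None
    try:
        # The msr driver uses the file offset as the MSR address.
        return struct.unpack("<Q", os.pread(fd, 8, DE_CFG_MSR))[0]
    except OSError:
        return None
    finally:
        os.close(fd)


def assess(cpu: CpuInfo, de_cfg: Optional[int] = None) -> str:
    """Classify a host: not-affected, fixed-microcode, mitigated-chicken-bit, vulnerable, or unknown."""
    if not is_zen2(cpu):
        return "not-affected"
    good = fixed_microcode_rev(cpu.model)
    if good is not None and cpu.microcode >= good:
        return "fixed-microcode"          # AMD's permanent fix is loaded
    if de_cfg is None:
        return "unknown"                  # old microcode and the MSR could not be read
    if de_cfg & ZENBLEED_CHICKEN_BIT:
        return "mitigated-chicken-bit"    # software workaround in place; expect a performance cost
    return "vulnerable"


# Constructed sample: an EPYC 'Rome' core (family 23, model 49 = 0x31) on pre-fix microcode.
SAMPLE_ROME = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7302P 16-Core Processor
microcode\t: 0x8301052

processor\t: 1
"""

# Constructed sample: a Zen 3 part (family 25), outside the affected table.
SAMPLE_ZEN3 = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
microcode\t: 0xa201016
"""

if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        cpu = parse_cpuinfo(f.read())
    print(f"family 0x{cpu.family:x} model 0x{cpu.model:x} microcode 0x{cpu.microcode:x}")
    print("status:", assess(cpu, read_de_cfg()))
```

Run it as root on each host after `modprobe msr`; a result of `vulnerable` means neither the microcode fix nor the chicken bit is present, while `unknown` means the microcode is still old and the MSR could not be read (unprivileged run or `msr` module not loaded). The Linux kernel's own fix applies the chicken bit automatically on affected models when the microcode is too old, so `mitigated-chicken-bit` is the expected state on a patched kernel with pre-fix firmware.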

Google, which employs the researcher who discovered this bug, is also taking steps to address the vulnerability across its platforms.

It's important to be aware of the Zenbleed vulnerability and take the necessary steps to protect your data and devices. This discovery reiterates the ongoing need for robust security measures in the ever-evolving tech landscape. Remember, it's not just about being aware, but also about being proactive in securing your digital footprint.
