Zenbleed Vulnerability: A New Threat to AMD’s Zen 2 Processors

A concerning vulnerability affecting AMD’s Zen 2 processors has recently been unveiled by Google security researcher Tavis Ormandy. Dubbed “Zenbleed” and filed as CVE-2023-20593, this bug poses a significant risk because it allows malicious actors to steal sensitive data such as passwords and encryption keys. The vulnerability affects a wide range of AMD processors, including those found in the Ryzen 3000, 4000, 5000, and 7020 series, the Ryzen Pro 3000 and 4000 series, and the EPYC “Rome” data center processors. In this article, we explore the details of the Zenbleed vulnerability, its potential impact, and the actions being taken to address it.

The Zenbleed vulnerability exploits a flaw in speculative execution, similar to the Spectre class of CPU vulnerabilities. However, Zenbleed is far easier to execute, making it more akin to the Meltdown family of exploits. One of the most alarming aspects of this vulnerability is that it doesn’t require physical access to a user’s computer for exploitation. It can be triggered remotely through JavaScript on a webpage, raising concerns about its potential for widespread attacks.

If successfully executed, the Zenbleed exploit enables the unauthorized transfer of data at an alarming rate of 30 kb per core, per second. This means that sensitive data from any software running on the system, including virtual machines, sandboxes, containers, and processes, could be stolen. Cloud-hosted services are particularly vulnerable to this exploit, as it can be used to spy on users within cloud instances.

One of the most troubling aspects of Zenbleed is its ability to operate covertly without requiring any special system calls or privileges. This makes exploitation challenging to detect. Security researcher Tavis Ormandy has emphasized the lack of reliable techniques to identify successful attacks. To mitigate the risk, AMD has released a microcode patch for second-generation EPYC 7002 processors. However, users of other AMD CPU lines must wait until October 2023 for the next updates.

While AMD has assured users that any performance impact will vary depending on workload and system configuration, it hasn’t disclosed specific details regarding the impact of the patches. Some users might experience a reduction in performance, while others may not notice any significant changes. AMD states that no known exploit of the vulnerability exists outside the research environment, offering some reassurance amid the ongoing threat.

Security researcher Tavis Ormandy highly recommends that affected users apply AMD’s microcode update. However, for those seeking an interim solution, he has provided a software workaround on his blog. This workaround may also impact system performance but serves as a temporary measure until vendors incorporate the fix into future BIOS updates.
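As a triage aid for the microcode advice above, the following added example (not from the original article or from AMD) reads Linux `/proc/cpuinfo` text, decides whether the CPU is a Zen 2 part, and compares the loaded microcode revision with a minimum that the operator supplies from AMD's bulletin. The Zen 2 model ranges are an assumption taken from the Linux kernel's classification, and the sample data and revision numbers are constructed placeholders.

```python
import re

# Assumption (from the Linux kernel's Zen 2 classification, not the article):
# Zen 2 is AMD family 0x17 with a model number in one of these ranges.
ZEN2_MODELS = [(0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF)]

# Constructed sample in /proc/cpuinfo layout; the microcode value is a placeholder.
SAMPLE = ("processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 23\n"
          "model\t\t: 113\nmodel name\t: AMD Ryzen 5 3600 6-Core Processor\n"
          "microcode\t: 0x100\n")

def parse_cpuinfo(text):
    """Split /proc/cpuinfo-style text into one dict per logical CPU."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus

def is_zen2(cpu):
    """True if the vendor, family and model fields identify a Zen 2 core."""
    if cpu.get("vendor_id") != "AuthenticAMD":
        return False
    try:
        family, model = int(cpu["cpu family"]), int(cpu["model"])
    except (KeyError, ValueError):
        return False
    return family == 0x17 and any(lo <= model <= hi for lo, hi in ZEN2_MODELS)

def assess(text, fixed_revision=None):
    """Return 'not-affected', 'check-revision', 'needs-update' or 'patched'.

    fixed_revision: minimum patched microcode revision for this CPU model,
    looked up by the operator in AMD's bulletin (nothing is hard-coded here).
    """
    zen2 = [c for c in parse_cpuinfo(text) if is_zen2(c)]
    if not zen2:
        return "not-affected"
    try:
        revisions = [int(c["microcode"], 16) for c in zen2]
    except (KeyError, ValueError):
        return "check-revision"
    if fixed_revision is None:
        return "check-revision"
    return "patched" if min(revisions) >= fixed_revision else "needs-update"
```

On a real host, pass the contents of `/proc/cpuinfo` to `assess()`; inside a virtual machine the reported microcode revision may not reflect the host's.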

You can find the exploit code of the vulnerability here.
