Some top AMD chips have a huge security flaw

By admin
July 25, 2023

Some AMD chips are vulnerable to a high-severity security flaw that allows threat actors to steal sensitive data from endpoints, including passwords and encryption keys. The maker has since released a patch for the vulnerability and urged its users to apply it quickly and reduce the chances of being targeted.

The flaw was discovered by Tavis Ormandy, a Google security researcher. His analysis focused on the AMD Zen 2 CPU, and he said it “had a bit of work to do”. However, he managed to detect improper handling of an instruction called “vzeroupper” during speculative execution. If “speculative execution” rings alarm bells, it’s because the same technique was involved in the Spectre and Meltdown vulnerabilities. Speculative execution is common practice among most silicon OEMs today because it makes chips run faster.

Since confirmed by AMD, the vulnerability is tracked as CVE-2023-20593 and has not yet been evaluated as of press time.

In any case, the researcher points out that the vulnerability leaks CPU data at “approximately 30 KB per core, per second”: “It’s fast enough to monitor encryption keys and passwords when users login!” In addition, the flaw can be used against any system operation, including operations in virtual machines and isolated sandboxes.

The vulnerability affects all AMD chips built on the Zen 2 architecture, meaning that endpoints powered by Ryzen 3000 (“Matisse”), Ryzen 4000U/H (“Renoir”), Ryzen 5000U (“Lucienne”), Ryzen 7020, and the high-end Threadripper 3000 and Epyc server (“Rome”) processors are all vulnerable.

AMD has since released a microcode update. Alternatively, users can wait for their computer vendor to add the fix in a future BIOS upgrade.

The flaw was first reported to AMD in mid-May 2023, and a proof-of-concept exploit (PoC) is already available, called “Zenbleed”.
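For fleet triage against the affected-processor list and the microcode update described above, the following added example (not part of the original article, and not AMD's or Ormandy's code) parses Linux `/proc/cpuinfo` text, flags Zen 2 parts, and reports their running microcode revision. The family and model ranges are an assumption taken from how the Linux kernel groups Zen 2, and the sample text and its microcode values are constructed placeholders.

```python
import re

# Assumption (not in the article): Zen 2 reports x86 family 23 (0x17) with a model
# in these ranges (Linux kernel grouping). Family 23 alone also matches Zen/Zen+.
ZEN2_MODEL_RANGES = [(0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF)]

# Constructed /proc/cpuinfo excerpt; microcode values are placeholders.
SAMPLE_CPUINFO = """\
vendor_id   : AuthenticAMD
cpu family  : 23
model       : 113
model name  : AMD Ryzen 5 3600 6-Core Processor
microcode   : 0xAAAAAAAA

vendor_id   : AuthenticAMD
cpu family  : 23
model       : 113
model name  : AMD Ryzen 5 3600 6-Core Processor
microcode   : 0xAAAAAAAA

vendor_id   : AuthenticAMD
cpu family  : 23
model       : 8
model name  : AMD Ryzen 7 2700X Eight-Core Processor
microcode   : 0xBBBBBBBB
"""

def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict of fields per logical CPU."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        cpus.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return cpus

def is_zen2(cpu):
    """True only for an AMD CPU whose family and model fall in the Zen 2 ranges."""
    family, model = int(cpu.get("cpu family", -1)), int(cpu.get("model", -1))
    in_range = any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)
    return cpu.get("vendor_id") == "AuthenticAMD" and family == 23 and in_range

def zen2_report(text):
    """Unique (model name, microcode revision) pairs for Zen 2 CPUs, sorted."""
    hits = [c for c in parse_cpuinfo(text) if is_zen2(c)]
    return sorted({(c.get("model name", "?"), c.get("microcode", "?")) for c in hits})

if __name__ == "__main__":
    print(zen2_report(SAMPLE_CPUINFO))
```

Feed it the contents of `/proc/cpuinfo` from each host and compare the reported revision with the fixed revision AMD publishes for that processor family; the script deliberately hard-codes no "good" revision.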

Analysis: Why does it matter?

Any vulnerability that allows hackers to use malware to steal encryption keys is extremely dangerous by default. Since encryption keys are used to decrypt sensitive information such as passwords, they are considered the holy grail for hackers and threat actors. Other sensitive data, such as personal photos, email, instant messages and business-related documents, can also be protected with an encryption key, meaning that the implications of such an attack are quite widespread.

The silver lining with Zenbleed is that it is quite impractical to use, especially against regular users. As Ormandy explained, in order to abuse Zenbleed, an attacker needs local access to the target system and extensive expertise and knowledge. However, this does not make it any less dangerous, as criminals can go to any extent to extract valuable data from organizations. According to The Hacker News, Ormandy is part of Google’s Project Zero, the search engine’s cybersecurity arm known for its research on state-sponsored actors.

What makes Zenbleed even more dangerous is that it is nearly impossible to detect, since improper use of “vzeroupper” does not require elevated privileges or special system calls. In other words, hackers using this vulnerability could stay under the radar while exfiltrating sensitive information.

This exploit is similar to the dreaded Meltdown and Spectre vulnerabilities, which also take advantage of flaws during speculative execution. When news of those flaws first broke, hardware makers rushed to issue patches, and many failed. The result made endpoints sluggish, and some even outright bad. This time, AMD was more careful, suggesting that the patch may affect the device’s performance. In a statement shared with Tom’s Hardware, the company said: “Any performance impact will vary based on workload and system configuration. AMD is not aware of any known exploits of the described vulnerability outside of research environments.”

So, we can expect some impact, although AMD isn’t yet comfortable sharing any details or even generalizing on the topic. We’ll just have to wait for the benchmarks to come.

What are other people saying about Zenbleed?

In Ormandy’s Twitter thread, users mostly praised the researcher’s work, with one person even claiming that they were able to “easily recover the memory contents of a Windows host via WSL.” Others were not so impressed, as one user said the whole thing felt like “somebody jumped the gun”: “I didn’t get any vendor bios updates, no distro has microcode ready, we have to resort to chicken bits – it smells.”

BleepingComputer, on the other hand, leaves no stone unturned in telling its readers that “it is essential to keep the system up to date with the latest security patches and to apply any BIOS updates as soon as they become available.” Cloudflare said some of its servers are using CPUs from AMD’s Zen line and that it has patched its entire fleet to mitigate the potential vulnerability. “While our network is now secure from this vulnerability, we will continue to monitor for any signs of attempts to exploit the vulnerability and will report on any attempts found in the wild,” it said in a write-up.

Via: Tom’s Hardware