Tavis Ormandy, a Google security researcher, has discovered a new — and very serious — vulnerability, named Zenbleed, that affects AMD processors built on the Zen 2 architecture; these include CPU models such as the AMD Ryzen 3000, Ryzen 5000, Ryzen 7020 and Ryzen 4000 APUs.
This is a vulnerability that, according to the researcher, can allow attackers to access information held in the CPU, such as encryption keys or user login data, without needing physical access to the device. In fact, the attack can be carried out through JavaScript on a web page and can even affect virtual machines. This makes the flaw discovered in AMD Zen 2 processors especially threatening to cloud service providers.
To gain access to sensitive information held in the CPU of AMD processors, attackers only need to execute arbitrary, unprivileged code and then manipulate the register file in order to force a mispredicted instruction.
“The bug works like this: first you have to trigger something called the XMM Register Merge Optimization 2, followed by a register rename and a mispredicted vzeroupper. All of this has to happen within a precise window for it to work,” Ormandy says in a post. The Google researcher details that, in this way, attackers gain access to the data handled by operations such as strlen, strcmp and memcpy, which routinely touch sensitive information. “This works because the register file is shared by everything on the same physical core. In fact, two hyperthreads even share the same physical register file,” Ormandy details.
AMD is aware of the vulnerability and is already working on fixing it.
AMD, for its part, has confirmed that it is aware of this vulnerability, although it hints that the flaw is not serious and only occurs under specific conditions. “Under specific microarchitectural circumstances, a register on ‘Zen 2’ CPUs may not be written to 0 correctly. This can cause data from another process and/or thread to be stored in the YMM register, which can allow an attacker to potentially access sensitive information,” the company said in a statement reported by Tom’s Hardware.
The processor firm is already working on a patch to fix this vulnerability. The firmware has in fact already reached some AMD models, although for other CPUs users will have to wait until the end of the year. This is the list of affected processors:
- AMD Ryzen 3000 series processors
- AMD Ryzen PRO 3000 series processors
- AMD Ryzen Threadripper 3000 series processors
- AMD Ryzen 4000 series processors with Radeon graphics
- AMD Ryzen PRO 4000 series processors
- AMD Ryzen 5000 series processors with Radeon graphics
- AMD Ryzen 7020 series processors with Radeon graphics
- AMD EPYC “Rome” processors
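The list above is by product name, but on a Linux fleet the practical question is whether a given host reports a Zen 2 part and which microcode revision it is running. The following script is an added example written for this article; it is not code from the article, from Ormandy's post or from AMD. It parses `/proc/cpuinfo`, flags logical processors whose CPUID family is 0x17 (Zen 2, shown as `cpu family : 23`) and whose model falls in the Zen 2 ranges, and reports the microcode revision so it can be compared against the fixed versions AMD publishes. The model-to-product mapping in `ZEN2_MODEL_RANGES` is an assumption based on the publicly documented Zen 2 product lines, and the `/proc/cpuinfo` sample is constructed.

```python
"""Added example: flag Zen 2 processors exposed to Zenbleed from /proc/cpuinfo.

Not from the original article, Ormandy's post or AMD. The model ranges below
are an assumption based on the publicly documented Zen 2 product lines; fixed
microcode revisions are deliberately not embedded, so compare the reported
revision with AMD's guidance yourself.
"""

ZEN2_FAMILY = 0x17  # appears as "cpu family : 23" in /proc/cpuinfo

# (low model, high model, product line) -- assumption, see module docstring
ZEN2_MODEL_RANGES = (
    (0x30, 0x3F, "EPYC Rome / Threadripper 3000"),
    (0x60, 0x67, "Ryzen 4000 APU (Renoir)"),
    (0x68, 0x6F, "Ryzen 5000 APU (Lucienne)"),
    (0x70, 0x7F, "Ryzen 3000 (Matisse)"),
    (0xA0, 0xAF, "Ryzen 7020 APU (Mendocino)"),
)


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict per logical processor."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates processors
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def classify_cpu(cpu):
    """Return (exposed, reason) for one /proc/cpuinfo entry."""
    if cpu.get("vendor_id") != "AuthenticAMD":
        return False, "not an AMD processor"
    try:
        family = int(cpu.get("cpu family", ""))
        model = int(cpu.get("model", ""))
    except ValueError:
        return False, "family/model missing"
    if family != ZEN2_FAMILY:
        return False, "AMD family 0x%x is not Zen 2" % family
    for low, high, line_name in ZEN2_MODEL_RANGES:
        if low <= model <= high:
            ucode = cpu.get("microcode", "unknown")
            return True, "Zen 2 model 0x%x (%s), microcode %s" % (model, line_name, ucode)
    return False, "family 0x17 model 0x%x outside known Zen 2 ranges" % model


def report(text):
    """Return [(processor id, exposed, reason)] for every logical processor."""
    results = []
    for cpu in parse_cpuinfo(text):
        exposed, reason = classify_cpu(cpu)
        results.append((cpu.get("processor", "?"), exposed, reason))
    return results


# Constructed sample: one Ryzen 3000 (Matisse) core, one Zen 3 core, one Intel core.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 9 3900X 12-Core Processor
microcode\t: 0x8701021

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
model name\t: AMD Ryzen 9 5900X 12-Core Processor
microcode\t: 0xa201016

processor\t: 2
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 158
model name\t: Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
microcode\t: 0xf0
"""

if __name__ == "__main__":
    import sys
    # Run with --live to read the real /proc/cpuinfo instead of the sample.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open("/proc/cpuinfo") as fh:
            source = fh.read()
    else:
        source = SAMPLE_CPUINFO
    for proc, exposed, reason in report(source):
        print("cpu %s: %s (%s)" % (proc, "EXPOSED" if exposed else "ok", reason))
```

On the constructed sample only processor 0 is reported as exposed; the Zen 3 core (family 25) and the Intel core are not. Running it with `--live` on a real host gives the same per-processor verdict, and the microcode field tells you whether the host has already received the firmware update the article mentions.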