Posted on 25.7.2023

The discovery and mitigation of AMD Zen CPU vulnerability aka Zenbleed

Yesterday, on the 24th of July 2023, Google Project Zero published their findings of a new flaw in AMD’s Zen 2 processors. The vulnerability titled ‘Zenbleed’ affects the entire Zen 2 product stack, from AMD’s EPYC data center processors to the Ryzen 3000 CPUs. It can be exploited to steal sensitive data stored in the CPU, including encryption keys and login credentials.

After learning of the new vulnerability, which potentially affects the majority of our server infrastructure, we immediately began evaluating and implementing the recommended mitigation measures. By the end of the day on the 24th of July (UTC), we had live-patched all potentially impacted servers in our infrastructure with AMD’s microcode to mitigate the vulnerability.

At this stage, all fixes have been applied and no actions are required from customers.

Vulnerability

Speculative execution attacks have previously been used to compromise CPU registers by taking advantage of the speculative execution capabilities that modern CPUs use to speed up processing.

Speculative execution is an optimization technique where the CPU performs work before it is known whether that work is actually needed. Doing so saves time when the prediction is correct. If it turns out the work was not needed, most changes are reverted and the results are ignored.

The researchers of Project Zero at Google Information Security discovered a vulnerability in AMD’s Zen 2-architecture-based CPUs which allowed reading data from a register belonging to another process or thread. This can potentially give an attacker access to sensitive data, which in a public cloud includes data belonging to neighboring Cloud Servers.

The vulnerability is caused by a register not being correctly reset to 0 under specific microarchitectural circumstances. Although this error is associated with speculative execution, it is not a side-channel vulnerability.

Mitigation

Project Zero reported the vulnerability to AMD on the 15th of May 2023. The vulnerability, tracked as CVE-2023-20593, has a CVSS score of 6.5 (Medium) due to the exact timing needed for its execution.

At the time of publication, AMD released a microcode update for the affected processors. Their mitigation is implemented via a model-specific register (MSR) setting that turns off a floating point optimization that otherwise would have allowed a move operation. In our testing, applying this mitigation has not had a detrimental impact on overall server performance.

The microcode update has been rolled out to our cloud infrastructure, much of which runs on the potentially affected AMD Zen processors. We were able to apply the patch within hours of the vulnerability’s disclosure, and at this time, we have not seen any evidence of this vulnerability having been exploited.
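One way to verify such a rollout on a Linux host, as an added example that is not UpCloud's or AMD's code: it parses `/proc/cpuinfo`-style text for AMD family 17h CPUs whose microcode revision is below a minimum the operator takes from AMD's bulletin, and decodes bit 9 of the DE_CFG MSR (0xC0011029), the register bit behind the MSR-based workaround. The MSR number and bit are not stated on this page, the function names are hypothetical, and the sample revision numbers are constructed.

```python
import re

AMD_FAMILY_17H = 23        # "cpu family" is printed in decimal; 17h also covers Zen 1/Zen+
DE_CFG_MSR = 0xC0011029    # AMD DE_CFG model-specific register
FP_BACKUP_FIX = 1 << 9     # DE_CFG bit 9: software workaround bit for this issue

# Constructed sample: two logical CPUs, one of which missed the live microcode load.
# The revision numbers are made up for the example, not real AMD revisions.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
microcode\t: 0x2000

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
microcode\t: 0x1fff
"""

def parse_cpuinfo(text):
    """Return one dict of fields per logical CPU."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus

def stale_cpus(text, min_revision):
    """Return (cpu, revision) for AMD family 17h CPUs below min_revision."""
    stale = []
    for cpu in parse_cpuinfo(text):
        if cpu.get("vendor_id") != "AuthenticAMD":
            continue
        if int(cpu.get("cpu family", "0")) != AMD_FAMILY_17H:
            continue
        revision = int(cpu.get("microcode", "0x0"), 16)
        if revision < min_revision:
            stale.append((int(cpu["processor"]), revision))
    return stale

def workaround_enabled(de_cfg_value):
    """True if a value read from DE_CFG_MSR has the workaround bit set."""
    return bool(de_cfg_value & FP_BACKUP_FIX)
```

On a real host, pass the contents of `/proc/cpuinfo` to `stale_cpus` and a DE_CFG value read with a tool such as `rdmsr` to `workaround_enabled`; an empty list means every family 17h core reports at least the required revision.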

We will continue to monitor the situation closely.

As always, we highly recommend that all our users keep their Cloud Servers up to date with the security updates provided by their operating system vendor.

Should you have any further questions, please don’t hesitate to contact our support staff.

Janne Ruostemaa

Editor-in-Chief
