The discovery and mitigation of AMD Zen CPU vulnerability aka Zenbleed

Author: Janne Ruostemaa, Editor-in-Chief

Type: Blog
Category: Announcements

Posted on 25 July 2023

Yesterday, on the 24th of July 2023, Google Project Zero published their findings of a new flaw in AMD’s Zen 2 processors. The vulnerability titled ‘Zenbleed’ affects the entire Zen 2 product stack, from AMD’s EPYC data center processors to the Ryzen 3000 CPUs. It can be exploited to steal sensitive data stored in the CPU, including encryption keys and login credentials.

After learning of the new vulnerability, which potentially affected the majority of our server infrastructure, we immediately began evaluating and implementing the recommended mitigation measures. By the end of the day on 24 July (UTC), we had live-patched our entire infrastructure of potentially impacted servers with AMD’s microcode to mitigate this newly discovered vulnerability.

At this stage, all fixes have been applied and no actions are required from customers.

Vulnerability

Speculative execution attacks have previously been used to compromise the contents of CPU registers by taking advantage of the speculative execution capabilities that modern CPUs use to speed up processing.

Speculative execution is an optimization technique in which the CPU performs work before it is known whether that work is actually needed. Doing so saves time when the prediction is correct; if it turns out the work was not needed, most changes are reverted and the results are discarded.

The researchers of Project Zero at Google Information Security discovered a vulnerability in AMD’s Zen 2-architecture-based CPUs which allowed reading data from a register belonging to another process or thread. This could give an attacker access to sensitive data, which in a public cloud may include data belonging to neighboring Cloud Servers.

The vulnerability is caused by a register not being correctly zeroed under specific microarchitectural circumstances. Although this error is associated with speculative execution, it is not a side-channel vulnerability.

Mitigation

Project Zero reported the vulnerability to AMD on the 15th of May 2023. The vulnerability CVE-2023-20593 is classified with a CVSS score of 6.5 (Medium) due to the exact timing needed for its execution.

Alongside the publication, AMD released a microcode update for the affected processors. Their mitigation is applied via a model-specific register (MSR) setting, which turns off a floating-point optimization that would otherwise permit the affected move operation. In our testing, applying this mitigation has not had a detrimental impact on overall server performance.
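A host-side check of the kind an operator would run after a rollout like this, as an added example that is not UpCloud's code. It identifies Zen 2 parts from /proc/cpuinfo and reads the AMD DE_CFG MSR (0xc0011029), whose bit 9 is the mitigation setting the post refers to; the family 0x17 model ranges are an assumption drawn from public lists of Zen 2 parts and should be checked against AMD's advisory, and the /proc/cpuinfo sample is constructed.

```python
"""Host-side Zenbleed triage (added example, not UpCloud's tooling): is this CPU a
Zen 2 part, and is the DE_CFG[9] software mitigation bit set?"""
from typing import Optional

MSR_DE_CFG = 0xC0011029      # AMD DE_CFG MSR; bit 9 disables the FP optimisation
ZENBLEED_FIX_BIT = 9
# Family 0x17 model ranges covering Zen 2 parts (assumption; verify against AMD's advisory).
ZEN2_MODEL_RANGES = ((0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF))

def parse_cpuinfo(text: str) -> dict:
    """Key/value fields of the first processor block in /proc/cpuinfo text."""
    info = {}
    for line in text.split("\n\n", 1)[0].splitlines():
        key, sep, val = line.partition(":")
        if sep:
            info[key.strip()] = val.strip()
    return info

def is_zen2(info: dict) -> bool:
    """True for AuthenticAMD family 0x17 parts whose model falls in a Zen 2 range."""
    if info.get("vendor_id") != "AuthenticAMD" or int(info.get("cpu family", 0)) != 0x17:
        return False
    model = int(info.get("model", -1))
    return any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)

def fix_bit_set(msr_value: int) -> bool:
    return bool((msr_value >> ZENBLEED_FIX_BIT) & 1)

def read_msr(cpu: int = 0, addr: int = MSR_DE_CFG) -> Optional[int]:
    """Read an MSR through the msr kernel module (root + modprobe msr); None if unavailable."""
    try:
        with open(f"/dev/cpu/{cpu}/msr", "rb") as f:
            f.seek(addr)
            return int.from_bytes(f.read(8), "little")
    except OSError:
        return None

def triage(cpuinfo_text: str, msr_value: Optional[int]) -> str:
    """Classify a host; 'fixbit-clear' on patched microcode is expected (see note)."""
    if not is_zen2(parse_cpuinfo(cpuinfo_text)):
        return "not-zen2"
    if msr_value is None:
        return "zen2-msr-unreadable"
    return "zen2-fixbit-set" if fix_bit_set(msr_value) else "zen2-fixbit-clear"

# Constructed sample: a Zen 2 EPYC (family 23, model 49 = 0x31) as /proc/cpuinfo shows it.
SAMPLE_CPUINFO = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49

processor\t: 1
"""
```

On a live host, run `triage(open("/proc/cpuinfo").read(), read_msr())` as root. The DE_CFG[9] bit is the fallback for hosts that cannot load the new microcode; on a host running AMD's updated microcode it is normally left clear, so "zen2-fixbit-clear" means verify the microcode revision, not that the host is unmitigated.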

The microcode update has been rolled out to our cloud infrastructure, much of which runs on the potentially affected AMD Zen processors. We were able to apply the patch within hours of the vulnerability’s disclosure, and at this time, we have not seen any evidence of this vulnerability having been exploited.

We will continue to monitor the situation closely.

As always, we highly recommend that all our users keep their Cloud Servers up to date with the security updates provided by their operating system vendor.

Should you have any further questions, please don’t hesitate to contact our support staff.

