Yesterday, on the 24th of July 2023, Google Project Zero published their findings on a new flaw in AMD’s Zen 2 processors. The vulnerability, named ‘Zenbleed’, affects the entire Zen 2 product stack, from AMD’s EPYC data center processors to the Ryzen 3000 CPUs. It can be exploited to steal sensitive data stored in the CPU, including encryption keys and login credentials.
After learning of the new vulnerability potentially affecting the majority of our server infrastructure, we immediately began evaluating and implementing the recommended mitigation measures. By the end of the day on the 24th of July (UTC), we had live-patched our entire infrastructure of potentially impacted servers with AMD’s microcode to mitigate this newly discovered vulnerability.
At this stage, all fixes have been applied and no actions are required from customers.
Vulnerability
Speculative execution attacks have previously been used to compromise CPU registers by taking advantage of the speculative execution capabilities that modern CPUs use to speed up processing.
Speculative execution is an optimization technique where the CPU performs tasks before it is known whether they are actually needed. Doing so saves time when the prediction is correct. If it turns out the work was not needed, most changes are reverted and the results are ignored.
The researchers of Project Zero at Google Information Security discovered a vulnerability in AMD’s Zen 2-architecture-based CPUs which allowed reading data from the register belonging to another process or thread. This can potentially give an attacker access to sensitive data, including, in a public cloud, data belonging to neighboring Cloud Servers.
The vulnerability is caused by a register not being correctly reset to 0 under specific microarchitectural circumstances. Although this error is associated with speculative execution, it is not a side-channel vulnerability.
Mitigation
Project Zero reported the vulnerability to AMD on the 15th of May 2023. The vulnerability CVE-2023-20593 is classified with a CVSS score of 6.5 (Medium) due to the exact timing needed for its execution.
At the time of publication, AMD released a microcode update for the affected processors. Their mitigation is implemented via a model-specific register (MSR), which turns off a floating point optimization that otherwise would have allowed a move operation. In our testing, applying this mitigation has not had a detrimental impact on overall server performance.
The microcode update has been rolled out to our cloud infrastructure, much of which runs on the potentially affected AMD Zen processors. We were able to apply the patch within hours of the vulnerability’s disclosure, and at this time, we have not seen any evidence of this vulnerability having been exploited.
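An added example (not our own or AMD's tooling) of how an operator could verify such a rollout on a Linux host: it parses `/proc/cpuinfo`, identifies Zen 2 cores by family and model, and checks that every core reports the same microcode revision. The model ranges follow the Linux kernel's Zen 2 classification and are an assumption here; the sample input and its microcode values are constructed placeholders.

```python
import re

# Zen 2 is AMD family 0x17 (23). Model ranges follow the Linux kernel's Zen 2
# classification; treat them as an assumption of this example.
ZEN2_MODELS = [(0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF)]

def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict per logical CPU."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus

def is_zen2(cpu):
    """True if the vendor, family and model fields identify a Zen 2 core."""
    try:
        family, model = int(cpu["cpu family"]), int(cpu["model"])
    except (KeyError, ValueError):
        return False
    return (cpu.get("vendor_id") == "AuthenticAMD" and family == 0x17
            and any(lo <= model <= hi for lo, hi in ZEN2_MODELS))

def assess(text):
    """Summarise Zen 2 exposure and the microcode revisions the cores report."""
    zen2 = [c for c in parse_cpuinfo(text) if is_zen2(c)]
    revisions = sorted({c.get("microcode", "unknown") for c in zen2})
    # A live (late-loaded) update must reach every core: more than one
    # revision means some cores still run the old microcode.
    return {"zen2_cpus": len(zen2), "microcode_revisions": revisions,
            "consistent": len(revisions) <= 1}

# Constructed sample: two logical CPUs of one Zen 2 part (model 49 = 0x31).
# The microcode values are placeholders, not real AMD revision numbers.
SAMPLE = (
    "processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 23\n"
    "model\t\t: 49\nmicrocode\t: 0xAAAAAAAA\n\n"
    "processor\t: 1\nvendor_id\t: AuthenticAMD\ncpu family\t: 23\n"
    "model\t\t: 49\nmicrocode\t: 0xBBBBBBBB\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The revision each core reports still has to be compared with the fixed revision AMD publishes for that CPU model; that table is not reproduced here.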
We will continue to monitor the situation closely.
As always, we highly recommend that all our users keep their Cloud Servers up to date with the security updates provided by their operating system vendor.
Should you have any further questions, please don’t hesitate to contact our support staff.