Posted on 25.7.2023

The discovery and mitigation of the AMD Zen CPU vulnerability aka Zenbleed

Yesterday, on the 24th of July 2023, Google Project Zero published their findings of a new flaw in AMD’s Zen 2 processors. The vulnerability titled ‘Zenbleed’ affects the entire Zen 2 product stack, from AMD’s EPYC data center processors to the Ryzen 3000 CPUs. It can be exploited to steal sensitive data stored in the CPU, including encryption keys and login credentials.

After learning of the new vulnerability potentially affecting the majority of our server infrastructure, we immediately began evaluating and implementing the recommended mitigation measures. By the end of the day on the 24th of July (UTC), we had live-patched our entire infrastructure of potentially impacted servers with AMD’s microcode to mitigate this newly discovered vulnerability.

At this stage, all fixes have been applied and no actions are required from customers.

Vulnerability

Speculative execution attacks have previously been used to leak the contents of CPU registers by taking advantage of the speculative execution capabilities that modern CPUs use to speed up processing.

Speculative execution is an optimization technique where the CPU performs work before it is known whether that work is actually needed. Doing so saves time when the prediction is correct; if it turns out the work was not needed, most of its effects are reverted and the results are discarded.

The researchers of Project Zero at Google Information Security discovered a vulnerability in AMD’s Zen 2-architecture-based CPUs which allows reading data from registers belonging to another process or thread. This can potentially give an attacker access to sensitive data and, in a public cloud, to data from neighboring Cloud Servers.

The vulnerability is caused by a register not being correctly zeroed under specific microarchitectural circumstances. Although the bug is associated with speculative execution, it is not a side-channel vulnerability.

Mitigation

Project Zero reported the vulnerability to AMD on the 15th of May 2023. The vulnerability CVE-2023-20593 is classified with a CVSS score of 6.5 (Medium) due to the exact timing needed for its execution.

At the time of publication, AMD released a microcode update for the affected processors. Their mitigation is implemented through a model-specific register (MSR) setting that turns off a floating point optimization which would otherwise allow the problematic move operation. In our testing, applying this mitigation has not had a detrimental impact on overall server performance.
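For operators who want to verify the state of their own hosts rather than take the patch status on trust, the following script is an added example (not part of this post and not UpCloud’s own tooling). It parses /proc/cpuinfo to identify Zen 2 parts (AMD family 0x17), compares the loaded microcode revision against the minimum fixed revisions that the Linux kernel’s Zenbleed check uses, and, where the msr module is loaded and the script runs as root, reads the DE_CFG MSR to see whether the workaround bit has been set in place of new microcode. The model ranges, fixed revisions (taken from arch/x86/kernel/cpu/amd.c), the MSR address 0xC0011029 and bit 9 are assumptions from public kernel and Project Zero material, not values stated in this post; the sample /proc/cpuinfo block is constructed.

```python
import os

# Zen 2 is AMD family 0x17. Model ranges and the first microcode revision
# carrying AMD's fix, as used by the Linux kernel's Zenbleed check
# (arch/x86/kernel/cpu/amd.c). Assumption: copied from kernel source, not
# from the advisory text above.
ZEN2_FIXED_MICROCODE = [
    ((0x30, 0x3F), 0x0830107A),
    ((0x60, 0x67), 0x0860010B),
    ((0x68, 0x6F), 0x08608105),
    ((0x70, 0x7F), 0x08701032),
    ((0xA0, 0xAF), 0x08A00008),
]

# AMD DE_CFG MSR and the workaround bit from Project Zero's public write-up
# (wrmsr -a 0xc0011029 ... | (1<<9)). Assumed values, not from this post.
DE_CFG_MSR = 0xC0011029
ZENBLEED_FIX_BIT = 1 << 9

# Constructed sample of the first block of /proc/cpuinfo on a Zen 2 host
# (model 49 = 0x31) running microcode older than the fixed revision.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: constructed Zen 2 sample
microcode\t: 0x8301038

processor\t: 1
"""


def parse_cpuinfo(text):
    """Return (vendor, family, model, microcode) for the first CPU block in /proc/cpuinfo text."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break  # the first processor block ends at the first blank line
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return (
        fields.get("vendor_id", ""),
        int(fields.get("cpu family", "0")),      # decimal in /proc/cpuinfo
        int(fields.get("model", "0")),           # decimal in /proc/cpuinfo
        int(fields.get("microcode", "0x0"), 16),  # hex string such as 0x8301038
    )


def fixed_microcode_for(model):
    """Minimum fixed microcode revision for a Zen 2 model, or None if the model is not in the table."""
    for (lo, hi), rev in ZEN2_FIXED_MICROCODE:
        if lo <= model <= hi:
            return rev
    return None


def assess(vendor, family, model, microcode, de_cfg=None):
    """Classify a host as not-affected, mitigated-microcode, mitigated-msr or vulnerable."""
    if vendor != "AuthenticAMD" or family != 0x17:
        return "not-affected"
    needed = fixed_microcode_for(model)
    if needed is None:
        return "not-affected"
    if microcode >= needed:
        return "mitigated-microcode"
    # Old microcode, but the kernel or an operator may have set the DE_CFG bit.
    if de_cfg is not None and de_cfg & ZENBLEED_FIX_BIT:
        return "mitigated-msr"
    return "vulnerable"


def read_de_cfg(cpu=0):
    """Read DE_CFG via /dev/cpu/N/msr (needs the msr module and root); None if unavailable."""
    try:
        fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    except OSError:
        return None
    try:
        # The msr device returns the 8-byte MSR whose number is the file offset.
        return int.from_bytes(os.pread(fd, 8, DE_CFG_MSR), "little")
    except OSError:
        return None
    finally:
        os.close(fd)


if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        info = parse_cpuinfo(f.read())
    print(assess(*info, de_cfg=read_de_cfg()))
```

Run it as root on each host; a result of "vulnerable" on a Zen 2 machine means neither the microcode nor the MSR workaround is in place, while "mitigated-msr" indicates the chicken bit was set without updated microcode, which is worth recording because it does not survive a reboot unless the kernel or a boot-time service reapplies it.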

The microcode update has been rolled out to our cloud infrastructure, much of which runs on the potentially affected AMD Zen processors. We were able to apply the patch within hours of the vulnerability’s disclosure, and at this time, we have not seen any evidence of this vulnerability having been exploited.

We will continue to monitor the situation closely.

As always, we highly recommend that all our users keep their Cloud Servers up to date with the security updates provided by their operating system vendor.

Should you have any further questions, please don’t hesitate to contact our support staff.

Janne Ruostemaa

Editor-in-Chief
