Encryption-breaking, password-leaking bug in many AMD CPUs could take months to fix

AMD

A recently disclosed bug in many of AMD’s newer consumer, workstation, and server processors can cause the chips to leak data at a rate of up to 30 kilobytes per core per second, writes Tavis Ormandy, a member of Google’s Project Zero security team. Executed properly, the so-called “Zenbleed” vulnerability (CVE-2023-20593) could give attackers access to encryption keys and root and user passwords, along with other sensitive data from any system using a CPU based on AMD’s Zen 2 architecture.

The bug allows attackers to swipe data from a CPU’s registers. Modern processors attempt to speed up operations by guessing what they’ll be asked to do next, called “speculative execution.” But sometimes the CPU guesses wrong; Zen 2 processors don’t properly recover from certain kinds of mispredictions, which is the bug that Zenbleed exploits to do its thing.

The bad news is that the exploit doesn’t require physical hardware access and can be triggered by loading JavaScript on a malicious website (according to networking company Cloudflare). The good news is that, at least for now, there don’t seem to be any cases of this bug being exploited in the wild yet, though this could change quickly now that the vulnerability has been disclosed, and the bug requires precise timing to exploit.

“AMD is not aware of any known exploit of the described vulnerability outside the research environment,” the company told Tom’s Hardware. Cloudflare also says there is “no evidence of the bug being exploited” on its servers.

Since the vulnerability is in the hardware, a firmware update from AMD is the best way to fully fix it; Ormandy says it is also fixable via a software update, but it “may have some performance cost.” The bug affects all processors based on AMD’s Zen 2 architecture, including several Ryzen desktop and laptop processors, EPYC 7002-series chips for servers, and Threadripper 3000- and 3000 Pro WX-series CPUs for workstations.

Advertisement

AMD has already issued a firmware update mitigating the issue for servers running the EPYC 7002 chips—arguably the most important of the patches since a busy server running multiple virtual machines is a more lucrative target for hackers than individual consumer PCs.

AMD says that “any performance impact will vary depending on workload and system configuration” but hasn’t provided additional details.

When will I get a patch?

The Zen 2 architecture first came to consumer systems around four years ago in the form of the AMD Ryzen 3000 series; the Ryzen 5 3600 was especially popular among PC builders. But AMD’s habit of mixing-and-matching processor architectures in recent CPU generations means that there are some Zen 2 chips sprinkled across the Ryzen 4000, 5000, and 7000 lineups as well, affecting some new systems as well as older ones.

CPU Released Planned fix AGESA version with fixes
Ryzen 3000 (desktop) Mid-2019 December 2023 ComboAM4v2PI_1.2.0.C
Ryzen 4000G (desktop) Mid-2020 December 2023 ComboAM4v2PI_1.2.0.C
Ryzen 4000 (laptop) Early-mid 2020 November 2023 RenoirPI-FP6_1.0.0.D
Ryzen 5700U/5500U/5300U (laptop) Early 2021 December 2023 CezannePI-FP6_1.0.1.0
Ryzen 7020 (laptop) Late 2022 December 2023 MendocinoPI-FT6_1.0.0.6
Ryzen Threadripper 3000 Late 2019 October 2023 CastlePeakPI-SP3r3 1.0.0.A
Ryzen Threadripper Pro 3000WX Mid-2020 November/December 2023 CastlePeakWSPI-sWRX8 1.0.0.C/ChagallWSPI-sWRX8 1.0.0.7
EPYC 7002 Mid-2019 Patch available RomePI 1.0.0.H

If you’re using Ryzen desktop processors, all Ryzen 3000-series and Ryzen 4000G-series chips (but not Ryzen 3000G, which uses an older Zen version) are vulnerable to Zenbleed. AMD plans to release a firmware fix by December, though your motherboard or PC manufacturer will be responsible for distributing the update.

Laptops are a bit trickier. Most Ryzen 4000-series laptop CPUs use Zen 2, and AMD plans to have an update ready for them in November. Many of the Ryzen 5000-series laptop CPUs transitioned to Zen 3, but the Ryzen 7 5700U, Ryzen 5 5500U, and Ryzen 3 5300U continued to use Zen 2. And the Ryzen 7020-series CPUs released in late 2022 for budget systems also use Zen 2. AMD plans to release an update for the 5000- and 7000-series chips in December.

AMD plans to release an update for Threadripper 3000-series systems in October and fixes for Threadripper Pro 3000WX-series systems in November and December.

commentaires

LAISSER UN COMMENTAIRE

S'il vous plaît entrez votre commentaire!
S'il vous plaît entrez votre nom ici

Le plus populaire