What Is Encryption

Understanding Zenbleed: A Critical Vulnerability in AMD’s Zen 2 Processors

3 min read
Daniel Feuster

On July 24, 2023, the Google Information Security Team revealed a vulnerability in AMD's Zen 2 processors, they named it Zenbleed. This vulnerability affects a wide range of Zen 2 products, from data center processors to consumer-grade CPUs, and can be exploited to steal sensitive data such as encryption keys and login credentials. While the attack currently requires the ability to execute native code on the affected machine, the potential implications for data security are concerning.

While AMD identified this vulnerability as a medium or moderate security risk, we treated this as critical. We promptly updated our servers using AMD's Zen CPUs. We mitigated this vulnerability, including testing and deploying a patch for our Managed WordPress, Linux with cPanel, and Advanced Hosting VPS/Dedicated platforms.

Our mitigation effort consisted of identifying the affected servers and setting a chicken bit. We chose this path over the microcode update due to potential performance issues and incompatibility with our current kernel in production. We made a subsequent deployment to ensure persistence upon reboot once we determined the fix was stable.

We have been actively monitoring our environment since installing the patch, which was completed on July 26, 2023, and we believe the changes meet or exceed our Service Level Agreements (SLA) for our platforms based on performance.

Additional details about Zenbleed

Understanding the Zenbleed vulnerability requires knowledge of CPU program execution. The arithmetic logic unit (ALU) is the central part of the CPU responsible for mathematical tasks. Data passes through various storage systems to reach the ALU, including secondary, primary, cache, and CPU registers. The Zenbleed attack focuses on CPU registers, which store 32 or 64 bits of information and are used by the ALU for operations.

Advanced Vector Extensions (AVX) were developed to enable fast calculations for CPUs. These extensions, relevant to Intel and AMD x86-based CPUs, use 16 YMM registers, 256 bits each, to handle complex tasks like data compression and cryptographic computations. AVX registers have become a target for potential malicious activity, as they are used in operations involving sensitive data.

The Zenbleed vulnerability allows storing data from another process or thread in the YMM registers, potentially granting attackers access to sensitive information. This vulnerability occurs when a register is incorrectly written to 0 under specific microarchitectural circumstances. It is not a side-channel vulnerability but involves speculative execution.

The Zenbleed attack exploits speculative execution to reset the z-bit flag and dump the content of a register. The vzeroupper instruction, which zeros out the upper half of AVX registers, is speculatively executed by exploiting a conditional branch misprediction. When the misprediction is rolled back, the AVX register is left undefined, allowing attackers to access random data from the physical register file of the same CPU core. This could compromise the data of other processes, similar to a use-after-free vulnerability.

The vulnerability poses a significant risk as the register file is shared by all processes on the same physical core, enabling attackers to eavesdrop on system operations by monitoring data transfer between the CPU and the rest of the computer. However, successfully exploiting this vulnerability requires precise timing, which is difficult to achieve without the ability to execute native code on the affected machine.

Products Used