Official forum for Utopia Community
The Zen 2 architecture-based processors from AMD have a new security flaw that could be used to extract private information like encryption keys and passwords.
Code-named Zenbleed by Google Project Zero researcher Tavis Ormandy and tracked as CVE-2023-20593 (CVSS score: 6.5), the bug permits data exfiltration at a rate of 30 kb per core, per second.
The problem belongs to a larger class of flaws known as speculative execution attacks, which abuse a widely used optimization method in contemporary CPUs to access cryptographic keys from CPU registers.
According to AMD's advisory, a register in "Zen 2" CPUs "may not be written to 0 correctly" under certain microarchitectural conditions. "This could result in data from another process and/or thread being saved in the YMM register, potentially allowing an attacker to access sensitive data."
The web infrastructure provider Cloudflare pointed out that the attack could even be executed remotely through JavaScript on a website, negating the need for physical access to the computer or server.
Cloudflare researchers Derek Chamorro and Ignat Korchagin found that vectorized operations could be carried out very effectively using the YMM registers. Applications that process a lot of data have a lot to gain from them, but malicious activity is increasingly focusing on them.
This attack forces an incorrect command by modifying register files. The register file is shared by all processes running on the same physical core, so this exploit can be used to eavesdrop on even the most basic system operations by watching the data being transferred between the CPU and the rest of the computer, they added.
Although there is no proof that the bug has been used in the wild, it is crucial to apply the microcode updates as soon as they are made available through original equipment manufacturers (OEMs) in order to reduce potential risk.
Update.
Wiz, a cloud security company, has issued a warning that "62 percent of AWS environments are running EC2 instances with Zen 2 CPUs and may therefore be affected by Zenbleed." In a separate alert, Google stated that the fixes had already been made to its fleet of servers for the Google Cloud Platform. Amazon Web Services (AWS), which is currently "testing the stability" of the update, is expected to fix the problem as soon as that process is finished.
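A host-side check for the microcode advice above, as an added example that is not part of the original post: it parses `/proc/cpuinfo`-style text, flags Zen 2 parts, and compares each core's loaded microcode revision with a minimum you supply. The Zen 2 model ranges follow the Linux kernel's classification and are an assumption here; the function names, the sample text and the revision values are constructed, and the real fixed revisions must come from AMD's advisory.

```python
import re

# Assumption (not from the post): Zen 2 is AMD family 0x17 (23) with these
# model ranges, following the Linux kernel's CPU classification.
ZEN2_MODELS = [(0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF)]

# Constructed /proc/cpuinfo excerpt: two logical CPUs, the second one still
# on an older microcode revision. All values are made up.
SAMPLE = """\
vendor_id : AuthenticAMD
cpu family : 23
model : 49
microcode : 0x2000

vendor_id : AuthenticAMD
cpu family : 23
model : 49
microcode : 0x1000
"""

def parse_cpuinfo(text):
    """Return one dict of fields per logical CPU (blank-line separated)."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [{k.strip(): v.strip() for k, sep, v in
             (line.partition(":") for line in b.splitlines()) if sep}
            for b in blocks if b.strip()]

def is_zen2(cpu):
    if cpu.get("vendor_id") != "AuthenticAMD" or cpu.get("cpu family") != "23":
        return False
    model = cpu.get("model", "")
    return model.isdigit() and any(lo <= int(model) <= hi for lo, hi in ZEN2_MODELS)

def assess(text, fixed_revisions):
    """fixed_revisions (hypothetical input): model -> minimum patched
    microcode revision as int, filled in from the vendor advisory."""
    zen2 = [c for c in parse_cpuinfo(text) if is_zen2(c)]
    if not zen2:
        return "not-zen2"
    results = set()
    for cpu in zen2:
        minimum = fixed_revisions.get(int(cpu["model"]))
        raw = cpu.get("microcode", "")
        if minimum is None or not re.fullmatch(r"0x[0-9a-fA-F]+", raw):
            results.add("unknown")
        else:
            results.add("patched" if int(raw, 16) >= minimum else "needs-update")
    # Worst case wins: one core on old microcode leaves the host exposed.
    return next(s for s in ("needs-update", "unknown", "patched") if s in results)
```

In a cloud guest the `microcode` field shows what the hypervisor exposes, so the result there is informational and the host update remains the provider's job.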