AMD's Zen 2-based CPUs, which include popular chips like the Ryzen 5 3600, 3700X, and more, are vulnerable to a use-after-free vulnerability. AMD updated its security bulletin and the new article has been published with the ID AMD-SB-7008.
For desktops, AMD's Ryzen 3000 series (Mattise), Ryzen 4000 and 4000G series (Renoir) are on the list; meanwhile, for mobile, list includes Ryzen 5000 (Lucienee), Ryzen 4000 (Renoir), and Ryzen 7020 (Mendocino).
AMD's security bulletin summarizes the new vulnerability which is being tracked under ID CVE-2023-20593, and also lists the AGESA firmware which will patch the Zenbleed vulnerability. Most of these are planned for release around October to December of 2023:
Summary
Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.
CVE Details
CVE
Severity
CVE Description
CVE-2023-20593
Medium
An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
Mitigation
AMD recommends applying the µcode patch listed below for AMD EPYC™ 7002 Processors, and applying BIOS updates that include the following AGESA™ firmware versions for other affected products. AMD plans to release to the Original Equipment Manufacturers (OEM) the AGESA™ versions on the target dates listed below. Please refer to your OEM for the BIOS update specific to your product.
DATA CENTER
Mitigation detail
Update to versions listed or higher
2nd Gen AMD EPYC™ Processors
“Rome”
µcode
0x0830107A
AGESA™ firmware
RomePI 1.0.0.H
DESKTOP
Mitigation details
Update to versions listed or higher
AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics
“Renoir” AM4AGESA™ firmware
ComboAM4v2PI_1.2.0.C (Target Dec 2023)
ComboAM4PI_1.0.0.C
(Target Dec 2023)
ComboAM4v2PI_1.2.0.C (Target Dec 2023)
HIGH END DESKTOP (HEDT)
Mitigation details
Update to versions listed or higher
AMD Ryzen™ Threadripper™ 3000 Series Processors
“Castle Peak” HEDTAGESA™ firmware
CastlePeakPI-SP3r3 1.0.0.A
(Target Oct 2023)
WORKSTATION
Mitigation details
Update to versions listed or higher
AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors
“Castle Peak” WS SP3AGESA™ firmware
CastlePeakWSPI-sWRX8 1.0.0.C
(Target Nov 2023)
ChagallWSPI-sWRX8 1.0.0.7
(Target Dec 2023)
MOBILE - AMD Ryzen™ Series
Mitigation details
Update to versions listed or higher
AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics
“Lucienne”AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics
“Renoir”AGESA™ firmware
CezannePI-FP6_1.0.1.0
(Target Dec 2023)
RenoirPI-FP6_1.0.0.D
(Target Nov 2023)
MendocinoPI-FT6_1.0.0.6
(Target Dec 2023)
Tavis Ormandy, a security vulnerability researcher at Google, discovered the flaw which they explained in their blog post. The issue is related to 128-bit registers (XMM) and incorrect recovery from a mispredicted vzeroupper. Ormandy writes:
It turns out that with precise scheduling, you can cause some processors to recover from a mispredicted vzeroupper incorrectly!
The bug works like this, first of all you need to trigger something called the XMM Register Merge Optimization, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work.
We now know that basic operations like strlen, memcpy and strcmp will use the vector registers - so we can effectively spy on those operations happening anywhere on the system! It doesn’t matter if they’re happening in other virtual machines, sandboxes, containers, processes, whatever!
This works because the register file is shared by everything on the same physical core. In fact, two hyperthreads even share the same physical register file.
In case you are unaware, Use-After-Free (UAF) is a security flaw that occurs when a program or application fails to properly manage the memory pointer after a dynamic memory portion has been freed, which in turn can lead to code execution by an attacker.
A pointer stores data related to a certain address of the memory that is being used by the application. But dynamic memory is constantly flushed and reallocated for use by different apps. However, if that pointer is not set to null once its corresponding memory space has been freed or unallocated, attackers can successfully exploit that pointer data to gain access to that same memory portion to now pass arbitrary malicious code. This is why the vulnerability is named Use-After-Free.
In a statement to Tom's Hardware, AMD suggested that performance impact, if any, will vary depending on workload and system configuration, though there are no exploitations of it in the wild.
Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploit of the described vulnerability outside the research environment.
We will update the article if more information is available on the topic.
9 Comments - Add comment