New Flaw in AMD Zen 2 Processors Puts Encryption Keys and Passwords at Risk

silversurfer

A new security vulnerability has been discovered in AMD's Zen 2 architecture-based processors that could be exploited to extract sensitive data such as encryption keys and passwords.

Discovered by Google Project Zero researcher Tavis Ormandy, the flaw – codenamed Zenbleed and tracked as CVE-2023-20593 (CVSS score: 6.5) – allows data exfiltration at the rate of 30 kb per core, per second.

The issue is part of a broader category of weaknesses called speculative execution attacks, in which the optimization technique widely used in modern CPUs is abused to access cryptographic keys from CPU registers.

"Under specific microarchitectural circumstances, a register in 'Zen 2' CPUs may not be written to 0 correctly," AMD explained in an advisory. "This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information."
 

JustInTime

AMD 'Zenbleed' bug allows Meltdown-like data leakage

What's hit?

The bug affects all AMD Zen 2 processors including the following series: Ryzen 3000; Ryzen Pro 3000; Ryzen Threadripper 3000; Ryzen 4000 Pro; Ryzen 4000, 5000, and 7020 with Radeon Graphics; and Epyc Rome datacenter processors.
A microcode patch for Epyc 7002 processors is available now. As for the rest of its affected silicon: AMD is targeting December 2023 for updates for desktop systems (eg, Ryzen 3000 and Ryzen 4000 with Radeon); October for high-end desktops (eg, Threadripper 3000); November and December for workstations (eg, Threadripper Pro 3000); and November to December for mobile (laptop-grade) Ryzens. Shared systems are the priority, it would seem, which makes sense given the nature of the design blunder.

Ormandy noted at least some microcode updates from AMD are making their way into the Linux kernel. OpenBSD has some details here. Our advice is to keep an eye out for AMD's Zenbleed microcode updates, and for any security updates for your operating system, and apply them as necessary when available. There's no word yet on whether there will be a performance hit from installing these but we can imagine it'll mostly depend on your workloads.
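
A defender-side check for the advice in the post above, as an added example that is not part of the original posts or of AMD's advisory: it reads `/proc/cpuinfo`-style text, reports whether the CPU is a Zen 2 part, and prints the loaded microcode revision so it can be compared against the fixed revision AMD publishes. The Zen 2 model ranges are an assumption taken from the Linux kernel's family 17h classification, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: identify AMD Zen 2 hosts and show their microcode revision.
# Assumption (not from the thread): Zen 2 = AuthenticAMD, family 0x17 (23),
# model in 0x30-0x4f, 0x60-0x7f, 0x90-0x91 or 0xa0-0xaf (Linux kernel ranges).
# It does not decide whether the revision is fixed; compare it with AMD's bulletin.

zen2_check() {   # reads cpuinfo text on stdin, prints one summary line
  awk -F'[ \t]*:[ \t]*' '
    $1 == "vendor_id"  && vendor == "" { vendor = $2 }
    $1 == "cpu family" && family == "" { family = $2 + 0 }
    $1 == "model"      && model  == "" { model  = $2 + 0 }
    $1 == "microcode"  && ucode  == "" { ucode  = $2 }
    END {
      # Missing fields (for example a non-x86 host): do not guess.
      if (vendor == "" || family == "" || model == "") { print "unknown"; exit }
      zen2 = (vendor == "AuthenticAMD" && family == 23 &&
              ((model >= 48  && model <= 79)  || (model >= 96  && model <= 127) ||
               (model >= 144 && model <= 145) || (model >= 160 && model <= 175)))
      if (!zen2) { print "not-zen2"; exit }
      if (ucode == "") ucode = "unknown"
      printf "zen2 family=0x%x model=0x%x microcode=%s\n", family, model, ucode
    }'
}

# Constructed sample (not captured from a real host); the microcode value is made up.
sample_cpuinfo() {
  printf 'vendor_id\t: AuthenticAMD\n'
  printf 'cpu family\t: 23\n'
  printf 'model\t\t: 113\n'
  printf 'model name\t: AMD Ryzen 7 3700X 8-Core Processor\n'
  printf 'microcode\t: 0x8701021\n'
}

# Use the real file when present, otherwise fall back to the constructed sample.
if [ -r /proc/cpuinfo ]; then
  zen2_check < /proc/cpuinfo
else
  sample_cpuinfo | zen2_check
fi
```

Run it again after applying a firmware or OS microcode package and rebooting: the `microcode=` value should change if the update was actually loaded.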
 
