Jump to content
  • AMD confirms firmware update for Ryzen 3000, 4000, 5000, 7000 CPUs vulnerable to Zenbleed


    Karlston

    • 638 views
    • 5 minutes
     Share


    • 638 views
    • 5 minutes

    AMD's Zen 2-based CPUs, which include popular chips like the Ryzen 5 3600, 3700X, and more, are vulnerable to a use-after-free vulnerability. AMD updated its security bulletin and the new article has been published with the ID AMD-SB-7008.

     

    For desktops, AMD's Ryzen 3000 series (Mattise), Ryzen 4000 and 4000G series (Renoir) are on the list; meanwhile, for mobile, list includes Ryzen 5000 (Lucienee), Ryzen 4000 (Renoir), and Ryzen 7020 (Mendocino).

     

    AMD's security bulletin summarizes the new vulnerability which is being tracked under ID CVE-2023-20593, and also lists the AGESA firmware which will patch the Zenbleed vulnerability. Most of these are planned for release around October to December of 2023:

     

    Summary

     

    Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.

     

    CVE Details

     

    CVE

    Severity

    CVE Description

    CVE-2023-20593

    Medium

    An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.

     

    Mitigation

     

    AMD recommends applying the µcode patch listed below for AMD EPYC™ 7002 Processors, and applying BIOS updates that include the following AGESA™ firmware versions for other affected products. AMD plans to release to the Original Equipment Manufacturers (OEM) the AGESA™ versions on the target dates listed below. Please refer to your OEM for the BIOS update specific to your product.

     

    DATA CENTER

     

    Mitigation detail

     

    Update to versions listed or higher

    2nd Gen AMD EPYC™ Processors

     

    “Rome”

    µcode

    0x0830107A

    AGESA™ firmware

    RomePI 1.0.0.H

     

    DESKTOP

     

    Mitigation details

     

    Update to versions listed or higher

    AMD Ryzen™ 3000 Series Desktop Processors
    “Matisse”

    AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics
    “Renoir” AM4

    AGESA™ firmware

    ComboAM4v2PI_1.2.0.C (Target Dec 2023)

     

    ComboAM4PI_1.0.0.C

     

    (Target Dec 2023)

    ComboAM4v2PI_1.2.0.C (Target Dec 2023)

     

    HIGH END DESKTOP (HEDT)

     

    Mitigation details

     

    Update to versions listed or higher

    AMD Ryzen™ Threadripper™ 3000 Series Processors
    “Castle Peak” HEDT

    AGESA™ firmware

    CastlePeakPI-SP3r3 1.0.0.A

     

    (Target Oct 2023)

     

    WORKSTATION

     

    Mitigation details

     

    Update to versions listed or higher

    AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors
    “Castle Peak” WS SP3

    AGESA™ firmware

    CastlePeakWSPI-sWRX8 1.0.0.C

     

    (Target Nov 2023)

     

    ChagallWSPI-sWRX8 1.0.0.7

     

    (Target Dec 2023)

     

    MOBILE - AMD Ryzen™ Series

     

    Mitigation details

     

    Update to versions listed or higher

    AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics
    “Lucienne”

    AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics
    “Renoir”

    AMD Ryzen™ 7020 Series Processors

     

    “Mendocino” FT6

    AGESA™ firmware

    CezannePI-FP6_1.0.1.0

     

    (Target Dec 2023)

    RenoirPI-FP6_1.0.0.D

     

    (Target Nov 2023)

    MendocinoPI-FT6_1.0.0.6

     

    (Target Dec 2023)

     

    Tavis Ormandy, a security vulnerability researcher at Google, discovered the flaw which they explained in their blog post. The issue is related to 128-bit registers (XMM) and incorrect recovery from a mispredicted vzeroupper. Ormandy writes:

     

    It turns out that with precise scheduling, you can cause some processors to recover from a mispredicted vzeroupper incorrectly!

     

    The bug works like this, first of all you need to trigger something called the XMM Register Merge Optimization, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work.

     

    We now know that basic operations like strlen, memcpy and strcmp will use the vector registers - so we can effectively spy on those operations happening anywhere on the system! It doesn’t matter if they’re happening in other virtual machines, sandboxes, containers, processes, whatever!

     

    This works because the register file is shared by everything on the same physical core. In fact, two hyperthreads even share the same physical register file.

     

    In case you are unaware, Use-After-Free (UAF) is a security flaw that occurs when a program or application fails to properly manage the memory pointer after a dynamic memory portion has been freed, which in turn can lead to code execution by an attacker.

     

    A pointer stores data related to a certain address of the memory that is being used by the application. But dynamic memory is constantly flushed and reallocated for use by different apps. However, if that pointer is not set to null once its corresponding memory space has been freed or unallocated, attackers can successfully exploit that pointer data to gain access to that same memory portion to now pass arbitrary malicious code. This is why the vulnerability is named Use-After-Free.

     

    In a statement to Tom's Hardware, AMD suggested that performance impact, if any, will vary depending on workload and system configuration, though there are no exploitations of it in the wild.

     

    Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploit of the described vulnerability outside the research environment.

     

    We will update the article if more information is available on the topic.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...