Zenbleed, a vulnerability that affects AMD Zen 2 processors


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or generally cause problems

A few days ago, a researcher from Google's security team released news that he had detected a vulnerability (already catalogued as CVE-2023-20593) in AMD processors based on the Zen 2 microarchitecture, which can be used to read the contents of registers while other processes are running on the same CPU core.

This vulnerability is considered important, since the attack can be carried out from virtual machines and isolated environments. In essence, the issue resembles classic use-after-free vulnerabilities caused by accessing memory after it has been freed.

The problem affects AMD Ryzen 3000, Ryzen PRO 3000, Ryzen Threadripper 3000, Ryzen 4000 with Radeon Graphics, Ryzen PRO 4000, Ryzen 5000 with Radeon Graphics, Ryzen 7020 with Radeon Graphics and EPYC 7002 series processors.

Regarding the vulnerability, it is explained that processors store the contents of registers in a register file (RF), a structure shared by all tasks running on the same CPU core. The Register Allocation Table (RAT) is responsible for mapping named registers to register file resources. A zero value is stored in a register not by writing an empty value into the register file, but by setting the z-bit flag in the RAT.

The vulnerability stems from the fact that if the z-bit is set during speculative execution of instructions, simply resetting it after a branch misprediction is not enough, since the space in the register file may already have been reallocated during speculative execution.

The observed effect occurs when a register is being renamed, an instruction subject to the register merge optimization is used, and a VZEROUPPER vector instruction is speculatively executed, setting the z-bit and freeing register file resources. If the branch prediction fails and the speculative VZEROUPPER operation is rolled back, the contents of the vector registers may be corrupted, since the z-bit is rolled back but the freed resource is not restored.

Through the manipulation of the VZEROUPPER instruction, it is possible to achieve a controlled leakage of processed data in the YMM vector registers used in AVX (Advanced Vector Extensions) and SSE (Streaming SIMD Extensions) modes. These registers are actively used in the memory copy and string processing functions, for example in the Glibc library they are used in the memcpy, strcmp and strlen functions.

To demonstrate the vulnerability, codenamed Zenbleed, a prototype exploit has been prepared that allows an unprivileged user to determine the data processed by the AES-NI or REP MOVS instructions (typically used in the memcpy function), which can be used to reconstruct encryption keys and user passwords processed in other processes, including privileged ones. The data leakage rate of the exploit is approximately 30 KB per second.

The vulnerability is fixed at the microcode level. For Linux, a patch has been prepared that loads the corrected microcode. If it is not possible to update the microcode, there is a workaround that blocks the vulnerability at the cost of reduced performance.

To do this, the DE_CFG[9] control bit must be set in the CPU; for this, the following command must be typed in a terminal:

It is worth mentioning that disabling SMT does not block the vulnerability, and that the fix was implemented in kernel updates 6.4.6, 6.1.41, 5.15.122, 5.10.187, 5.4.250 and 4.19.289.
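As an added example (not code from the article, from AMD or from the kernel project), the following shell helper checks whether the running kernel is at or above the fixed releases listed above and, if not, computes and optionally applies the DE_CFG[9] workaround through the msr-tools rdmsr/wrmsr utilities. It assumes the DE_CFG MSR address 0xc0011029 from the public Zenbleed advisory, which this article does not state, and that the msr kernel module and msr-tools are available.

```shell
# Added Zenbleed helper (not from the article or AMD). The DE_CFG MSR address
# 0xc0011029 is from the public advisory; the kernel versions are the article's.
DE_CFG_MSR=0xc0011029
DE_CFG_BIT9=$((1 << 9))

# Print the fixed kernel release for the series of version $1, or fail if the
# series is not one the article lists.
zenbleed_fixed_version() {
  case "$1" in
    6.4.*)  echo 6.4.6 ;;
    6.1.*)  echo 6.1.41 ;;
    5.15.*) echo 5.15.122 ;;
    5.10.*) echo 5.10.187 ;;
    5.4.*)  echo 5.4.250 ;;
    4.19.*) echo 4.19.289 ;;
    *)      return 1 ;;
  esac
}

# Exit 0 if kernel $1 (e.g. "6.1.38-1-amd64") is at or above the fixed release
# for its series, 1 if it is older, 2 if the series is not listed.
zenbleed_kernel_fixed() {
  ver=${1%%-*}                                  # strip the distro suffix
  fixed=$(zenbleed_fixed_version "$ver") || return 2
  [ "${ver##*.}" -ge "${fixed##*.}" ]           # same series: compare patch level
}

# Print DE_CFG value $1 (hex, as `rdmsr -c` prints it) with bit 9 set.
de_cfg_with_workaround() { printf '0x%x\n' $(( $1 | DE_CFG_BIT9 )); }

# Exit 0 if bit 9 is already set in DE_CFG value $1.
de_cfg_workaround_active() { [ $(( $1 & DE_CFG_BIT9 )) -ne 0 ]; }

# Live path: needs root, the msr module (modprobe msr) and msr-tools. Guarded by
# ZENBLEED_LIVE=1 so the functions above can be sourced without side effects.
if [ "${ZENBLEED_LIVE:-0}" = 1 ]; then
  if zenbleed_kernel_fixed "$(uname -r)"; then
    echo "kernel $(uname -r) is at or above the fixed release; no manual MSR change needed"
  else
    cur=$(rdmsr -c "$DE_CFG_MSR")               # reads the MSR on CPU 0
    if de_cfg_workaround_active "$cur"; then
      echo "DE_CFG[9] already set (DE_CFG=$cur)"
    else
      echo "setting DE_CFG[9] on all cores: $cur -> $(de_cfg_with_workaround "$cur")"
      wrmsr -a "$DE_CFG_MSR" "$(de_cfg_with_workaround "$cur")"
    fi
  fi
fi
```

Run it with ZENBLEED_LIVE=1 as root to act on the live system; an MSR write does not survive a reboot, so it has to be reapplied at boot until fixed microcode or kernel is installed.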

Those interested in tracking vulnerability information across the different distributions can do so on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch, OpenBSD, FreeBSD and NetBSD.

Finally, if you are interested in learning more about it, you can consult the details at the following link.
