CVE-2023-20593: Critical Flaw Discovered in AMD Ryzen 2 and EPYC Processors
Cybersecurity threats continue to evolve, and processors are not spared. One recent vulnerability making headlines is CVE-2023-20593, a significant security loophole affecting AMD’s Zen2 class processors. This vulnerability allows an attacker to spy on the registers of other processes, without any system calls or privileges required.
The root cause of the vulnerability is the vector register file (RF), a shared resource among all tasks on a physical core. The register allocation table (RAT) is responsible for mapping and assigning RF resources to named registers. A unique feature of this architecture is that zero-value registers don’t need any RF space—just a flag in the RAT known as the z-bit.
Known as “zenbleed,” the CVE-2023-20593 vulnerability arises when the z-bit is set speculatively, which means it cannot be unset upon branch misprediction. The security risk occurs because the previously allocated RF space might have been reassigned between these two events, resulting in a use-after-free (UaF) scenario.
Tavis Ormandy of Google Information Security made a groundbreaking discovery related to this issue. He found that this UaF scenario could actually occur under very specific conditions. These include an instruction using merge optimization, a register rename, and a mispredicted VZEROUPPER instruction simultaneously entering the FP backend.
The real-world impact of this flaw is substantial. It allows bad actors to spy on the registers of other processes, with no system calls or privileges needed. Furthermore, it works across virtual machines and affects all operating systems, making it a pervasive threat.
Ormandy was able to create a proof of concept (PoC) for this issue that could reconstruct keys and passwords as users log in. CVE-2023-20593 affects all Zen 2 class processors, encompassing numerous AMD products including
- AMD Ryzen 3000 Series Processors
- AMD Ryzen PRO 3000 Series Processors
- AMD Ryzen Threadripper 3000 Series Processors
- AMD Ryzen 4000 Series Processors with Radeon Graphics
- AMD Ryzen PRO 4000 Series Processors
- AMD Ryzen 5000 Series Processors with Radeon Graphics
- AMD Ryzen 7020 Series Processors with Radeon Graphics
- AMD EPYC “Rome” Processors
First big result from our new CPU research project, a use-after-free in AMD Zen2 processors! 🔥 AMD have just released updated microcode for affected systems, please update! https://t.co/NVPWFpVopz pic.twitter.com/HgKwu9w8Av
— Tavis Ormandy (@taviso) July 24, 2023
Ormandy reported this vulnerability to AMD on May 15, 2023, leading AMD to release a microcode update for affected processors. If your system is running on one of the affected processors, your BIOS or operating system vendor might already have an update that includes the microcode patch. It is highly recommended to apply this update as soon as possible.
If, for some reason, you cannot apply the update, you can resort to a software workaround—setting the chicken bit DE_CFG[9]. Although this approach might have some performance cost, it offers an alternative to unprotected systems.
For Linux users, msr-tools can be used to set the chicken bit on all cores with a single command (# wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))). FreeBSD users can employ cpucontrol(8). For other operating systems, you are advised to seek assistance from your vendor. Note that disabling SMT on its own is not sufficient to mitigate this vulnerability.
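The one-liner above writes the MSR blindly. The following script, added here as an example and not part of the article or of msr-tools, wraps the same workaround so that DE_CFG[9] is checked per core before writing and verified afterwards; the function names and the use of rdmsr/wrmsr's -p option are the author's own assumptions.

```shell
#!/bin/sh
# Added example: apply and verify the CVE-2023-20593 (Zenbleed) chicken bit
# DE_CFG[9] in MSR 0xc0011029 using msr-tools. Needs root and the msr module.
DE_CFG_MSR=0xc0011029
ZENBLEED_BIT=9

# Pure helper: return the MSR value with DE_CFG[9] set, as a 0x-prefixed hex string.
with_chicken_bit() {
    printf '0x%x\n' "$(( $1 | (1 << ZENBLEED_BIT) ))"
}

# Pure helper: succeed (exit 0) when DE_CFG[9] is already set in the given value.
chicken_bit_set() {
    [ "$(( ($1 >> ZENBLEED_BIT) & 1 ))" -eq 1 ]
}

# Read DE_CFG from one core; rdmsr -c prints a C-style 0x-prefixed value.
read_de_cfg() {
    rdmsr -p "$1" -c "$DE_CFG_MSR"
}

# Walk every online core: set the bit only where it is clear, then re-read
# the MSR to confirm the write took effect. Returns non-zero on any failure.
apply_zenbleed_workaround() {
    ncpu=$(getconf _NPROCESSORS_ONLN)
    cpu=0
    while [ "$cpu" -lt "$ncpu" ]; do
        cur=$(read_de_cfg "$cpu") || return 1
        if ! chicken_bit_set "$cur"; then
            wrmsr -p "$cpu" "$DE_CFG_MSR" "$(with_chicken_bit "$cur")" || return 1
        fi
        after=$(read_de_cfg "$cpu") || return 1
        chicken_bit_set "$after" || { echo "cpu$cpu: DE_CFG[9] still clear" >&2; return 1; }
        cpu=$((cpu + 1))
    done
    echo "DE_CFG[9] set on $ncpu cores"
}
```

Source the file and run `apply_zenbleed_workaround` as root; the setting does not survive a reboot, so it must be reapplied at boot until the microcode update is installed.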
In Ormandy’s words, “I am not aware of any reliable techniques to detect exploitation. This is because no special system calls or privileges are required. It is definitely not possible to detect improper usage of vzeroupper statically, please don’t try!”
The invisible nature of this vulnerability makes it an even more potent threat. Stay vigilant, update your systems regularly, and always be on the lookout for patches and updates from your vendors to stay ahead of potential cyber threats.