Zenbleed: New Flaw in AMD Zen 2 Processors Puts Encryption Keys and Passwords at Risk

2023-07-25 10:03

A new security vulnerability has been discovered in AMD's Zen 2 architecture-based processors that could be exploited to extract sensitive data such as encryption keys and passwords.

Discovered by Google Project Zero researcher Tavis Ormandy, the flaw - codenamed Zenbleed and tracked as CVE-2023-20593 - allows data exfiltration at the rate of 30 kb per core, per second.

The issue is part of a broader category of weaknesses called speculative execution attacks, in which the optimization technique widely used in modern CPUs is abused to access cryptographic keys from CPU registers.

"Under specific microarchitectural circumstances, a register in 'Zen 2' CPUs may not be written to 0 correctly," AMD explained in an advisory.

"Vectorized operations can be executed with great efficiency using the YMM registers," Cloudflare researchers Derek Chamorro and Ignat Korchagin said.

"This attack works by manipulating register files to force a mispredicted command. Since the register file is shared by all the processes running on the same physical core, this exploit can be used to eavesdrop on even the most fundamental system operations by monitoring the data being transferred between the CPU and the rest of the computer," they added.

News URL

https://thehackernews.com/2023/07/zenbleed-new-flaw-in-amd-zen-2.html

#AMD #encryption #CVE-2023-20593

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2023-07-24	CVE-2023-20593	An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. local low complexity xen debian amd	5.5

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
AMD		746	28	115	79	22	244