
Zenbleed, a vulnerability that affects AMD Zen 2 processors

July 25, 2023


Tavis Ormandy, a well-known Google security researcher, has published a new vulnerability named Zenbleed. It affects AMD processors based on the Zen 2 architecture, both the PC-oriented Ryzen models and the EPYC models aimed at servers and data centers.

The Zen 2 architecture debuted with the Ryzen 3000 series, and AMD has reused it many times since, so it is also present in some Ryzen 4000, 5000 and 7020-series models. All of these generations have been confirmed as affected by Zenbleed, along with "Rome", the second generation of EPYC.

Other devices that use AMD's Zen 2 architecture are the current generation of video game consoles, the PlayStation 5 and Xbox Series X|S, as well as the Steam Deck. There is no evidence yet that they have been affected, but the published data on the vulnerability does not encourage optimism, at least for Valve's machine, since Linux has already begun adopting mitigations to prevent exploitation.

Zenbleed, tracked as CVE-2023-20593, allows data exfiltration at roughly 30 kb/s per core, enough bandwidth to steal sensitive information passing through the processor. Its severity is compounded by the fact that it reportedly works against all software running on the processor: the leak crosses virtual machine, sandbox, container and process boundaries.

Because it can read data across virtual machines, the isolation that virtualization provides is at least weakened in the face of Zenbleed, which makes it a significant threat to cloud service providers and to anyone running cloud instances. Furthermore, the attack can be carried out from unprivileged code, a factor that further increases the danger of the vulnerability.

Tavis Ormandy explains the security flaw as follows: "First you have to trigger something called the XMM Register Merge Optimization 2, followed by a register rename and a mispredicted vzeroupper. All of this has to happen within a precise window for it to work."

Because basic functions such as strlen, memcpy and strcmp use vector registers, the flaw opens the door to eavesdropping on a Zen 2 core regardless of whether the data belongs to a virtual machine, a sandbox, a container or another process.

Ormandy goes on to say that the exploit "works because the register file is shared by everyone on the same physical core. In fact, the two hyperthreads even share the same physical register file." The researcher said that Zenbleed can be mitigated in software, but at a cost in performance. Beyond that, he recommended applying AMD's microcode update, and the processor manufacturer is preparing a new AGESA firmware version.
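The paragraph above leaves a practitioner with two questions: is this host a Zen 2 part at all, and if so, is it covered by a fixed microcode revision or by the software workaround? The following script is an added example and not code from the article, from AMD or from Ormandy's writeup. It reads /proc/cpuinfo on a Linux host, maps the CPU to the Zen 2 model ranges, compares the running microcode revision against a table, and optionally reads the DE_CFG MSR (0xC0011029) whose bit 9 is the "chicken bit" Ormandy published as the software workaround. Labelled assumptions: the model ranges and the "first fixed" microcode revisions in FIXED_MICROCODE are recalled from the Linux kernel's Zenbleed fix for family 0x17 and should be checked against arch/x86/kernel/cpu/amd.c in your kernel tree; the embedded cpuinfo sample is constructed for illustration.

```python
"""Zenbleed (CVE-2023-20593) exposure check for a Linux host.

Added example, not from the article, AMD or Google.  Assumptions are
marked inline.  Run as root with the msr module loaded to also see the
DE_CFG workaround bit; without that the MSR read is skipped.
"""
import os
import re
import struct
from typing import Dict, List, Optional

DE_CFG_MSR = 0xC0011029          # AMD DE_CFG MSR
DE_CFG_ZENBLEED_BIT = 1 << 9     # bit 9: Ormandy's published software workaround

# (model_lo, model_hi, first microcode revision carrying the fix).
# ASSUMPTION: recalled from the Linux kernel's Zenbleed fix for family 0x17;
# verify against your kernel source before relying on it.
FIXED_MICROCODE = [
    (0x30, 0x3F, 0x0830107A),   # Rome / Castle Peak
    (0x60, 0x67, 0x0860010B),   # Renoir
    (0x68, 0x6F, 0x08608105),   # Lucienne
    (0x70, 0x7F, 0x08701032),   # Matisse
    (0xA0, 0xAF, 0x08A00008),   # Mendocino
]

# Constructed /proc/cpuinfo excerpt for a Zen 2 desktop part, two logical CPUs,
# deliberately showing one unpatched and one patched microcode revision.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 9 3900X 12-Core Processor
microcode\t: 0x8701021

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 9 3900X 12-Core Processor
microcode\t: 0x8701032
"""


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Split /proc/cpuinfo text into one {field: value} dict per logical CPU."""
    cpus: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus


def zen2_fix_revision(cpu: Dict[str, str]) -> Optional[int]:
    """Return the first fixed microcode revision for this CPU, or None when it
    is not an AMD family 0x17 model in the Zen 2 table."""
    if cpu.get("vendor_id") != "AuthenticAMD":
        return None
    if int(cpu.get("cpu family", "0")) != 0x17:
        return None
    model = int(cpu.get("model", "0"))
    for lo, hi, good in FIXED_MICROCODE:
        if lo <= model <= hi:
            return good
    return None


def assess(cpu: Dict[str, str], de_cfg: Optional[int] = None) -> str:
    """Classify one logical CPU.  de_cfg is the raw DE_CFG MSR value if known."""
    good = zen2_fix_revision(cpu)
    if good is None:
        return "not-affected"
    revision = int(cpu.get("microcode", "0x0"), 16)
    if revision >= good:
        return "fixed-microcode"
    if de_cfg is None:
        return "unpatched-msr-unknown"     # cannot tell whether the workaround is set
    if de_cfg & DE_CFG_ZENBLEED_BIT:
        return "workaround-active"
    return "vulnerable"


def read_de_cfg(cpu_index: int) -> Optional[int]:
    """Read DE_CFG through /dev/cpu/N/msr; None if unavailable (no root/msr module)."""
    try:
        fd = os.open(f"/dev/cpu/{cpu_index}/msr", os.O_RDONLY)
    except OSError:
        return None
    try:
        raw = os.pread(fd, 8, DE_CFG_MSR)
    except OSError:
        return None
    finally:
        os.close(fd)
    return struct.unpack("<Q", raw)[0]


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CPUINFO          # fall back to the constructed sample
    for cpu in parse_cpuinfo(text):
        idx = int(cpu.get("processor", "0"))
        print(f"cpu{idx}: {cpu.get('model name', '?')}: {assess(cpu, read_de_cfg(idx))}")
```

The status "unpatched-msr-unknown" is deliberately not "safe": on an unpatched Zen 2 host the only way to confirm the software workaround is to read DE_CFG, so run the script as root with the msr module loaded before trusting the result.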

What about AMD in all this? Everything suggests its response will annoy many users. The red giant has already started providing AGESA and microcode updates for EPYC, but Ryzen users will have to wait until at least October 2023, depending on the model.

AMD has set a target of patching the vulnerability in the Ryzen 5000 Mobile "Lucienne", Ryzen 4000 Mobile "Renoir" and Ryzen 7020 "Mendocino" lines by December of this year. The Threadripper 3000 "Castle Peak" is the earliest, with a date set for October, while most Ryzen models, whether CPU, APU or Threadripper, will receive patches between November and December.

The processor manufacturer stated about Zenbleed that "under specific micro-architectural circumstances, a register in 'Zen 2' CPUs may not be written to 0 properly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to access sensitive information."

The way Zenbleed was released to the public, and AMD's response, suggest that the company missed the patch deadline. Tavis Ormandy said he reported the vulnerability privately on May 15, and, as is standard for Google's research team, the party responsible for the software or hardware is given a deadline to fix it. If that deadline passes with no sign of a fix on the way, the Google team goes ahead and publishes the security bug.

The methods used by Google's security research team have led to conflicts with other companies. The most prominent was the clash with Microsoft, which accused the giant's researchers of irresponsibly disclosing Windows vulnerabilities. Microsoft at one point responded to the dispute between the two tech giants by accusing Google of failing to address security flaws in Chrome properly.

Returning to one of the threads of this article, microcode: AMD is laying the groundwork to increase its size for Zen 5 processors, possibly in order to support more complex instructions or new features. This became known thanks to a Linux patch from the person responsible for Radeon, which shows the maximum microcode size growing to eight times the 4,096-byte kernel page, for a maximum of 32 KB.

We'll see how the Zenbleed issue is handled from here, but looking at the situation and the timelines, everything indicates that those responsible for kernels, operating systems and possibly applications will need to deploy temporary mitigations until AMD follows through on its plan, and then to check whether its patches actually close the hole. Nor should we lose sight of platforms like the Xbox Series X|S and PlayStation 5.

Source: Muy Computer
