Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

[Markfw]

New “Zenbleed” vulnerability announced. Effects up to Zen2 products. Can be exposed remotely and even drum within a virtual machine. Firmware patch to address the issue is available for Epyc systems, no ETA for patch on the consumer side.

When you say "up to Zen 2" then you mean Naples (EPYC) and Zen 1 and Zen 2 only ?

 

[Saylick]

When you say "up to Zen 2" then you mean Naples (EPYC) and Zen 1 and Zen 2 only ?

Seems like it's only Zen 2 products, via Tom's Hardware:

According to Ormandy, all Zen 2 CPUs are impacted, including the EPYC Rome processors:

• AMD Ryzen 3000 Series Processors
• AMD Ryzen PRO 3000 Series Processors
• AMD Ryzen Threadripper 3000 Series Processors
• AMD Ryzen 4000 Series Processors with Radeon Graphics
• AMD Ryzen PRO 4000 Series Processors
• AMD Ryzen 5000 Series Processors with Radeon Graphics
• AMD Ryzen 7020 Series Processors with Radeon Graphics
• AMD EPYC “Rome” Processors

 

[JoeRambo]

New “Zenbleed” vulnerability announced. Effects up to Zen2 products. Can be exposed remotely and even drum within a virtual machine. Firmware patch to address the issue is available for Epyc systems, no ETA for patch on the consumer side.

Yeah, big disaster for AMD. Unlike Spectre that is esoteric and hard to exploit, this is on the level of Meltdown, basically if you share a system with other users, it's game over.

security-research/pocs/cpus/zenbleed at master · google/security-research

This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code. - google/security-research

github.com

Some info here. AMD is obviuosly caring about cloud first, but this is big oof.

 

[dullard]

Firmware patch to address the issue is available for Epyc systems, no ETA for patch on the consumer side.

AMD has now announced expected patch dates for non-EPYC systems to be Oct through Dec, depending on the processor.

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

Even just visiting a website could trigger the vulnerability to reveal your user logins and encryption codes. It works across even sandboxed areas, virtual machines, etc.

 

[JoeRambo]

Even just visiting a website could trigger the vulnerability to reveal your user logins and encryption codes.

Not yet, browsers don't allow users to execute exactly the needed binary code and finding ways to exploit it over browser will take time ( and obviously browser vendors will fight against it by refusing to generate instructions needed ).
Where this is very very relevant is ANY SHARED system. The size of this hole is hilarious. Meltdown sized.

 

[dullard]

Not yet, browsers don't allow users to execute exactly the needed binary code and finding ways to exploit it over browser will take time ( and obviously browser vendors will fight against it by refusing to generate instructions needed ).

Hopefully you are correct. Lots of the tech sites are saying that Javascript on a webpage could do it. Hopefully the browsers do block it.

Currently a Google search for Zenbleed comes up with about a third of the hits on the first page either being Russian sites or sites using Russian language. I would be careful where you click until the browsers are patched.

 

[gdansk]

Hmm. Is it responsible disclosure?
Updated firmware and ucode aren't available for consumer devices. Epyc microcode was available Friday but who thought every cloud provider would be up to date today?

Google released it because they updated their Zen 2 GCP instances. But AWS hasn't yet...

 

[JoeRambo]

Google released it because they updated their Zen 2 GCP instances. But AWS hasn't yet...

uCode released, so it's up to cloud providers to update it. There is also chicken bit setting in MSR to fix it too with whatever performance impact.
Are there even that many Zen2 cloud instances with big players?

 

[beginner99]

Hopefully you are correct. Lots of the tech sites are saying that Javascript on a webpage could do it. Hopefully the browsers do block it.

A reason to always have NoScript installed as accidentally going to obscure site will not run their JavaScript and protect you regardless of browser or OS patches.

And even then it will not automatically bleed your password if you didn't just change it. it needs to be in the register file which means very recently used. So for consumer as with meltdown the attack surface is small to non-existent as you would want to continuously monitor the register files which you can do on a VM in the cloud but hard via browser.

 

[JustViewing]

Reading into the exploit, it doesn't seem like you can exploit it from JavaScript. You need hand written ASM Code get the correct code sequnce and most importantly you cannot access CPU registers from Javascript. Besides it seems like a CPU Bug. Or I could be reading it wrong.

 

[igor_kavinski]

You need hand written ASM Code get the correct code sequnce and most importantly you cannot access CPU registers from Javascript.

What about compiled code like WebAssembly?

 

[DrMrLordX]

What about compiled code like WebAssembly?

That's a solid "maybe", assuming the browser has a working and compliant WASM engine.

 

[moinmoin]

That's a solid "maybe", assuming the browser has a working and compliant WASM engine.

Pretty much all common browsers support it though: https://caniuse.com/?search=webassembly

Check for yourself: https://wasm-feature-detect.surma.technology/

Ways to disable WASM, both confirmed to work:

• Firefox: Enter about:config in the URL bar and change javascript.options.wasm to false
• Chrome and derivatives (Opera in my case): Add --js-flags=--noexpose_wasm to the command line for starting the program

 

[PingSpike]

Cloudflare at least thinks exploiting from a browser is possible, but I haven't seen anyone claim to have done it. I suspect if it is possible it isn't as efficient as the assembly PoC. I read some people saying that running the PoC code for 10 minutes they already saw fragments of their root password leaked.

I actually think this is pretty horrible and AMD rating it 'medium' severity is a joke. Haven't seen any info on performance hit (if any) from the updated microcode. I'm not sure why it will take so long to get the patches out for the rest of the product stack. This is serious enough I'd think releasing those immediately with only that fix would be wise. Certainly it is game over territory for cloud providers, but it doesn't seem an overblown worry for regular users at all to me.

I haven't seen anything to suggest other zen generation products aren't possibly vulnerable, but the language used could just be because you can't easily prove a negative not because they haven't tested. I guess we'll know soon enough.

The only good news is the chicken bit mitigates it.

 

[JustViewing]

What about compiled code like WebAssembly?

WASM is just a device Independent byte code (like Java/DotNet) which has to be compiled by browser to native code. I am not sure all browsers/versions will compile the same way. Even if you compile the WASM to exact x64 ASM sequence, there won't be a way to read YMM registers from WASM.

 

[DrMrLordX]

Pretty much all common browsers support it though:

FireFox doesn't support gc, jspi, memory64, relaxedSimd, tailCall, threads, or typeReflection

WASM is just a device Independent byte code (like Java/DotNet) which has to be compiled by browser to native code. I am not sure all browsers/versions will compile the same way. Even if you compile the WASM to exact x64 ASM sequence, there won't be a way to read YMM registers from WASM.

Well that's good to know.

 

[moinmoin]

Seems like severity is not considered high:

https://www.reddit.com/r/AMD_Stock/comments/158gk9l/_/jtcw1g0

 

[DrMrLordX]

Seems like anyone serious about AVX performance wouldn't be running Rome or Matisse in 2023 anyway.

 

[PingSpike]

Well, I enabled the chicken bit until the microcode update hits. I'd advise others to do the same.

 

[tamz_msc]

Voltage glitching on the PSP has now been carried out on Tesla's infotainment system in their cars.

Black Hat

Black Hat

www.blackhat.com

 

[JustViewing]

Voltage glitching on the PSP has now been carried out on Tesla's infotainment system in their cars.

Black Hat

Black Hat

www.blackhat.com

Vulnerabilities also have a positive side

 

[jpiniero]

Intel DOWNFALL: New Vulnerability Affecting AVX2/AVX-512 With Big Performance Implications - Phoronix

www.phoronix.com

Here's a new one for Intel. Says affected processors are Skylake-TigerLake/Icelake Server.

 

[DrMrLordX]

Here's a new one for Intel. Says affected processors are Skylake-TigerLake/Icelake Server.

The best thing to come from all these vulnerabilities are all the cute logos. Also big win for Intel since anyone who bought Cooper Lake (assuming it is affected, which it probably is) or IceLake-SP for AVX512 throughput will now probably need to replace their hardware with Sapphire Rapids.

edit: also it looks like this vulnerability is potentially severe, at least on any system serving up VMs.

 

[Markfw]

The best thing to come from all these vulnerabilities are all the cute logos. Also big win for Intel since anyone who bought Cooper Lake (assuming it is affected, which it probably is) or IceLake-SP for AVX512 throughput will now probably need to replace their hardware with Sapphire Rapids.

edit: also it looks like this vulnerability is potentially severe, at least on any system serving up VMs.

Pretty sad for the industry, when due to a design defect, they have to replace their processors with inferior ones (compared to the competition)

 

[Hitman928]

AMD also has a new vulnerability (inception) announced today that effects Zen3 and Zen4. Doesn’t sound that serious though.