AMD confirms firmware update for Ryzen 3000, 4000, 5000, 7000 CPUs vulnerable to Zenbleed

AMD"s Zen 2-based CPUs, which include popular chips like the Ryzen 5 3600, 3700X, and more, are vulnerable to a use-after-free vulnerability. AMD updated its security bulletin and the new article has been published with the ID AMD-SB-7008.

For desktops, AMD"s Ryzen 3000 series (Mattise), Ryzen 4000 and 4000G series (Renoir) are on the list; meanwhile, for mobile, list includes Ryzen 5000 (Lucienee), Ryzen 4000 (Renoir), and Ryzen 7020 (Mendocino).

AMD"s security bulletin summarizes the new vulnerability which is being tracked under ID CVE-2023-20593, and also lists the AGESA firmware which will patch the Zenbleed vulnerability. Most of these are planned for release around October to December of 2023:

Summary

Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.

CVE Details

CVE

Severity

CVE Description

CVE-2023-20593

Medium

An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.

Mitigation

AMD recommends applying the µcode patch listed below for AMD EPYC™ 7002 Processors, and applying BIOS updates that include the following AGESA™ firmware versions for other affected products. AMD plans to release to the Original Equipment Manufacturers (OEM) the AGESA™ versions on the target dates listed below. Please refer to your OEM for the BIOS update specific to your product.

DATA CENTER

Mitigation detail

Update to versions listed or higher

2nd Gen AMD EPYC™ Processors

“Rome”

µcode

0x0830107A

AGESA™ firmware

RomePI 1.0.0.H

DESKTOP

Mitigation details

Update to versions listed or higher

AMD Ryzen™ 3000 Series Desktop Processors
“Matisse”

AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics
“Renoir” AM4

AGESA™ firmware

ComboAM4v2PI_1.2.0.C (Target Dec 2023)

ComboAM4PI_1.0.0.C

(Target Dec 2023)

ComboAM4v2PI_1.2.0.C (Target Dec 2023)

HIGH END DESKTOP (HEDT)

Mitigation details

Update to versions listed or higher

AMD Ryzen™ Threadripper™ 3000 Series Processors
“Castle Peak” HEDT

AGESA™ firmware

CastlePeakPI-SP3r3 1.0.0.A

(Target Oct 2023)

WORKSTATION

Mitigation details

Update to versions listed or higher

AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors
“Castle Peak” WS SP3

AGESA™ firmware

CastlePeakWSPI-sWRX8 1.0.0.C

(Target Nov 2023)

ChagallWSPI-sWRX8 1.0.0.7

(Target Dec 2023)

MOBILE - AMD Ryzen™ Series

Mitigation details

Update to versions listed or higher

AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics
“Lucienne”

AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics
“Renoir”

AMD Ryzen™ 7020 Series Processors

“Mendocino” FT6

AGESA™ firmware

CezannePI-FP6_1.0.1.0

(Target Dec 2023)

RenoirPI-FP6_1.0.0.D

(Target Nov 2023)

MendocinoPI-FT6_1.0.0.6

(Target Dec 2023)

Tavis Ormandy, a security vulnerability researcher at Google, discovered the flaw which they explained in their blog post. The issue is related to 128-bit registers (XMM) and incorrect recovery from a mispredicted vzeroupper. Ormandy writes:

It turns out that with precise scheduling, you can cause some processors to recover from a mispredicted vzeroupper incorrectly!

The bug works like this, first of all you need to trigger something called the XMM Register Merge Optimization, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work.

We now know that basic operations like strlen, memcpy and strcmp will use the vector registers - so we can effectively spy on those operations happening anywhere on the system! It doesn’t matter if they’re happening in other virtual machines, sandboxes, containers, processes, whatever!

This works because the register file is shared by everything on the same physical core. In fact, two hyperthreads even share the same physical register file.

In case you are unaware, Use-After-Free (UAF) is a security flaw that occurs when a program or application fails to properly manage the memory pointer after a dynamic memory portion has been freed, which in turn can lead to code execution by an attacker.

A pointer stores data related to a certain address of the memory that is being used by the application. But dynamic memory is constantly flushed and reallocated for use by different apps. However, if that pointer is not set to null once its corresponding memory space has been freed or unallocated, attackers can successfully exploit that pointer data to gain access to that same memory portion to now pass arbitrary malicious code. This is why the vulnerability is named Use-After-Free.

In a statement to Tom"s Hardware, AMD suggested that performance impact, if any, will vary depending on workload and system configuration, though there are no exploitations of it in the wild.

Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploit of the described vulnerability outside the research environment.

We will update the article if more information is available on the topic.

Report a problem with article
Next Article

Get this TP-Link WiFi range extender for a rock-bottom price for a limited time

Previous Article

Microsoft confirms virtual desktop improvements in the latest Windows 11 Dev build