Yesterday I was reading up on a newly disclosed vulnerability, discovered by Google Project Zero. It’s a big one, so I wanted to be sure I had my facts in order before posting anything here and ‘getting on the hype train’ as so many of these issues can be. But it’s bad.
Affected Devices: Any device with AMD Zen 2 generation processors.
Remote or Local Vulnerability: Remote
Patched: Servers - Yes, Endpoints - No
CVE: CVE-2023-20593
CVE Score: 6.5 / Medium
High-Level Breakdown:
Modern processors utilise speculative execution, which can give us problems such as Spectre as we saw previously. Allowing the processor to pre-emptively execute code that may or may not be required. The desired output is a successful branch prediction, which means that when an application then says it does want to do something, the processor has already performed that task, maximising performance by moving onto the next task. Unlike Spectre however, this vulnerability isn’t a side-channel attack, instead it’s a rather interesting scenario of ‘use after free’.
If you’ve never heard of a use after free, it’s a common exploitation path (and sometimes the cause of crashes) in programming languages that aren’t ‘memory safe’. A good example of a memory safe language would be Rust, and a good example of a memory ‘unsafe’ language would be C++. A common exploitation of ‘use after free’ is to execute arbitrary code. A common (and less malicious) example of this is within the game console hacking community, whereby such exploits are used to gain privileged access to a console to allow the running of your own code, back to the issue at hand however!
A use after free in the context of the processor means that when a processing core performs speculative execution, to the YMM registers, only the reference to the register is cleared, not the register’s value, meaning that a password or encryption key could be entered into the register and read by a completely different program.
The result is a data extraction rate of 30kbps per core, whilst it’s not much, it’s certainly easy enough to get encryption keys and credentials, hence the severity. This exploit can even be triggered via JavaScript on a website, leading to the remote code execution designation I mentioned earlier.
AMD have provided micro code updates for their Server processors, and the rest of the Zen 2 family are expected to receive updates in due course.
Original article: Zenbleed (archive.org)
