Over 60 Percent of AWS Environments Exposed to Zenbleed Attacks

AMD Zenbleed 2 processors were found vulnerable to use-after-free flaws, enabling data theft. While the exploitation of this flaw demands local code execution, less likely in cloud setups.

The Zenbleed vulnerability that is documented recently puts more than 60 percent of AWS environments at risk, impacting AMD Zen 2 processors.

Cybersecurity researchers at Wiz, a cloud security startup, reported about this new attack chain using the cross-process info leak vulnerability in AMD Zen 2 Processors, Zenbleed, which is tracked as ‘CVE-2023-20593’.

Flaw Profile

  • CVE ID: CVE-2023-20593
  • Description: Under specific microarchitectural circumstances, an issue in “Zen 2” CPUs may allow an attacker to access sensitive information potentially.
  • Source: Advanced Micro Devices Inc.
  • NVD Published Date: 07/24/2023
  • NVD Last Modified: 07/27/2023

Tavis Ormandy from Project Zero was the one who uncovered the Zenbleed vulnerability. CVE-2023-20593 is a rare vulnerability that stems from the misuse of the vzeroupper instruction during speculative execution in contemporary processors.

Unlike side-channel flaws, this attack swiftly affects AMD Zen 2 CPUs without complex provisions.

Using fuzzing and performance counters, the researcher pinpointed hardware events and validated them with “Oracle Serialization.” By comparing execution with serialized oracle, inconsistencies emerged, unveiling CVE-2023-20593 in Zen 2 CPUs.

The flaw enabled an optimized exploit, granting access to sensitive data from diverse system operations, including:-

  • Virtual machines
  • Sandboxes
  • Containers

Wiz Research data reveals 62% of AWS environments are at risk from Zenbleed, with Zen 2 CPUs in EC2 instances.

Products Affected

All the AMD CPUs that are built on the Zen 2 architecture were affected, and here below we have mentioned them:-

  • Ryzen 3000 (“Matisse”) 
  • Ryzen 4000U/H (“Renoir”)  
  • Ryzen 5000U (“Lucienne”) 
  • Ryzen 7020 
  • ThreadRipper 3000 
  • Epyc server (“Rome”) 

Moreover, this vulnerability is a completely independent flaw; in short, it’s not dependent on any specific OS. While the cloud experts predict “Rome” CPUs in AWS hosting most affected VM instances, including EC2 types:-

  • C5a
  • C5ad
  • G4ad
  • G5

In Azure, this includes the following VMs:-

  • HBv2
  • Da_v3
  • Ea_v3

While in GCP, this includes the following VMs:-

  • n2d-s2 (Rome)
  • n2d-s4 (Rome)
  • n2d-s8 (Rome)

Recommendation

For Zenbleed-affected CPUs, apply AMD’s microcode update or wait for a BIOS fix from vendors. But, in this scenario, the cloud providers handle it best, while VMs may have some mitigations.

To verify Zenbleed impact on your Linux VM, follow these manual steps for checking the host machine:-

  • Run the following command to check your host’s CPU model:

$ lscpu -J | grep ‘Model name’

  • Then you have to search online for information on the CPU model’s architecture.
  • After that, you have to determine if the CPU model uses the Zen 2 microarchitecture.
  • If it uses Zen 2 microarchitecture, then proceed to the next step.
  • But, if it doesn’t use Zen 2 microarchitecture, then your machine is not affected by Zenbleed.
  • Now, you have to verify the current microcode version on your machine.
  • Then, confirm if the microcode version is 0x0830107A, which is the latest version.
  • After that, you have to run the following command to check the microcode version:

$ grep ‘microcode’ /proc/cpuinfo

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.