Speculative execution bug Zenbleed can eavesdrop on 30kB/s of data from Zen 2 CPU

Researchers have found a speculative execution bug in AMD CPUs based on Zen 2 architecture. The bug, Zenbleed, is a use-after-free bug that makes it possible to eavesdrop on the chip at up to 30kB/s per core. AMD has now released a microcode patch.

The researchers call the bug Zenbleed. It is a vulnerability in the so-called speculative execution function of CPUs, comparable to several such bugs that have emerged in recent years. Zenbleed was discovered by security researchers who previously worked at Google’s security department Project Zero. The researchers have published a technical description and put a working proof of concept online.

The bug affects all Zen 2 processors, both the Ryzen and Threadripper series as well as business models such as the Epyc Rome for data centers. The researchers shared their findings with AMD, which has now released a microcode patch under serial number AMD-SB-7008. The bug is also tracked as CVE-2023-20593.

Zenbleed is a speculative execution bug. Speculative execution is an optimization method in which a CPU tries to predict certain tasks or calculations in order to run faster. Zenbleed is a vulnerability in the vzeroupper instruction used during that process. When that instruction is called, one of the vector registers is given a 0 bit so that the register can be reserved for a specific action. If this happens during speculative execution, but it turns out that the register is not needed, the 0 bit is removed again. In the meantime, however, an attacker can use special malware to fill that register space with other code and also read existing code.

According to the researcher, this looks like a use-after-free bug, something that previously rarely occurred in CPUs. He goes on to say that it is possible to optimize his malware code to eavesdrop on more data than normal. He could eavesdrop on a total of 30 kilobytes of data per second.
