Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread

Page 81

Markfw

Moderator Emeritus, Elite Member
May 16, 2002
26,324
15,473
136
New “Zenbleed” vulnerability announced. Affects up to Zen2 products. Can be exposed remotely and even from within a virtual machine. Firmware patch to address the issue is available for Epyc systems, no ETA for patch on the consumer side.
When you say "up to Zen 2", do you mean Naples (EPYC) and Zen 1 and Zen 2 only?
 

Saylick

Diamond Member
Sep 10, 2012
3,622
8,149
136
When you say "up to Zen 2", do you mean Naples (EPYC) and Zen 1 and Zen 2 only?
Seems like it's only Zen 2 products, via Tom's Hardware:

According to Ormandy, all Zen 2 CPUs are impacted, including the EPYC Rome processors:
  • AMD Ryzen 3000 Series Processors
  • AMD Ryzen PRO 3000 Series Processors
  • AMD Ryzen Threadripper 3000 Series Processors
  • AMD Ryzen 4000 Series Processors with Radeon Graphics
  • AMD Ryzen PRO 4000 Series Processors
  • AMD Ryzen 5000 Series Processors with Radeon Graphics
  • AMD Ryzen 7020 Series Processors with Radeon Graphics
  • AMD EPYC “Rome” Processors
 

JoeRambo

Golden Member
Jun 13, 2013
1,814
2,105
136
New “Zenbleed” vulnerability announced. Affects up to Zen2 products. Can be exposed remotely and even from within a virtual machine. Firmware patch to address the issue is available for Epyc systems, no ETA for patch on the consumer side.

Yeah, big disaster for AMD. Unlike Spectre that is esoteric and hard to exploit, this is on the level of Meltdown, basically if you share a system with other users, it's game over.


Some info here. AMD is obviously caring about cloud first, but this is big oof.
 

dullard

Elite Member
May 21, 2001
25,543
4,038
126
Firmware patch to address the issue is available for Epyc systems, no ETA for patch on the consumer side.
AMD has now announced expected patch dates for non-EPYC systems to be Oct through Dec, depending on the processor.

Even just visiting a website could trigger the vulnerability to reveal your user logins and encryption codes. It works across even sandboxed areas, virtual machines, etc.
 

JoeRambo

Golden Member
Jun 13, 2013
1,814
2,105
136
Even just visiting a website could trigger the vulnerability to reveal your user logins and encryption codes.

Not yet, browsers don't allow users to execute exactly the needed binary code, and finding ways to exploit it over a browser will take time (and obviously browser vendors will fight against it by refusing to generate the instructions needed).
Where this is very very relevant is ANY SHARED system. The size of this hole is hilarious. Meltdown sized.
 

dullard

Elite Member
May 21, 2001
25,543
4,038
126
Not yet, browsers don't allow users to execute exactly the needed binary code, and finding ways to exploit it over a browser will take time (and obviously browser vendors will fight against it by refusing to generate the instructions needed).
Hopefully you are correct. Lots of the tech sites are saying that Javascript on a webpage could do it. Hopefully the browsers do block it.

Currently a Google search for Zenbleed comes up with about a third of the hits on the first page either being Russian sites or sites using Russian language. I would be careful where you click until the browsers are patched.
 

gdansk

Diamond Member
Feb 8, 2011
3,176
4,985
136
Hmm. Is it responsible disclosure?
Updated firmware and ucode aren't available for consumer devices. Epyc microcode was available Friday but who thought every cloud provider would be up to date today?

Google released it because they updated their Zen 2 GCP instances. But AWS hasn't yet...
 

JoeRambo

Golden Member
Jun 13, 2013
1,814
2,105
136
Google released it because they updated their Zen 2 GCP instances. But AWS hasn't yet...

uCode released, so it's up to cloud providers to update it. There is also a chicken bit setting in an MSR to fix it too, with whatever performance impact.
Are there even that many Zen2 cloud instances with big players?
 

beginner99

Diamond Member
Jun 2, 2009
5,235
1,611
136
Hopefully you are correct. Lots of the tech sites are saying that Javascript on a webpage could do it. Hopefully the browsers do block it.
A reason to always have NoScript installed, as accidentally going to an obscure site will not run its JavaScript and will protect you regardless of browser or OS patches.

And even then it will not automatically bleed your password if you didn't just change it. It needs to be in the register file, which means very recently used. So for consumers, as with Meltdown, the attack surface is small to non-existent, as you would want to continuously monitor the register files, which you can do on a VM in the cloud but is hard via a browser.
 
  • Like
Reactions: IEC

JustViewing

Senior member
Aug 17, 2022
222
398
106
Reading into the exploit, it doesn't seem like you can exploit it from JavaScript. You need hand-written ASM code to get the correct code sequence, and most importantly you cannot access CPU registers from JavaScript. Besides, it seems like a CPU bug. Or I could be reading it wrong.
 

moinmoin

Diamond Member
Jun 1, 2017
5,111
8,151
136
That's a solid "maybe", assuming the browser has a working and compliant WASM engine.
Pretty much all common browsers support it though: https://caniuse.com/?search=webassembly

Check for yourself: https://wasm-feature-detect.surma.technology/

Ways to disable WASM, both confirmed to work:
  • Firefox: Enter about:config in the URL bar and change javascript.options.wasm to false
  • Chrome and derivatives (Opera in my case): Add --js-flags=--noexpose_wasm to the command line for starting the program
 
  • Love
Reactions: igor_kavinski
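As an added example (not from the post above or from any browser vendor), here is a small POSIX shell audit that checks whether the two WASM kill-switches named in that post are actually in place: the Firefox `javascript.options.wasm` preference in a profile's `user.js`/`prefs.js`, and the `--js-flags=--noexpose_wasm` flag on a Chrome/Chromium launcher command line. The profile path and the sample command line are assumptions supplied by the caller; the script constructs nothing about the vulnerability itself.

```shell
#!/bin/sh
# Added example: audit (and optionally apply) the WebAssembly kill-switches
# described in the forum post. Assumes a Firefox profile directory holding
# user.js / prefs.js, and a Chrome launcher command line passed as a string.

# Returns 0 if the given Firefox prefs file disables WASM, 1 otherwise.
firefox_wasm_disabled() {
  prefs_file="$1"
  [ -f "$prefs_file" ] || return 1
  # Look for exactly: user_pref("javascript.options.wasm", false);
  grep -Eq '^[[:space:]]*user_pref\("javascript\.options\.wasm",[[:space:]]*false\);' "$prefs_file"
}

# Returns 0 if the Chrome command line carries --js-flags with --noexpose_wasm
# (V8 accepts several flags in one --js-flags value, so match anywhere after it).
chrome_wasm_disabled() {
  cmdline="$1"
  case "$cmdline" in
    *--js-flags=*--noexpose_wasm*) return 0 ;;
    *) return 1 ;;
  esac
}

# Append the Firefox preference to the profile's user.js; idempotent, so
# running it twice does not duplicate the line.
firefox_disable_wasm() {
  profile_dir="$1"
  userjs="$profile_dir/user.js"
  if firefox_wasm_disabled "$userjs"; then
    return 0
  fi
  printf 'user_pref("javascript.options.wasm", false);\n' >> "$userjs"
}

# Usage: sh wasm_audit.sh /path/to/firefox/profile
if [ -n "$1" ]; then
  if firefox_wasm_disabled "$1/user.js" || firefox_wasm_disabled "$1/prefs.js"; then
    echo "Firefox profile $1: WebAssembly disabled"
  else
    echo "Firefox profile $1: WebAssembly still enabled"
  fi
fi
```

Firefox rewrites `prefs.js` on exit, so the durable place for the setting is `user.js`, which is why the apply step writes there; the Chrome check only inspects a command line string, since the flag has to be present on every launch to take effect.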

PingSpike

Lifer
Feb 25, 2004
21,749
584
126
Cloudflare at least thinks exploiting from a browser is possible, but I haven't seen anyone claim to have done it. I suspect if it is possible it isn't as efficient as the assembly PoC. I read some people saying that running the PoC code for 10 minutes they already saw fragments of their root password leaked.

I actually think this is pretty horrible and AMD rating it 'medium' severity is a joke. Haven't seen any info on performance hit (if any) from the updated microcode. I'm not sure why it will take so long to get the patches out for the rest of the product stack. This is serious enough I'd think releasing those immediately with only that fix would be wise. Certainly it is game over territory for cloud providers, but it doesn't seem an overblown worry for regular users at all to me.

I haven't seen anything to suggest other zen generation products aren't possibly vulnerable, but the language used could just be because you can't easily prove a negative not because they haven't tested. I guess we'll know soon enough.

The only good news is the chicken bit mitigates it.
 

JustViewing

Senior member
Aug 17, 2022
222
398
106
What about compiled code like WebAssembly?
WASM is just a device-independent bytecode (like Java/DotNet) which has to be compiled by the browser to native code. I am not sure all browsers/versions will compile the same way. Even if you compile the WASM to the exact x64 ASM sequence, there won't be a way to read YMM registers from WASM.
 

DrMrLordX

Lifer
Apr 27, 2000
22,140
11,828
136
Pretty much all common browsers support it though:

Firefox doesn't support gc, jspi, memory64, relaxedSimd, tailCall, threads, or typeReflection

WASM is just a device-independent bytecode (like Java/DotNet) which has to be compiled by the browser to native code. I am not sure all browsers/versions will compile the same way. Even if you compile the WASM to the exact x64 ASM sequence, there won't be a way to read YMM registers from WASM.
Well that's good to know.
 

DrMrLordX

Lifer
Apr 27, 2000
22,140
11,828
136
Seems like anyone serious about AVX performance wouldn't be running Rome or Matisse in 2023 anyway.
 

tamz_msc

Diamond Member
Jan 5, 2017
3,865
3,729
136
Voltage glitching on the PSP has now been carried out on Tesla's infotainment system in their cars.

 

DrMrLordX

Lifer
Apr 27, 2000
22,140
11,828
136
Here's a new one for Intel. Says affected processors are Skylake-TigerLake/Icelake Server.
The best thing to come from all these vulnerabilities are all the cute logos. Also big win for Intel since anyone who bought Cooper Lake (assuming it is affected, which it probably is) or IceLake-SP for AVX512 throughput will now probably need to replace their hardware with Sapphire Rapids.

edit: also it looks like this vulnerability is potentially severe, at least on any system serving up VMs.
 

Markfw

Moderator Emeritus, Elite Member
May 16, 2002
26,324
15,473
136
The best thing to come from all these vulnerabilities are all the cute logos. Also big win for Intel since anyone who bought Cooper Lake (assuming it is affected, which it probably is) or IceLake-SP for AVX512 throughput will now probably need to replace their hardware with Sapphire Rapids.

edit: also it looks like this vulnerability is potentially severe, at least on any system serving up VMs.
Pretty sad for the industry, when due to a design defect, they have to replace their processors with inferior ones (compared to the competition).
 
  • Like
Reactions: Joe NYC

Hitman928

Diamond Member
Apr 15, 2012
6,361
11,341
136
AMD also has a new vulnerability (Inception) announced today that affects Zen3 and Zen4. Doesn't sound that serious though.