
WARNING: Important sensitive information disclosure vulnerability in AMD Zen CPUs

Reference: Advisory #2023-87
Version: 1.0
Affected software:
AMD Ryzen 3000 Series Processors
AMD Ryzen PRO 3000 Series Processors
AMD Ryzen Threadripper 3000 Series Processors
AMD Ryzen 4000 Series Processors with Radeon Graphics
AMD Ryzen PRO 4000 Series Processors
AMD Ryzen 5000 Series Processors with Radeon Graphics
AMD Ryzen 7020 Series Processors with Radeon Graphics
AMD EPYC “Rome” Processors
Type: Disclosure of sensitive information
CVE/CVSS: CVE-2023-20593

Sources

Zenbleed - https://lock.cmpxchg8b.com/zenbleed.html#vulnerability

Risks

The vulnerability has a HIGH impact on Confidentiality. Because it is a hardware flaw in AMD processors, it affects all operating systems.

Furthermore, exploit code is publicly available for this vulnerability.

Description

CVE-2023-20593: Disclosure of sensitive information

Under specific microarchitectural circumstances, an issue in AMD’s Zen CPUs allows an attacker to potentially access sensitive information at a rate of 30 kb per core, per second. This is fast enough to monitor encryption keys and passwords as users log in.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends that system administrators check with their BIOS or Operating System vendor for an available update.

AMD have also released a microcode update for affected processors.
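
One way to check Linux hosts against this recommendation, as an added example that is not part of the original advisory: the script reads /proc/cpuinfo-formatted text, flags AMD CPUs in the assumed affected family and model ranges, and compares the loaded microcode revision with a fixed revision the operator takes from the vendor bulletin for that exact CPU model. The function names, the family and model ranges, and the sample input are assumptions or constructed values; no fixed revision is given on this page, so none is built in.

```python
import re

# Assumption, not from the advisory: affected parts report AMD family 0x17 with
# these model ranges (the grouping the Linux kernel uses for Zen 2).
ZEN2_FAMILY, ZEN2_MODELS = 0x17, [(0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF)]

# Constructed sample: two logical CPUs, one still on an older microcode revision.
SAMPLE = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
microcode\t: 0x200

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
microcode\t: 0x100
"""

def parse_cpuinfo(text):
    """Return one {field: value} dict per logical CPU."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [{k.strip(): v.strip() for k, sep, v in
             (line.partition(":") for line in b.splitlines()) if sep}
            for b in blocks if b.strip()]

def in_scope(cpu):
    try:
        family, model = int(cpu["cpu family"]), int(cpu["model"])
    except (KeyError, ValueError):
        return False
    return (cpu.get("vendor_id") == "AuthenticAMD" and family == ZEN2_FAMILY
            and any(lo <= model <= hi for lo, hi in ZEN2_MODELS))

def assess(text, fixed_rev=None):
    """fixed_rev: patched microcode revision from the vendor bulletin, or None."""
    cpus = [c for c in parse_cpuinfo(text) if in_scope(c)]
    if not cpus:
        return ("no-match", [])
    revs = sorted({int(c["microcode"], 16) for c in cpus if "microcode" in c})
    if fixed_rev is None or not revs:
        return ("check-vendor", revs)
    # The lowest revision decides: every core must have loaded the update.
    return ("updated" if revs[0] >= fixed_rev else "needs-update", revs)

if __name__ == "__main__":
    status, revs = assess(open("/proc/cpuinfo").read())
    print(status, [hex(r) for r in revs])
```

Inside a virtual machine the reported microcode revision may not reflect the host's microcode, so run the check on the hypervisor host as well.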

References

Securityweek - https://www.securityweek.com/wiz-says-62-of-aws-environments-exposed-to-zenbleed-exploitation/
NIST - https://nvd.nist.gov/vuln/detail/CVE-2023-20593